The second Payment Services Directive (PSD2) is a European regulation that requires online card payments to go through strong customer authentication (SCA) starting from September 14, 2019.
Overview of PSD2
The second edition of the Payment Services Directive (PSD2) has brought about a radical change in the world of payments, finance, and SaaS. PSD2 aims, through technology, to bring more competition and innovation to the European market while strengthening payment security and, consequently, consumer protection.
PSD2 builds upon three parts of the original directive introduced in 2007:
- harmonization of consumer protection and rights,
- harmonization of access policies to account information by third-party payment service providers,
- and strengthening of security.
With the emergence of new types of payment services, the European Commission decided to revise the PSD1 regulation. The new payment service providers brought innovation and competition by offering cost-effective alternatives for online payments. The problem was that they were not properly regulated.
Including them in the revised edition of PSD has allowed for increased innovation, with the involvement of non-bank actors, in order to level the playing field and enhance transparency and security for consumers.
Users can gather all their banking data, compare fees charged by banks, access their historical data, make safer and faster transactions, and benefit from greater transparency of account information.
One of the main focuses of the revised edition of the PSD law is strengthening the security of online payments through strong customer authentication (SCA). For consumers, this means increased customer rights, faster payments, and clearer information on payments and refund rights.
What does PSD2 mean for companies with a subscription-based business model?
Strong customer authentication (SCA) applies to transactions initiated both by the customer and by the merchant. A merchant-initiated transaction is a transaction made with a customer’s stored card when the customer is not present.
Merchants using a subscription-based business model must integrate all SCA flows into their payment page. For fixed amount subscription invoice payments, merchants need to apply SCA only during the initial transaction. However, if the customer upgrades to a higher tier or adds additional options to their subscription, changing the amount of their subscription, a 3D Secure verification is required for the first transaction with the modified amount.
Achieving compliance with PSD2 can be particularly challenging for companies that charge their customers based on usage of a service, as the amount varies over time. Since these transactions are marked as “merchant-initiated transactions,” they will be exempt from PSD2 and SCA requirements.
Even though a merchant-initiated transaction is exempt from PSD2, the first transaction will still require a 3DS 2 verification.
Additionally, a consumer’s bank may require a 3DS 2 verification for a transaction that has been classified as exempt from PSD2 and SCA requirements.