The Impact of PSD2 on Online Merchants

by PCI Booking – June 5, 2019

When we, as merchants, take a payment from a customer, many factors come together to make it seamless, secure, and fast. But the world of payments, like other business areas, is seeing massive digital transformation. The era of the ‘fintech’ is firmly upon us; structures of payment are rapidly changing to accommodate new ways of selling; customer expectations in a socialized world need to be respected; and, concurrently, cybercrime figures are soaring. To deal with this heady mix, legislation in the form of the second Payment Services Directive (PSD2) has shaken the payments system.

Research by Iovation found that only 25% of European online merchants are aware of the requirements under PSD2 for more robust and secure customer authentication. This is only one aspect of PSD2 compliance, and with the September 14 deadline approaching, merchants need to know, now more than ever, what PSD2 is about.

PSD2 is a replacement for the earlier PSD1 framework, which came into force in 2007. PSD2 came into effect across the European Union on January 13, 2018. The Payment Services Directive is a legislative framework designed to add elements of security and control to financial transactions. However, PSD2 allows some 18 months from the March 2018 release of the Regulatory Technical Standards (RTS) before they apply in full. This gives us until 14 September 2019 to ensure we meet the requirements of the legislation.

Why Have an Update to An Already Existing Payment Regulation?

The planets have aligned in the payment space, opening a gap in the existing legislation. The three main drivers for the PSD2 update are:

  1. Cyber-threats and technology landscape: PSD2 came about as a reflection of the changing technology landscape. These changes focused on increases in online transactions and mobile payments. At the same time, cybercriminal activity was morphing to take advantage of these changes. The European Payments Council’s “2018 Payment Threats and Fraud Trends” report identified a number of cyber-threats that focused on payments. These included social engineering and phishing targeting payment frameworks, as well as malware such as ransomware.
  2. Increasing fraud: PSD2 was designed to address the increase in fraud, for both card-present and card-not-present use cases. A report by Experian, “The 2018 Global Fraud and Identity Report”, which mapped fraud risk to customer experience, offered interesting insight. Firstly, the report found that 66% of customers actually preferred to experience security protocols online, as it made them feel “more protected”. The report also found that in the previous 12 months most businesses were experiencing the same or greater fraud losses.
  3. API economy: Cyber-threats, fraud and customer expectations are all feeding into this new payment landscape. But one more area is fueling PSD2 and that is the API economy. An API or Application Programming Interface allows applications to communicate directly. In the world of payments and banking, this means that “Banking APIs” can offer new layers of functionality, allowing customers to more easily access bank accounts and perform transactions online. This ‘user-centric’ API approach is being wrapped into PSD2. This opens opportunities for banks to provide access to customer accounts. In turn, this allows merchants to create new payment models and improve user journeys. For merchants, this means (potentially) that a direct bank account transaction could take place.

What Types of Organizations are Affected by PSD2?

PSD2 affects bodies that handle payments within the European Union. This extends to an organization that is associated with an EU bank or financial service provider or Fintech player. If you are an online merchant, many of the changes in PSD2 will impact you directly.

Online merchants must comply with the PSD2 regulation, especially in certain areas which we will explore in the next section.

Online Merchants and PSD2

There are three key areas within PSD2 that affect online merchants:

  1. Strong Customer Authentication (SCA): This is all about ensuring that robust and stringent authentication measures are used during “customer-initiated” online payments. This applies within the EU and will affect all credit and debit card payments as well as bank transfers made online. The exceptions to the SCA rule are merchant-initiated payments, e.g. recurring direct debits, and in-person (not contactless) payments.

     The strong authentication requirement can be met using 3-D Secure (3DS) and the new 3-D Secure 2 verification system, which was released earlier this year. On mobile devices, biometrics and passwords can be used with eWallet payments such as Apple Pay. The SCA requirement of PSD2 may impact the way users interact with your service and how payments are taken.
  2. Open Banking/API interfaces and account access: While PSD2 does not make opening up a banking interface mandatory, it is strongly encouraged. Consequently, many European banks are creating APIs that allow customers to perform direct payment transactions with merchants. The standards used to create the interface between merchant and bank mean that a merchant can potentially become a PISP (Payment Initiation Service Provider), offering cost reductions and faster payments.

  3. Surcharge bans: PSD2 bans certain surcharges. The scope of the ban is specifically focused on B2C and impacts many industries including travel. The ban can also affect B2B payments.

The directive is also designed to protect merchants, providing a “neutral definition of acquiring of payment transactions in order to capture not only the traditional acquiring models structured around the use of payment cards, but also different business models, including those where more than one acquirer is involved. This should ensure that merchants receive the same protection, regardless of the payment instrument used, where the activity is the same as the acquiring of card transactions.”

A note on penalties: PSD2 sets out that penalties for noncompliance should be “effective, proportionate and dissuasive”. Ultimately, any fine is at the discretion of the EU state.

How PCI Booking Supports PSD2 Compliance:

All of this can be onerous for the online merchant. However, PCI Booking is an expert in delivering compliance solutions for online merchants, specifically in the travel industry. To support you in your PSD2 needs we will:

  • Incorporate a 3-D Secure prompt on our card capture forms. This allows you to meet the Strong Customer Authentication (SCA) requirement.
  • Enhance our tokenization mechanisms to allow you to capture, alongside the card details, the 3-D Secure authentication token from a third party.
  • Enhance our system to store the 3-D Secure authentication token. This is then relayed to all of our integrated payment gateways via our Universal Payment Gateway. This makes the customer experience more seamless whilst upholding the SCA requirement.

Benefits of PSD2 for Customers

PSD2 has been brought in to make sure that online payments remain beneficial to the customer. Benefits of PSD2 include:

  • Financial – faster and more secure payments could lead to cost reductions.
  • Increased consumer rights and user-centric controls.
  • More robust payment security.

PSD2 is an impactful regulation that touches all online merchants who handle payments in the EU. It is also an important regulation for ensuring that customers are protected in a landscape where fraud and cybersecurity are a serious challenge. The merchant that utilizes technology built to make PSD2 achievable can reap the rewards of protecting their customers and open up opportunities enabled by a more open banking environment.