We know that Payment Services Directive 2 (PSD2) is affecting e-commerce, but are you struggling to find your way through all the information on the subject? We’ve picked out the top 3 things e-merchants need to know about PSD2.
What is PSD2 for?
PSD2 is intended to tackle bank fraud and money laundering. It aims to provide a legislative framework for the new practices arriving in the payment market, particularly in light of the growth of e-commerce and m-commerce. It therefore serves to ensure security for merchants and consumers when making online transactions. Specifically, it introduces the concept of strong authentication to better protect European citizens in the event of bank card theft. Authentication is “strong” when it integrates two of the following factors: possession (what the customer has), knowledge (what they know) and inherence (what they are).
PSD2 is now being rolled out and the deadline for implementing 3DS v2 in France is 15 May 2021, with 3DS v1 transactions being accepted until 2022.
What are the major changes with PSD2?
PSD2 is introducing important changes in the fight against online payment fraud:
- The previous obligation of means has been replaced by an obligation of results, introducing fraud rate thresholds to comply with (for more information about these thresholds, see our article).
- The decision to trigger strong authentication (which was previously made by merchants) is now in the hands of the customers’ issuing banks.
- The 3D Secure security protocol is evolving: merchants have to migrate to version 2, which allows more data to be exchanged with the issuer.
Possible exemptions to strong authentication
The PSD2 application texts specify possible exemptions to strong authentication:
- recurring payments;
- small amounts (under €30) within a cumulative limit of €100, or 6 consecutive transactions;
- individuals deemed “trusted beneficiaries” (white-listed);
- non-nominative cards (payments initiated by “legal entity” payers);
- TRA (Transaction Risk Analysis) exemptions, i.e. justified by a risk analysis;
- transactions outside the scope of PSD2, i.e. MOTO (Mail Order/Telephone Order), MIT (Merchant-Initiated Transactions) and one-leg (inter-regional) transactions.
In these cases, the consumer will not need to authenticate and will therefore have a smoother user experience.
To find out more about TRA exemptions and how to request them from issuers, download our Practical Guide to PSD2 Migration.