What is PSD2?
The PSD2 (Payment Services Directive 2) was created by the European Union (EU) in order to make the practices in the payment industry more uniform in the EU28/EEA.
From when does PSD2 apply?
From the 13th of January 2018, PSD2 becomes state legislation across the EU28/EEA.
What are the most important points from PSD2 for a merchant?
In the context of merchants accepting online payments in e-Commerce, the main points from PSD2 are:
- Strong Customer Authentication
What is surcharging?
Surcharging- the practice of merchants charging customers extra fees, besides the price of the purchase, to cover the interests associated with offering payments via credit/debit cards.
PSD2 mandates the types of payment cards that can be surcharged. These are: consumer cards and business/corporate cards.
Consumer cards- debit/credit etc. cards issued to private persons for their own personal purchases. Consumers use these cards to purchase good/services such as clothing, food, streaming memberships etc.
Business/corporate cards- debit/credit etc. cards issued to companies for purchasing in the business environment. Companies purchase goods/services like a company car, internet domain names etc. with these cards.
1. It will not be possible for merchants to surcharge customers looking to pay with consumer cards in B2C transactions.
This measure covers:
- Consumer cards from Visa, Mastercard, Dankort etc.
- Credit and debit cards
- Domestic and cross-border payments
- Physical and online shops
2. It will still be permitted for merchants to surcharge customers looking to pay with corporate or business cards in B2B transactions.
What can I do about surcharging?
Options to consider:
- Accept the fee yourself (and maybe see where you can make cost savings other places in your company)
- Add the card payment fees in the final price of the products/services that you are selling
- Only accept corporate cards
NOTE. In Denmark, PSD2’s regulation on Surcharging takes effect from the 1st of January 2018. You can read the official text in Section 3, Article 121 (in Danish).
Strong Customer Authentication via 2FA
PSD2 advances Strong Customer Authentication (SCA) in the context of online payments by making Two-Factor Authentication (2FA) a requirement. However, there is a transition period (see further down).
What is authentication?
Authentication- the process of making sure that the customer purchasing from your online shop is indeed the owner of the card being used in the transaction.
How does 2FA take place?
2FA requires that cardholder provides at least two of the following:
- Something known (e.g. card details, CVV or static password)
- Something owned (e.g. one-time password sent via SMS or email or a QR code, which is scanned with the cardholder’s device)
- Something inherited (e.g. fingerprint, iris scan or face recognition (Face ID))
NOTE. You as a merchant do not have to perform any programming or special implementation in order to provide the 2 elements for authentication (“something known” and “something owned”). Your gateway, Clearhaus and the issuing bank of the cardholder collaborate and exchange information so your online shop requests 2FA.
What are the benefits of Strong Customer Authentication via 2FA?
- Customers receive protection against card data theft and its results
- You receive protection against fraud and are not liable for chargebacks caused by fraud
What is the transition period?
PSD2 becomes national law in all EU28/EEA member states from the 13th of January 2018, however, there will be a transition period regarding SCA, which will last at least until September 2019. Until then, online shops are not required to apply 2FA, but both EU and us, at Clearhaus, recommend that they start becoming familiar with the different solutions, e.g. 3-D Secure. Read the rules here: Regulatory Technical Standards.
What are the exemptions from the SCA requirement?
- Recurring transactions of same amount (i.e. payments in the forms of memberships, subscriptions etc.)
- Payments to oneself
- Secure corporate payments that goes through another secure system
- Low-risk transactions
Online payments below 30 Euro, but:
If the total amount of several transactions exceed 150 Euros or for every fifth transaction (no matter the value) 2FA must be applied.
How to comply with the 2FA requirement?
The best option for complying with the 2FA requirement set by PSD2 is to request 3-D Secure or use Apple Pay in transactions.
Additional points about 2FA
- 2FA will be applied to both new and existing customer when they make a purchase (unless they fall under one of the above mentioned exeptions).