What is PSD2?
The PSD2 (Payment Services Directive 2) was created by the European Union (EU) in order to make the practices in the payment industry more uniform in the EU28/EEA.
From when does PSD2 apply?
From the 13th of January 2018, PSD2 becomes state legislation across the EU28/EEA.
What are the most important points from PSD2 for a merchant?
In the context of merchants accepting online payments in e-Commerce, the main points from PSD2 are:
- Surcharging
- Strong Customer Authentication
What is surcharging?
Surcharging: the practice of merchants charging customers extra fees, on top of the purchase price, to cover the costs associated with accepting payments via credit/debit cards.
PSD2 regulates which types of payment cards may be surcharged. The two relevant categories are consumer cards and business/corporate cards.
Consumer cards: debit/credit etc. cards issued to private persons for their own personal purchases. Consumers use these cards to purchase goods/services such as clothing, food, streaming memberships etc.
Business/corporate cards: debit/credit etc. cards issued to companies for purchasing in the business environment. Companies purchase goods/services like a company car, internet domain names etc. with these cards.
1. It will not be possible for merchants to surcharge customers looking to pay with consumer cards in B2C transactions.
This measure covers:
- Consumer cards from Visa, Mastercard, Dankort etc.
- Credit and debit cards
- Domestic and cross-border payments
- Physical and online shops
2. It will still be permitted for merchants to surcharge customers looking to pay with corporate or business cards in B2B transactions.
What can I do about surcharging?
Options to consider:
- See where you can make cost savings in your company
- Add the card payment fees in the final price of the products/services that you are selling
NOTE. In Denmark, PSD2’s regulation on Surcharging takes effect from the 1st of January 2018. You can read the official text in Section 3, Article 121 (in Danish).
Strong Customer Authentication via 2FA
PSD2 advances Strong Customer Authentication (SCA) in the context of online payments by making Two-Factor Authentication (2FA) a requirement. However, there is a transition period (see further down).
What is authentication?
Authentication: the process of making sure that the customer purchasing from your online shop is indeed the owner of the card being used in the transaction.
How does 2FA take place?
2FA takes place by requesting two elements: 1. the “something known” element (e.g. card details and/or CVV); and 2. the “something owned” element, which can be one of:
- OTP, short for One-Time Password (i.e. a string of text, usually sent as an SMS or e-mail to the cardholder’s device)
- Biometric Feature (i.e. a fingerprint connected to the cardholder’s registered device)
- Scanned QR Code (i.e. an on-screen QR code that has to be scanned with the cardholder’s registered device)
NOTE. You as a merchant do not have to perform any programming or special implementation in order to provide the 2 elements for authentication (“something known” and “something owned”). Your gateway, Clearhaus and the issuing bank of the cardholder collaborate and exchange information so your online shop requests 2FA.
What are the benefits of Strong Customer Authentication via 2FA?
- Customers receive protection against card data theft and its results
- You receive protection against fraud and the chargebacks that follow from it
What is the transition period?
PSD2 becomes national law in all EU28/EEA member states from the 13th of January 2018. However, there will be a transition period regarding SCA, lasting at least until November 2018. During this period, merchants, issuers, and acquirers are permitted not to apply 2FA.
The purpose of this transition period is to let merchants, issuers, and acquirers familiarise themselves with the technicalities and principles brought by PSD2, which are stipulated in the Regulatory Technical Standards.
Despite the transition period, the long-term goal is to offer SCA via 2FA in online transactions. Therefore, whether or not 2FA becomes mandatory from November 2018, Clearhaus recommends that you get accustomed to its applicability and exemptions as soon as possible.
What are the exemptions from the 2FA requirement?
- Recurring transactions (i.e. payments in the form of memberships, subscriptions etc.)
- Contactless electronic payment transactions at point of sale (POS), provided that:
  - a single transaction does not exceed 50 Euros
  - the cumulative amount of transactions since the last authentication does not exceed 150 Euros, and no more than 5 consecutive transactions take place without authentication
- Remote electronic payment transactions (payment transactions over the internet or made on a device suited for distance communication) of low value, provided that:
  - a single transaction does not exceed 30 Euros
  - the cumulative amount of transactions since the last authentication does not exceed 100 Euros, and no more than 5 consecutive transactions take place without authentication
- Unattended terminals used in road transport or parking
- Payments to self (i.e. when the payer and payee represent the same entity and have the same account at Clearhaus/an acquirer)
- Customers accessing the balance of their payment accounts online, for accounts held in your online shop
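As an added illustration (not part of the Clearhaus text or of any gateway's API), the low-value exemption limits listed above written out as a decision rule: given the channel, the amount and the per-card counters since the last authentication, it says whether 2FA (e.g. 3-D Secure) must be requested. The channel names, the `CardState` counters and the assumption that counters reset on every authenticated transaction are mine.

```python
from dataclasses import dataclass

# Limits quoted on the page, in euro cents:
# channel -> (max single amount, max cumulative amount, max consecutive count)
LIMITS = {
    "contactless_pos": (50_00, 150_00, 5),
    "remote": (30_00, 100_00, 5),
}


@dataclass
class CardState:
    """Per-card counters since the last authenticated transaction (constructed for the example)."""
    cumulative_cents: int = 0
    consecutive_unauthenticated: int = 0


def sca_required(channel: str, amount_cents: int, state: CardState, recurring: bool = False) -> bool:
    """Return True when this transaction must go through 2FA.

    Only the exemptions listed on the page are modelled: recurring payments and the
    two low-value exemptions. Any channel without a low-value exemption is authenticated.
    """
    if recurring:
        return False
    if channel not in LIMITS:
        return True
    single_max, cumulative_max, count_max = LIMITS[channel]
    if amount_cents > single_max:
        return True  # single-transaction limit exceeded
    if state.cumulative_cents + amount_cents > cumulative_max:
        return True  # cumulative limit since last authentication exceeded
    if state.consecutive_unauthenticated + 1 > count_max:
        return True  # this would be the 6th consecutive unauthenticated transaction
    return False


def record(channel: str, amount_cents: int, state: CardState, recurring: bool = False) -> bool:
    """Decide, then update the counters: an authenticated transaction resets them (assumption),
    an exempted one adds to the running total and count."""
    required = sca_required(channel, amount_cents, state, recurring)
    if required:
        state.cumulative_cents = 0
        state.consecutive_unauthenticated = 0
    else:
        state.cumulative_cents += amount_cents
        state.consecutive_unauthenticated += 1
    return required
```

In practice the issuer keeps these counters and makes the call, as the page notes; the code only makes the stated limits concrete so you can see which of the three conditions trips first for a given sequence of payments.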
How to comply with the 2FA requirement?
The best option for complying with the 2FA requirement set by PSD2 is to request 3-D Secure or to use Apple Pay for transactions.
Additional points about 2FA
- 2FA will be applied to both new and old customers when they make a purchase, except if the customers qualify for an exemption (see above).