PSD2 Regulation: How to Be PSD2 Compliant
The EU’s second payment services directive (PSD2) will be in full force come September 14, 2019. With the deadline looming, everyone in the payment industry is concerned about becoming compliant before it’s too late. Of the main players — banks, payment service providers, and business owners — the latter has the least amount of insight on the matter.
To help business owners bridge this knowledge gap, we put together this guide on how to be PSD2 compliant. It includes approaches you can take to meet PSD2’s applicable regulations and what changes to expect from the directive. Check out the chapter synopsis below to get a high-level picture of the information we’re presenting, then dive right in to learn all about PSD2.
Chapter synopsis
- Chapter 1: Introduction.
- Chapter 2: Why the EU needed the payment services directive. PSD2 is the updated version of PSD. See why PSD was needed in the first place, what it covered, and why it became outdated.
- Chapter 3: PSD2 compliant payment services. This chapter will help you learn more on the progress of major payment gateway services on their quest to become PSD2 compliant.
- Chapter 4: PSD2 compliance examples. This section will serve as a compilation of PSD2 compliance announcements.
- Chapter 5: What changes to expect from PSD2. PSD2 is bringing a lot of changes to the payment industry, most notably strong customer authentication. Learn more about this important payment concept in this chapter.
- Chapter 6: PSD2’s impact on payment service providers. In this chapter, learn more about how PSD2 is impacting payment service providers and which widely used providers are or will be PSD2 compliant.
- Chapter 7: PSD2’s impact on online businesses. In this chapter, learn more about PSD2’s impact from the perspective of online businesses — namely, their concerns and how they can become PSD2 compliant.
- Chapter 8: PSD2 and JotForm. This chapter builds on the business concerns presented in the previous chapter and talks about a tool that helps business owners improve their customer experience.
Remember to bookmark this guide for later reference. You’ll undoubtedly have questions about PSD2 as the deadline nears and even afterward. This guide will provide you with the answers.
How to be PSD2 Compliant
As a business owner, there are two primary approaches you can take to comply with PSD2:
- Choose a PSD2-compliant PSP. Many payment service providers (PSPs) offer hosted checkout options that take on the burden of PSD2 compliance themselves, assuming they are or will be compliant by the deadline. If you engage with one of these PSPs, you’ll be in the clear. “You’ll also be able to better focus on your core business instead of the legal and administrative concerns of compliance,” says Sandra Wróbel-Konior of SecurionPay.
- Build authentication into your checkout flow. Whether you want to retain control over the checkout experience directly, or you use a PSP without a hosted checkout option, you’ll have to handle implementing 3D Secure 2.0 into your payment flow yourself. But once you do, you’ll be compliant.
Whichever approach you choose, you’ll need the right tools to keep your business running smoothly after PSD2 is in full force. Check out how JotForm can help, along with its efforts in being PSD2 compliant, in the next chapter.
PSD2-compliant providers
PSD2 will have significant consequences for nearly all banks, online payment processors, and third-party payment providers. Here’s a rundown of the short- and long-term PSD2 compliance action plans a few major payment providers have announced.
Stripe is planning to be compliant by the September 14 deadline. EU customers using products such as Stripe and Stripe Connect shouldn’t have any compliance issues. Plus, JotForm has completed the necessary technical steps to become PSD2 compliant for Stripe users.
PayPal also pledges to be fully compliant with the new PSD2 regulations by the deadline. Third-party PayPal providers should research the steps they need to take to be compliant.
CyberSource has announced that they will be able to support 3D Secure 2.0, which is a crucial part of SCA and PSD2. However, they require their third-party users to upgrade to their latest integration.
Unlike many payment providers, Square has not made any public statements about PSD2. At the moment, it’s unclear if they are planning to be compliant. They haven’t provided any information about what their customers should do.
Authorize.Net has also remained silent about PSD2. It’s likely that they will not be PSD2 compliant. One option is to move to CyberSource, an Authorize.Net sister company that has announced they will be PSD2 compliant.
European-based online payment processors Klarna, Ingenico, and Worldline have been working hard to be in line with PSD2 legislation. In fact, Ingenico declared themselves PSD2 compliant as of May 29, 2018.
PSD2 compliance examples
Below are some of the news and press releases from payment gateways about their PSD2 compliance efforts.
Why the EU needed the payment services directive
Currently, the entire payment industry is focused on PSD2 — and for good reason. But to truly understand something, you have to know where it came from. That’s why we’re exploring the EU’s first payment services directive (PSD) and the reason it was created.
The origin of PSD
Much-needed regulation
In the early 2000s, payment services began extending beyond the walls of traditional financial institutions. New entrants to the payment industry, like intermediaries and other service providers, meant banks were no longer the only players. These new entrants offered payment services that didn’t necessarily fit within the boundaries of existing rules.
According to Jeremy Bellino of Worldpay, “PSD’s aim was to boost competition across Europe by allowing nonbanks access to the industry, and to create a more level playing field for both consumers and payment providers.”
In addition, the EU felt it necessary to make sure customers were confident that the payments they made were secure. So it created a framework in the form of PSD to better regulate payment services across the EU, replacing individual countries’ national rules.
What PSD covered
PSD created a number of rules, regulations, and guiding points that impacted consumers, merchants, and PSPs alike, including the following:
- Conditions and information requirements for payment services should be transparent.
- Consumers should receive relevant information (for free) before entering into any binding payment service contracts. They should also be able to request their contracts, in writing, at any point during the contract term — again, without being charged.
- Consumers should be able to terminate their contracts with payment service providers after a year without incurring charges. And while consumers need only provide a month’s notice prior to termination, the PSP must provide at least two months’ notice.
- PSPs must not hold consumers liable for losses due to a compromised payment instrument (such as a lost or stolen credit card) once the consumer has notified the PSP of the situation. Along with this rule, the consumer should be held liable for a “limited amount” to provide an incentive for them to notify the PSP of the situation quickly.
In all, there are hundreds of points the EU put forth in PSD that helped shape the payment industry into a more regulated space. You can read them all in the European Commission’s legislative text on PSD.
Why PSD became outdated
While PSD set a clear precedent for providing structure and security within the payment landscape, it couldn’t remain relevant forever. Even as PSD came into force, the payment industry continued to evolve, introducing new technology, processes, and use cases that tested the limits of the original framework. The rise of e-commerce and the introduction of smartphones and other mobile devices are key examples of the type of modern elements PSD could not account for.
Some of the language PSD used showcases why its framework can’t hold up in today’s digitally connected world:
“As the payer is usually present when he gives the payment order, it is not necessary to require that information should in every case be provided on paper or on another durable medium. The payment service provider may give information orally over the counter or make it otherwise easily accessible, for example by keeping the conditions on a notice board on the premises.”
To be fair, PSD did account for some digital aspects of the payment industry, namely e-commerce transactions; however, the space has grown and changed since then, leaving PSD obsolete. Hence the need for PSD2.
Now that we’ve covered the origin story of PSD, let’s get into the changes PSD2 will bring to the payment industry.
What changes to expect after PSD2
Nearly a decade after PSD went into force, the EU determined that an updated version of the directive was necessary. Enter its replacement, PSD2. The regulations put forth in PSD2 account for the modernization of the payment industry in ways PSD couldn’t.
Bellino calls out a key distinction between the first and second versions: “While more innovation and competition remains a central objective, the primary intention of PSD2 is increasing security and reducing overall fraud in the payments ecosystem.”
This fact isn’t surprising given concerning stats about fraud from a 2018 report by the European Central Bank: Within the Single Euro Payments Area (SEPA), the value of CNP fraud losses in 2016 was €1.32 billion. This made it the largest category of fraud in absolute value. In addition, unlike ATM and POS fraud, CNP fraud was the only fraud category that increased compared to the previous year.
What changes does PSD2 enact, and how do they impact the payment industry and fraud rates? Keep reading to find out.
Exploring PSD2
What is PSD2?
PSD2, or the second payment services directive, is a collection of rules and guiding points for regulating the payment industry. According to the European Commission, the purpose of the directive is to “improve the existing EU rules for electronic payments,” making the international payment process (within the EU) easier and more secure. “It takes into account emerging and innovative payment services, such as internet and mobile payments.”
“PSD2 will revolutionize the payment industry, particularly with its open banking initiative,” says Bellino. The initiative provides regulated third-party providers (TPPs) access to consumer and business bank accounts, provided the account holders have consented. This enables consumers to more easily pay for online purchases directly from their bank accounts, reducing processing costs and chargeback risks. It also paves the way for TPPs to identify and create new payment methods — a tieback to PSD2’s intention to increase innovation in the industry.
We provide more details about the entities PSD2 impacts, the important deadlines surrounding the directive, and more in our post that answers the question, “What is PSD2?”
Introducing SCA
PSD2 introduces another big change in the form of strong customer authentication (SCA). Since it’s performed at the time of purchase, SCA is PSD2’s main weapon to combat fraud. Having users verify their identities immediately before remitting payment is the last line of defense before money and items are potentially lost as the result of a fraudulent transaction.
The European Commission defines SCA as an authentication that uses at least two of three verification elements:
- Knowledge — something only the user knows. “These are things like a password or a PIN,” explains Bellino.
- Possession — something only the user possesses. “Think debit or credit card, or a mobile phone,” Bellino says.
- Inherence — something the user is. “This will involve some type of biometric identifier, such as facial recognition or a fingerprint scan,” Bellino notes.
Check out this post that goes into more detail on who SCA is for, how it’s delivered, and more.
SCA exemptions
All countries within the European Economic Area (EEA), including the U.K. (regardless of the outcome of Brexit), are subject to SCA enforcement. Additionally, every business that accepts electronic payments within the EEA is required to be SCA compliant. No businesses are excluded, regardless of the vertical. However, there are several exclusions and exemptions business owners may be able to take advantage of.
“SCA exclusions are out of scope of the SCA mandate, meaning SCA will not be performed,” Bellino explains. These include
- One leg out transactions — payments where the card issuer or acquirer is based outside of the EEA. “For example, if I am a U.S.-based consumer with a U.S.-issued credit card and I want to make a purchase from a U.K.-based business, SCA would not be required,” Bellino explains.
- Merchant-initiated transactions — transactions initiated by the payee (merchant) on behalf of the consumer, such as recurring metered billing and fixed or variable subscriptions/installments. “However,” Bellino cautions, “SCA does apply on the first transaction, when the consumer is establishing the recurring agreement.”
- Mail orders/telephone orders (MOTOs) — These are excluded because the technology to perform SCA does not yet exist for these channels. “We strongly believe this will change in the future as fraudsters turn their attention to MOTOs as the e-commerce space becomes tougher to crack,” notes Bellino.
“SCA exemptions are within the scope of the SCA mandate but must be requested by the merchant, acquirer, or PSP,” says Bellino. These include
- Low-risk transactions — transactions that have been assessed as low risk in real time via a process called transaction risk analysis. To request this exemption, the PSP’s fraud rate must be below the approved threshold, and the transaction value may not exceed €500.
- Low-value transactions — remote electronic payments less than or equal to €30. This exemption applies to up to five consecutive payments or when the cumulative amount since the last SCA is less than or equal to €100.
- Whitelists of beneficiaries — when a cardholder adds a merchant to a whitelist maintained by the issuing bank, the merchant doesn’t have to use SCA for authentication. “We expect whitelisting support to be more widely available in 2020,” adds Bellino.
- Corporate payments — B2B payments using a secure, dedicated process. These are usually corporate cards that are tied to an entity, not an individual. They are typically used for lodging or are virtual.
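As an added illustration (not code from the guide, Worldpay, or SecurionPay), the following Python models the two-of-three factor rule and the exclusion/exemption logic exactly as described above, in the order a PSP would evaluate it: exclusions first, then requestable exemptions, then a mandatory SCA challenge. The `Transaction` fields, the `psp_fraud_rate_below_threshold` flag (the guide gives no numeric threshold) and the reading of the low-value rule as "either counter" are assumptions; a real issuer may still challenge an exempted transaction.

```python
from dataclasses import dataclass
from typing import List, Tuple

FACTOR_CATEGORIES = {"knowledge", "possession", "inherence"}


def is_strong_authentication(factors: List[str]) -> bool:
    """SCA needs at least two *different* categories; two passwords are not SCA."""
    used = {f for f in factors if f in FACTOR_CATEGORIES}
    return len(used) >= 2


@dataclass
class Transaction:
    # Assumed model, not from the guide. Amounts are in euro.
    amount_eur: float
    issuer_in_eea: bool
    acquirer_in_eea: bool
    channel: str = "ecommerce"          # "ecommerce" or "moto"
    merchant_initiated: bool = False
    first_of_agreement: bool = False    # first payment that sets up a recurring agreement
    # Per-payer state the PSP keeps since the last successful SCA
    consecutive_since_sca: int = 0
    cumulative_since_sca_eur: float = 0.0
    # Exemption inputs (thresholds/flags decided elsewhere; assumed inputs here)
    psp_fraud_rate_below_threshold: bool = False
    merchant_whitelisted_by_issuer: bool = False
    corporate_dedicated_process: bool = False


def sca_decision(txn: Transaction) -> Tuple[bool, str]:
    """Return (sca_required, reason).

    Exclusions are out of scope of the mandate, so SCA is simply not performed.
    Exemptions are in scope and must be requested; the issuer can still refuse them.
    """
    # --- Exclusions -------------------------------------------------------
    if not (txn.issuer_in_eea and txn.acquirer_in_eea):
        return False, "excluded: one leg out of the EEA"
    if txn.channel == "moto":
        return False, "excluded: mail order / telephone order"
    if txn.merchant_initiated and not txn.first_of_agreement:
        return False, "excluded: merchant-initiated (agreement already authenticated)"

    # --- Exemptions (requestable) -------------------------------------------
    if txn.merchant_whitelisted_by_issuer:
        return False, "exemption: beneficiary whitelisted by the issuer"
    if txn.corporate_dedicated_process:
        return False, "exemption: corporate payment via dedicated process"
    # Low value: <= EUR 30, and either fewer than five consecutive payments
    # since the last SCA or a running total (including this one) <= EUR 100.
    if txn.amount_eur <= 30 and (
        txn.consecutive_since_sca < 5
        or txn.cumulative_since_sca_eur + txn.amount_eur <= 100
    ):
        return False, "exemption: low value"
    # Low risk (transaction risk analysis): <= EUR 500 and PSP fraud rate below threshold.
    if txn.amount_eur <= 500 and txn.psp_fraud_rate_below_threshold:
        return False, "exemption: low risk (TRA)"

    # --- Otherwise the customer must be challenged ----------------------------
    return True, "SCA required"


if __name__ == "__main__":
    # Constructed sample: a EUR 25 e-commerce payment whose counters are exhausted.
    t = Transaction(25, True, True, consecutive_since_sca=5, cumulative_since_sca_eur=90)
    print(sca_decision(t))  # counters exhausted and no TRA flag -> SCA required
```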
Now that we’ve covered PSD2 and its changes from a broad perspective, the next chapter will consider the perspective of payment gateways, processors, and other payment service providers.
PSD2’s impact on online businesses
Like PSPs, online business owners must comply with PSD2 to operate successfully in the EU. And though many of their concerns may overlap with PSPs, online business owners have a different perspective. Keep reading to see how PSD2 impacts your business and what you can do to be compliant.
PSD2 and online businesses
Declined payments
The biggest issue facing online businesses that don’t comply with PSD2 is declined payments. Failure to execute SCA during the payment process means that banks, which ultimately decide whether to accept a transaction, will decline the payment.
Not only does this result in a failed sale, but it also frustrates customers. Some customers may decide to use another payment method, such as a bank draft if it’s available, but many will not.
Wróbel-Konior explains the implications: “European businesses, in aggregate, can lose billions of euros in the first months after SCA is brought into force, as a number of merchants have no idea what these new requirements really mean for their businesses and how they can impact the bottom line.”
Conversion rates
Though online business owners know SCA is required, they are also keenly aware that adding any friction in the checkout or payment experience negatively impacts conversion rates. “They are concerned about SCA from a conversion perspective, as it impacts the customer experience,” says Wróbel-Konior.
Moving people from interested visitors to paying customers for products and services is a delicate dance that, when interrupted, can result in an unfortunate tumble. In this metaphor, that tumble is akin to a failed sale — a nightmare for any business owner.
SCA adds a mandatory step, namely customer authentication, which is additional friction for customers. As mentioned previously, the primary method of enacting SCA is through 3D Secure 2.0. Even though this method will be common across the payment landscape, the payment experience may differ depending on how a business or PSP has designed the payment flow.
Wróbel-Konior calls out another consideration: “The challenge will be to provide a smooth user experience depending on the transaction type. For example, it can get more complex with recurring payments.”
Most subscription-based payments are perceived as merchant-initiated, meaning they are outside the scope of SCA. (We discussed this exclusion in Chapter 3.) However, the decision on whether the transaction should be authenticated is ultimately up to the bank.
“Imagine how frustrating it would be for customers to authenticate each of their recurring payments every month. This is why payment platforms need to advance their systems to simplify the purchase process for customers, and aim to help merchants retain their conversion rates,” explains Wróbel-Konior.
How to be PSD2 compliant
As a business owner, there are two primary approaches you can take to comply with PSD2:
- Choose a PSD2-compliant PSP. Many PSPs offer hosted checkout options that take on the burden of PSD2 compliance themselves, assuming they are or will be compliant by the deadline. If you engage with one of these PSPs, you’ll be in the clear. “You’ll also be able to better focus on your core business instead of the legal and administrative concerns of compliance,” says Wróbel-Konior.
- Build authentication into your checkout flow. Whether you want to retain control over the checkout experience directly, or you use a PSP without a hosted checkout option, you’ll have to handle implementing 3D Secure 2.0 into your payment flow yourself. But once you do, you’ll be compliant.
Whichever approach you choose, you’ll need the right tools to keep your business running smoothly after PSD2 is in full force. Check out how JotForm can help, along with its efforts in being PSD2 compliant, in the next chapter.
Impact on payment service providers
Payment service providers (PSPs) in the EU must abide by PSD2 regulations to operate successfully within the region. In the previous chapter, we discussed SCA and why it’s an important aspect of PSD2.
The directive calls for all member states within the EU to enforce the use of SCA with PSPs anytime a user
- Accesses their payment account online
- Initiates a digital transaction
- Performs any action through a remote channel where payment fraud could occur
PSPs will also need to institute appropriate security measures to protect the confidentiality and integrity of users’ credentials.
“PSPs shouldn’t look at complying with PSD2 as only unintentional burdens that need to be managed,” cautions Bellino. “The innovation aspect is an important one to consider as well.” (As a reminder, we noted how PSD2’s open banking initiative provides the opportunity for PSPs of all types to formulate new methods of payment.)
For example, according to a Worldpay report on global payments, by 2022, the number of European consumers paying online with a bank transfer is expected to exceed those using a credit card.
“Consider the Netherlands, where 57 percent of consumers use iDEAL, a direct online transfer from the consumer bank account to the bank account of a merchant. These examples showcase that identifying and providing the preferred payment method for consumers is essential to increasing sales and revenue, increasing security, and reducing fraud,” explains Bellino.
PSD2 and PSPs
3D Secure 2.0
Closely related to SCA is 3D Secure 2.0, which is how SCA is performed at the time of purchase. For added clarity, Bellino defines 3D Secure 2.0 as “the new standard through which SCA is achieved when using a credit or debit card in ecommerce and similar spaces, where transactions are primarily made through digital means.”
You can learn more about 3D Secure 2.0 and how it differs from 3D Secure 1.0 in this detailed 3D Secure 2.0 post.
Are the widely used PSPs PSD2 compliant?
SCA and 3D Secure 2.0 are the main determinants of whether a PSP is PSD2 compliant. We looked into four of the major PSPs used by EU businesses to see whether each is or will be instituting these components to become compliant by the deadline:
- PayPal. This PSP has made it very clear that they are or will be compliant with PSD2. However, business owners may need to take extra steps depending on their payment setup.
- Stripe. This is another PSP that has said they are or will be PSD2 compliant, though not all of their products are currently included.
- Authorize.Net. Though Authorize.Net appears to have no plans for becoming PSD2 compliant, it has a sister brand that is compliant.
- Square. Square is a special case, as it remains unclear whether it will be PSD2 compliant as of September 2019.
Consequences of failing to comply with PSD2
Failure to comply with PSD2 means businesses that serve EU customers will seek out other PSPs that are PSD2 compliant. This effectively ensures the noncompliant PSP will suffer a significant loss of business or, in the case of PSPs that have only EU customers, a complete loss of business. Simply put, a PSP that serves the EU cannot hope to operate successfully if it doesn’t comply with PSD2 regulations, specifically SCA.
While understanding PSPs’ perspectives is important, business owners have concerns about how PSD2 will impact them. We explore these in the next chapter.
JotForm Payment Forms
As an online business owner, you’re always looking for the best way to convert site visitors to paying customers. Unfortunately, SCA adds an extra step in the payment process, which means more friction for your customers.
For the many reasons laid out in previous chapters, implementing SCA is unavoidable when serving EU customers; however, there are alternative ways for you to improve the customer experience.
Enter JotForm, the easy-to-use online form builder. With JotForm, you can
- Enjoy a selection of more than 10,000 online form templates
- Create branded, amazing-looking order forms to improve customer perception and conversion on your digital goods and physical products
- Collect customer information that’s important for delivering your products and services
- Accept payments by integrating order forms with your payment processor of choice
Is JotForm PSD2 compliant? Recall that the onus for PSD2 compliance is primarily on banks and payment service providers (PSPs) — the entities that hold, manage, and are otherwise accountable for your funds at any point during the payment process.
Since JotForm acts as a convenient connector to PSPs, our main focus is ensuring the gateway between us and the PSP is set up appropriately. So the real question is whether the PSP you want to use is compliant. We discussed the PSD2 compliance of several widely used PSPs in Chapter 5.
Your order form options
With more than 10,000 form templates on JotForm, it can be hard to know where to begin. We call out a few forms you might like below, depending on what type of business you’re running. (FYI, our forms come in classic and card versions, which are visually distinct. Choose the style your customers prefer.)
T-shirt order form
Do you sell preprinted or custom-made T-shirts? Here’s an order form template that’s been used more than 1,800 times. Make the form yours by adding high-quality images of your T-shirts and a compelling description.
By default, customers can select the shirt quantity and size, but you can add additional fields if you need more information from them.
Check out this form in its classic and card formats. If this one isn’t your style, there are many other T-shirt order form options to choose from.
Cake order form
Own a bakery? Yum! This themed cake order form has been used 7,000+ times. It could be just what you need to give your customers the opportunity to describe their dream cake.
Besides contact information, this form allows customers to indicate the date they need the cake, serving size, flavor, filling, theme, and more. Customers can even add images of cakes to help you deliver the perfect tasty centerpiece.
Check out this form in its classic and card formats. Looking for a different flavor of form? Here are a few other cake order form options.
Photography order form
Are you a wedding or party photographer? Do you shoot portrait or scenery photos? Then you need a form for people to request the photo packages you offer.
This form comes with prebuilt options customers can pick from. You can, of course, adjust the options to suit your pricing and package offerings. Or feel free to add even more packages.
Check out this form in its classic and card formats. Picturing a different look for your form? Try these other photography order form options.
Any of the above order form templates (or hundreds of others) will ensure you’re ready for business once PSD2 comes fully into force — assuming you’ve used one of the compliance approaches we laid out in Chapter 4.
More about your PSD2 guides
Jeremy Bellino
Bellino is the specialist sales manager at Worldpay, a global acquirer headquartered in London, United Kingdom, and Cincinnati, Ohio. With a decade of experience in payments and payment technology, he’s responsible for supporting customers to make sure they comply with PSD2 SCA in the United States.
“PSD2 is a complex topic that takes a lot of explaining. I’m happy to help anyone who doesn’t quite grasp the topic,” he says.
Sandra Wróbel-Konior
Wróbel-Konior is the content marketing manager at SecurionPay, an online payment platform based in Switzerland. She helps spread the word about PSD2 and how her company is PSD2 compliant to make sure that each SecurionPay client is on the same page.
“We know how confusing PSD2 can be, and we have taken every stride to make compliance as easy as possible for merchants to understand and abide by,” she says.