PSD2 in brief

DSP2, you have surely heard about it in recent months. Entered into practice on September 14, 2019, the new version of the European Directive on Payment Services (PSD2) is at the heart of banking and commercial news. However, it does not date from yesterday. Adopted in November 2015, its “big sister” (or DSP1) dates from 2007.

What does the DSP consist of?

This measure aims to strengthen the protection of consumers when they shop in the Member States. The dematerialization of transactions is indeed accompanied by an increase in fraud, which it is essential to counter.

The PSD2 emphasizes "strong authentication" with the program, changes that will be required at European level:

  • Reinforcement of authentication when connecting to online banking services: from now on, the customer will no longer be able to connect with his password and his username only but will have to go through a strong authentication at least once every 90 days via a one-time code sent by the banking establishment. Several channels will be available: SMS, via the mobile application or even by voice message.
  • Improved security during online payments by bank card: here, it is the generalization of 3D secure which is the flagship measure. In addition to entering their bank card details, the customer must enter a one-time code on the payment page or on their mobile application. However, for purchases less than 30 euros, this code may not be requested but the merchant's responsibility will be engaged with a compulsory refund in the event of fraud.
  • Reinforcement of authentication during contactless payments: for purchases not exceeding 30 euros, the customer can pay with contactless (that is, without inserting your bank card into the terminal) and entering your 4-digit secret code. With DSP2, contactless payments will now have to go through strong authentication in two cases:
  1. When the customer has made 150 euros in cumulative purchases
  2. When the customer has carried out 5 consecutive operations since the date of his last strong authentication

In these two cases, the customer will therefore have to pay in a "classic" way by inserting his card into the terminal and entering his secret code. These new measures will impact professionals in the sector, in particular banks and payment organizations, which will have to update their payment services and will have to develop new APIs (Application Programming Interface). Merchants will also be obliged to integrate security measures when shopping online, even if these measures were not mandatory before DSP2, most merchants have started this transition with the introduction of 3D-Secure in particular.

Although adopted in November 2015, PSD2 was put into effect in January 2018 with the publication of technical standards in March 2018. There followed an 18-month transition period which allowed payment organizations and merchants to implement these regulatory technical standards (RTS) relating to strong authentication. September 14, 2019 therefore marks the gradual application by all these actors of these security standards (RTS) on strong authentication. However, its full implementation will take longer than expected, as most banks have fairly old IT systems that are not very compatible with PSD2. At present, 75% of the APIs of European banks are available but only 18% are usable. Italy and the Netherlands are in the lead with 33% of operational APIs against 10% in France, and 0% in Germany… This is why professionals have extra time to integrate these new measures. Strong authentication should be extended around the end of 2020 in Europe.

E-Pay Space Team,

Next Post Previous Post