PSD2 REGULATIONS AND CARD PAYMENTS IN E-COMMERCE

INTRODUCTION
« PSD2 » is the acronym for the second Payment Services Directive, Directive (EU) 2015/2366 of 25 November 2015. It is the European regulation that lays down the regulatory framework applicable to electronic payments in Europe.
The directive prescribes the mandatory application of specific security measures and procedures for electronic payment transactions, in particular those carried out at a distance. These measures and procedures are built around the concept of « strong customer authentication » (« SCA »).
The requirement to perform SCA when initiating an electronic payment transaction is an obligation on the payment service providers (PSPs) that issue payment instruments to verify the identity of the payer using two independent security elements (authentication factors) each time the payer makes a payment in a physical or online store.
The obligation to perform SCA when initiating an electronic payment transaction has applied to face-to-face purchases since 14 September 2019. For online purchases it will be phased in over the coming months, and the authentication factors requested will not be the same as for face-to-face purchases.

KEY ASPECTS OF E-COMMERCE CARD PAYMENTS
The use of SCA for card payments over the Internet changes the way payment service users make purchases: payers will no longer be able to pay online with their card details alone (card number, expiry date and security code). Instead they will have to verify their identity during the payment process, for example by entering an additional one-time code received on their mobile phone, or by approving the transaction in the banking app linked to their phone, which itself requires a password or fingerprint.
Strong customer authentication for Internet payments is based on the combined use of two of the following three types of authentication factor:
Knowledge: something only the payer knows, for example the online banking password.
Possession: something only the payer has, for example the mobile phone on which one-time passwords sent by SMS are received.
Inherence: something the payer « is », for example biometric elements such as facial recognition or fingerprints.

In this way the issuer of the payment instrument can be confident that the payer is who they claim to be. Each issuing institution decides which authentication factors it will ask its customers for, so the shopping experience may vary depending on the card being used.
There are, however, a number of situations in which the issuer does not have to ask for both authentication factors on every payment, which improves the user experience without reducing the security of the payment.

SITUATIONS WHERE SCA MAY NOT APPLY
Applying SCA to cardholders is the responsibility of the card-issuing bank, although PSD2 (through the RTS on SCA) provides for a number of situations, called exemptions, in which issuers are allowed not to apply SCA because the transactions are considered lower risk. SCA may therefore not be applied in the following cases:
Low-value transactions: remote e-commerce payments of 30 euros or less (or the equivalent in another currency) are considered low-value payments. A ceiling is also set beyond which SCA must be requested again: at most 5 consecutive transactions without SCA, or a cumulative amount of EUR 100 without SCA, counted since the last time SCA was applied to the card.
Recurring transactions: a series of payments with the same amount and the same payee. SCA is required on the first transaction of the series and whenever any element changes (for example, if the card used for the payments is changed).
Secure corporate payment processes and protocols: issuing banks have the option not to apply SCA to legal entities that initiate electronic payment transactions through payment processes or protocols that are only available to non-consumer payers, where the competent authorities are satisfied that those processes or protocols ensure a level of security at least equivalent to that provided for by PSD2.
Payment transactions to payees on a trusted list: the trusted beneficiary list, or white list, is a mechanism that lets a customer designate the merchants they consider trustworthy; PSD2 then allows the issuing bank not to perform SCA on that customer's purchases at those merchants.
Low fraud risk transactions: the TRA exemption (transaction risk analysis). It allows certain e-commerce transactions to be exempted from SCA provided a real-time risk analysis is performed and the PSP applying the exemption (issuer or acquirer) keeps its fraud rate below the reference thresholds set out in the RTS for the relevant amount band; the exemption is only available for transactions up to EUR 500.
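
The low-value exemption is the one rule above with enough moving parts to be worth coding. The following Python snippet is an added example, not part of the original page and not any bank's or regulator's software: it models the per-card counters an issuer must keep « since the last application of SCA » and decides whether a remote payment may be exempted. The class and function names are invented for illustration, the thresholds are those of Article 16 of the RTS on SCA (Delegated Regulation (EU) 2018/389), and the sample payments are constructed. It checks both the consecutive-count and the cumulative-amount limits, which is a conservative design choice: the RTS lets the issuer rely on either one.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import List

# Limits of the low-value exemption for remote electronic payments,
# Article 16 of the RTS on SCA (Delegated Regulation (EU) 2018/389).
LOW_VALUE_LIMIT = Decimal("30.00")     # per-transaction ceiling
CUMULATIVE_LIMIT = Decimal("100.00")   # unauthenticated running total since last SCA
CONSECUTIVE_LIMIT = 5                  # unauthenticated transactions since last SCA


@dataclass
class CardCounters:
    """Per-card state the issuer keeps since the last SCA on that card (illustrative name).

    Both counters restart at zero every time SCA is actually performed, because the
    RTS measures the limits 'since the last application of SCA'.
    """
    cumulative_since_sca: Decimal = Decimal("0.00")
    consecutive_since_sca: int = 0

    def reset(self) -> None:
        self.cumulative_since_sca = Decimal("0.00")
        self.consecutive_since_sca = 0


def low_value_exemption_applies(amount: Decimal, counters: CardCounters) -> bool:
    """Return True if the issuer may skip SCA for this remote payment.

    Conservative reading (design choice, not mandated by the RTS): the payment must be
    EUR 30 or less, must not be the sixth consecutive unauthenticated payment, and must
    not push the unauthenticated running total above EUR 100.
    """
    if amount > LOW_VALUE_LIMIT:
        return False
    if counters.consecutive_since_sca >= CONSECUTIVE_LIMIT:
        return False
    if counters.cumulative_since_sca + amount > CUMULATIVE_LIMIT:
        return False
    return True


def authorise(amount: Decimal, counters: CardCounters) -> str:
    """Issuer-side decision for one remote card payment.

    Returns "EXEMPT" when the payment proceeds without SCA (and updates the counters)
    or "SCA_REQUIRED" when the issuer must challenge the payer. In the latter case the
    counters are reset, which models a *successful* SCA; a failed challenge would leave
    them untouched.
    """
    if low_value_exemption_applies(amount, counters):
        counters.cumulative_since_sca += amount
        counters.consecutive_since_sca += 1
        return "EXEMPT"
    counters.reset()  # SCA performed: limits are measured again from this point
    return "SCA_REQUIRED"


def run_sequence(amounts: List[str]) -> List[str]:
    """Apply a sequence of payment amounts to a fresh card and return the decisions."""
    counters = CardCounters()
    return [authorise(Decimal(a), counters) for a in amounts]


# Constructed sample: five payments of EUR 20 reach both the count limit (5) and the
# cumulative limit (EUR 100), so the sixth requires SCA; EUR 45 is never eligible;
# after an SCA the counters restart and a EUR 10 payment is exempt again.
SAMPLE = ["20.00", "20.00", "20.00", "20.00", "20.00", "20.00", "45.00", "10.00"]

if __name__ == "__main__":
    for amt, decision in zip(SAMPLE, run_sequence(SAMPLE)):
        print(f"{amt:>7} EUR -> {decision}")
```

Run as a script to see the decisions for the constructed sequence. Note that the cumulative limit can trip before the count limit does: four payments of EUR 30 need SCA on the fourth (the total would reach EUR 120) even though only three unauthenticated payments have been made.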

FREQUENTLY ASKED QUESTIONS ABOUT SCA

What exactly is Strong Customer Authentication (SCA)?
Strong Customer Authentication, or « SCA », is the set of new security measures that make card payments even more secure: it is the way in which issuing banks will verify the identity of cardholders when they order payments in face-to-face or online shops.
These measures have applied to face-to-face purchases since 14 September 2019. For online purchases they will be phased in over the coming months, until full enforcement in January 2021.

How does it affect payments made in online shops?
Until now, customer authentication in secured online shops has been done by asking the customer to enter the card number, expiry date and CVV, plus a 4-digit one-time code sent to their mobile phone by SMS.
Once SCA is required, a customer making a purchase at an online store will still be asked for the card number and expiry date, but in addition the bank that issued the card will ask for 2 of the following 3 types of authentication factor:
Knowledge: something you know, for example your online banking password, or selected positions of a PIN or security card.
Possession: something you have, for example the bank’s app linked to your smartphone, or the mobile phone on which you receive one-time passwords sent by SMS.
Inherence: something you « are », for example biometric elements such as facial recognition or fingerprints.

What exactly are the authentication factors that will be requested?
Issuing banks will ask their cardholders for the authentication factors that are most convenient and user-friendly for them, according to how those customers use technology and interact with the bank.
As a result, a customer’s shopping experience at a given store may differ depending on the bank that issued the card used to pay.

Could SCA be skipped either because the issuer decides to accept the risk or because of an agreement with the customer?
No. The Banco de España has confirmed that SCA must always be applied unless the transaction falls outside the scope of the requirement (for example, cross-border transactions where the other party’s payment service provider is located outside the EU) or one of the exemptions provided for by law applies.

Should SCA be applied to returns or refunds?
No, since refunds are not considered payment transactions initiated by the payer.

Are transactions through merchant payment apps that are categorised as e-commerce really e-commerce if the buyer is physically present?
Yes. They are transactions initiated via the Internet or through a device that can be used for remote communication, so they are treated as remote electronic payments. This covers transactions made over the Internet and transactions made from a mobile phone (a purchase made over the Internet from a phone is not a « contactless » purchase, even if the buyer is in the shop).

In e-commerce purchases where the exact amount is not known at the time of purchase, is the SCA performed at the time of purchase valid for the final amount?
The European Banking Authority has clarified that, both where the payer has pre-authorised the blocking of a maximum amount and where no such pre-authorisation was given, if the final amount is equal to or less than the amount the payer agreed to, the transaction can be executed without requesting SCA again; if the final amount is greater, the issuer must either request SCA again or reject the transaction.

How can a shop get onto a white list?
The white list is held by the issuing bank but is created by the customer, and only the customer can modify it. For this reason the European Banking Authority has established that issuing banks may not suggest new entries or changes to the list to their customers. Nothing, however, prevents the merchant from informing its customers of this possibility and even suggesting it to them. Adding a merchant to the list must be done in the issuer’s environment (for example, its online banking or app) and itself requires SCA.

How can you tell whether a shop is on a white list?
Issuers are not legally required to inform the acquiring bank or the merchant whether a business is included in a customer’s white list, and sharing that information without the cardholder’s express consent could breach data protection law. Nothing, however, prevents the merchant from obtaining this information from its own customer.
Moreover, the final decision on whether to apply SCA to a transaction lies with the issuer, so on risk grounds it may decide to apply SCA to a transaction even if the merchant is on the customer’s white list.