Payment regulations in Europe are becoming increasingly complex as regulators hone their focus on digital technologies. For merchants and merchant aggregators, compliance with payment regulations is vital for avoiding costly fees, maintaining relationships with card networks, and ensuring security.
As digital payments have skyrocketed in popularity, European payment authorities are beginning to re-examine key regulatory requirements to reflect the risks of new technological advancements.
If you operate in European markets, keeping up with changes to payment regulations is crucial.
Old and New Regulations
The Payments Services Directive (PSD) that began as far back as 2005 when first conceived released a major update in 2018 and it was repealed and replaced by PSD2. PSD2 brought new requirements for payment transactions and anyone doing e-commerce in Europe and forced them to make changes to their payment stack.
The credit card brands also come into play in regard to upcoming regulations as well. Visa, Mastercard and others implemented mandates around 3D Secure 2 (3DS2), which is something you’ll need to know about as well.
There is certainly a lot of information out there and it can be complicated, so this piece aims to simplify it. We’ll break current mandates down into a basic overview. If you would like to dig deeper into each topic, source links are provided. This article will focus on card not present payments, but the regulations can affect card present transactions as well.
What are PSD2, SCA, & 3DS2?
The two main players in the European regulatory landscape are the European Banking Authority (EBA) and the PCI Security Standards Council (SSC). These authorities are responsible for regulating and enforcing key regulations like PSD2, SCA, and 3DS2.
The EBA is an independent EU authority responsible for the PSD2 regulation — which includes the SCA requirement — while the PCI DSS is the main authority that oversees the 3DS2 regulation.
Here is a quick breakdown of the basic goals and requirements of each of these regulations:
- PSD2: The Payment Services Directive (PSD) is a set of regulatory rules focused around payments in the European region. Originally adopted in 2007, the first iteration of PSD aimed to better regulate payments in Europe. The second iteration of PSD, called PSD2, went into effect in 2016 with full compliance expected by 2018. Regulators designed PSD2 to create a more integrated and efficient payments market in Europe. Currently, PSD2 is under legislative review, with a new legislative proposal focused mainly on instant payments was released on June 28, 2023.expected sometime in 2023.
- SCA: Strong Customer Authentication (SCA) is a specific requirement of PSD2 that came into effect in 2019. SCA encompasses a strict set of requirements that must be applied when an electronic payment is initiated by a payer. The SCA process is designed to validate user identity for payers and determine whether the use of a payment instrument is properly authorized. With the upcoming changes to PSD2, we are likely to see adjustments to SCA requirements as well.
- 3DS2: 3D Secure is a multi-factor authentication protocol that helps to confirm a payer’s identity during a transaction and acts as an additional layer of fraud prevention. This protocol is a major component of PCI compliance and was first used by Visa before becoming a broader standard for all major card networks. 3D Secure 2.0, or 3DS2 for short, was developed to provide a more frictionless and simplified authentication process. Early adoption of 3DS2 began in 2017, with most major card networks halting support for 3DS1 in 2022.
A Closer Look At The Regulations
With the European regulatory landscape for merchants and merchant aggregators becoming increasingly complex and dynamic it’s important to take a look at each regulation individually. Each shift is prompting significant changes in several key areas of compliance, with its own unique set of challenges. Breaking everything down allows a simpler path to a solution.
To understand the Payments Services Directive and PSD2 you need to understand that its creation stems from initiatives of the European Union. Why? To establish a Single Euro Payments Area, or SEPA, and regulate how payment services should operate in Europe (not to be confused with SEPA Direct Debit).
Its purpose is to increase competition by ensuring participation by banks and non-banks alike. It also ensures consumer protection by controlling the obligations between users and providers.
PSD2 dictated rules that European providers must follow in January 2017, however it did not become a law until December 31st, 2020. One of the biggest changes with this regulation was that banks now have to open up their systems and data to third parties.
This will bring about new use cases and applications to fulfill a part of the competitive goal. Some openness was already happening, but this set the requirement in stone. It also introduced new requirements for user identification in order to reduce fraud. This was done to protect consumers, and banks for that matter, in this new age of openness.
SCA: Strong Customer Authentication Under PSD2
The most important component or change for user identification coming with PSD2 is the requirement of Strong Customer Authentication. This requirement dictates that consumers must authenticate using additional parameters.
Gone are the days of only a username and password. This was something the user knew or in many cases could not remember. One step authentication is becoming more and more insecure, as it only requires something “known” which could be obtained or hacked with relative ease.
Now, customers will need to identify themselves with two of three categories. The categories are knowledge, possession, and inherence. Often referred to as, something you know, something you possess, and something you are.
Source: Our Preferred Partner Stripe
Since this is a banking regulation, this obviously encompasses payments as well, since banks are effectively behind all of the payment transactions. Of course merchants are concerned about this because already transactions have a set success rate. What happens when additional requirements are placed on users to complete an online transaction? Most assume that success rates will fall.
3DS (3D Secure)
3-D Secure (3DS) has been in existence for some time now, utilized in Europe as well as a firm requirement in other countries like India and South Africa. It was implemented as a secure authentication method for online transactions.
Later, EMV 3-D Secure was developed by EMVCo, the same organization that developed smart chips for credit cards. EMVCo is overseen by EMVCo’s six member organizations - American Express, Discover, JCB, Mastercard, UnionPay, and Visa.
Each brand adopts the current 3D secure protocol into their services, and has branded this service differently. Visa is Verified by Visa, Mastercard is Mastercard SecureCode, American Express is SafeKey, etc.
The first generation of the service provided for authentication of the user by the issuing bank (consumers were often redirected to the bank website to enter in a pin). This caused a rise in cart abandonment and a decline in success rates which limited adoption and merchant satisfaction.
3DS2 (3D Secure 2)
A new standard, 3D Secure 2, was created in 2015 by EMVCo and is now being promoted as a solution for SCA under PSD2. The main advantage is reduced friction in the user experience — to help solve for the aforementioned cart abandonment problem. The specification also calls for it to meet the standards needed for SCA in order for it to co-exist with the European requirements.
3DS2 will require merchants to send additional data with each transaction, so that the bank can determine if the cardholder is the actual transactor. If the data matches what the bank requires, then the transaction can continue on a “frictionless” flow and will not need user input. This will have to match with exemptions and what is allowable for SCA to qualify once SCA is in place.
If the data is not acceptable, and the transaction also didn’t meet an acceptable exemption, then the bank will respond with a “challenge” for user authentication. If challenged, 3DS2 has an improvement over 3DS removing the explicit redirect. The challenge can be presented in the customer application, or in the bank’s application on a mobile device if installed, providing for a better user experience.
How are PSD2, SCA, & 3DS2 Changing?
The evolving PSD2 regulation is set to be centered around enabling instant payments across the EU.
Since their origins, PSD2 and 3DS2 have been deeply tied, as 3DS2 is often applied to develop solutions for the SCA requirement. As a result, any changes to the PSD2 regulation inherently impact 3DS2.
With this in mind, let’s look at the current PSD2 timeline and the progress regulators are making:
- Initial Consultations (May 10th, 2022): In May 2022, the European Commission launched two official consultation-reviews of PSD2. These consultations involved both stakeholders and the general public, with the goal of gathering evidence for the application and impact of PSD2. The Commission launched these consultations as part of an ongoing effort to better enable and regulate open finance in the EU.
- First Legislative Proposal (October 26th, 2022): In October 2022, the European Commission adopted the first legislative proposal for providing instant payment capabilities to all citizens and businesses with bank accounts in the EU. As part of the proposal, the Commission outlined the goal to make instant payments in the EU affordable, secure, and frictionless.
- PSD2 Study (February 2nd, 2023): In February 2023, the European Commission carried out a study on the impact of PSD2, looking specifically at the regulation’s relevance, effectiveness, efficiency, coherence, and EU-added value. This study included recommendations for PSD2 revisions across the topics of consumer protection, open banking, and scope and exclusions.
- Legislative Proposal Adoption (2023): The next step in the PSD2 regulatory process is for the European Commission to adopt an official legislative proposal that is either a revision of PSD2 or an entirely new iteration of the Payment Services Direction (popularly referred to within industry speculations as PSD3). This proposal adoption is expected sometime in 2023, at which point the Commission will provide specific information on new requirements and deadlines.
The changes to PSD2, SCA, and 3DS2 in 2023 are yet to be finalized but we can say with confidence that any changes are sure to deal with instant payments. In the PSD2 study discussed above, researchers and regulators highlighted several key findings that give us potential insights into new regulations, including:
- More balanced payment service provider requirements for SCA, licensing, and transparency
- Increased cost efficiency in open banking, API development, and SCA implementations
- Greater standardization of regulatory implementation processes for EU Member States
- Clarified expectations for interactions between PSD2 regulations and MiCA regulations
- Improved collaboration between supervisory authorities
In terms of instant payments specifically, the 2023 PSD2 study and the earlier 2022 legislative proposal identify four key points of interest that are likely to shape the final regulatory changes:
- Making instant payments universally available across the EU
- Preventing payment service providers from charging additional costs or fees for instant payments
- Increasing security measures to improve the detection of errors and fraud in instant payments
- Boosting the efficiency of instant payment sanction screenings
All-in-all, the main takeaway is that changes to PSD2, SCA, and 3DS2 will be centered around enabling instant payments in a way that is financially inclusive, affordable, and secure.
Ah, but what about the exemptions you ask? What if I just exempt all my transactions? Not so fast. If all of them could be exempted then that really defeats the directive, so only a few types will be allowed. And even those have uncertainty as the different participants work with the EBA to determine exactly how they will be implemented.
Here are the exemptions that are allowed under PSD2 rules around SCA (subject to additional details around the directive's exact requirements).
- Article 12 - Unattended terminal for transport and parking
- Article 13 - Trusted beneficiaries: This is generally where the consumer has already whitelisted the merchant to run transactions
- Article 14 - Recurring transactions: Similar to 13, this is where the consumer has already given permission for the merchant to run subsequent recurring transactions
- Article 15 - Credit transfers to self: Where the consumer and the payee are the same and both accounts are the same service provider
- Article 16 - Low-value transactions: Where the amount of the remote electronic payment transaction does not exceed €30 and the cumulative amount of previous remote electronic payment transactions initiated since the last challenge does not exceed €100 or 5 consecutive individual remote electronic payment transactions.
- Article 17 - Secure corporate payment processes and protocols
- Article 18 - Transaction risk analysis: PSPs are allowed to notify authorities that they intend to use real time risk analysis to qualify certain transactions if they can show that the overall fraud rate is less than the required threshold. The thresholds are: 0.13% to exempt transactions below €100, 0.06% to exempt transactions below €250, and 0.01% to exempt transactions below €500.
Each exemption is separate, and only one needs to be requested even if multiple are eligible. As with any kind of exemption it is likely that some will carry more weight than others, but we believe this is something that will develop over time.
All that to say that even still if a PSP or a merchant request an exemption, the issuer might override that exemption and request SCA. Since the issuer has the most information, and a full view of the payers usage, they remain the authority in determining whether to require them to authenticate or not. Non-exemption can occur even for transactions where the consumer is not currently engaged in the flow, like the case with recurring transactions. Merchants will need to be prepared that there can be an “off-session” flow to have customers authenticate transactions that were not exempted whether it be SMS or email to pull them back to the application.
In the end all parties are invested in making sure the consumer is able to pay when they want to, and that fraud is reduced.
What Regulations Are Next?
Although the deadlines for the current iterations of PSD2 and 3DS2 have already come to pass, changes to these regulations are on the horizon. To stay ahead of regulatory changes, merchants and merchant aggregators need trustworthy compliance providers to optimize their payment systems.
Spreedly offers the payment orchestration capabilities needed to not only stay in line with the latest compliance requirements but to also focus efforts on developing your core value.
With Spreedly, you can minimize your compliance burden thanks to our Level 1 PCI Compliance and built-in 3DS2 solution. Our team helps future-proof your payments strategy by supporting a diverse approach to compliance that considers both global and region-specific regulatory changes.
Make Spreedly your trusted partner to ensure success with PSD2, SCA, and 3DS2 compliance. Connect with our security team today to get started.
Download the PCI Compliance eBook Below