PSD2: Definition and measures

Discover the new version of the European Payment Services Directive (PSD2)

You’ve probably heard a lot about PSD2 in recent months. Taking effect on September 14, 2019, the new version of the European Payment Services Directive (PSD2) is at the heart of banking and business news. And yet it is not new: it was adopted in November 2015, and its “big sister”, PSD1, dates back to 2007.

What is PSD2?

PSD2 aims to strengthen consumer protection when shopping within member states. The dematerialisation of transactions is accompanied by an increase in fraud, which it is vital to counter.

The focus is on “strong authentication”, with changes on the agenda that will become mandatory at European level:

– Reinforced authentication when logging on to online banking services: from now on, customers will no longer be able to log on using just their password and user ID, but will have to go through strong authentication at least once every 90 days via a single-use code sent by the banking institution. Several channels will be available: SMS, via the mobile application or even by voice message.
– Enhanced security for online credit card payments: the key measure here is the widespread use of 3D-Secure. In addition to entering their credit card details, customers must also enter a one-time code on the payment page or on their mobile application. For purchases of less than 30 euros this code may not be required, but the merchant will then be held responsible, with a mandatory refund in the event of fraud.
– Enhanced authentication for contactless payments: for purchases of up to €30, customers can pay contactless (i.e. without inserting their bankcard into the terminal), by entering their 4-digit PIN. With PSD2, contactless payments will now require strong authentication in two cases:
1. When the customer has made a total of 150 euros in purchases
2. When the customer has carried out 5 consecutive transactions since the date of their last strong authentication

In both cases, customers will have to pay in the “classic” way, by inserting their card into the terminal and entering their secret code.
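The contactless counters described above, as an added example (not code from this article or from any payment scheme). The names `CardState`, `authorise` and `replay` are hypothetical, and the sketch assumes that a limit trips once the stated total has been reached and that the chip-and-PIN fallback succeeds and resets both counters.

```python
from dataclasses import dataclass

# Thresholds as stated in the article, in euro cents to avoid float rounding.
CONTACTLESS_LIMIT_CENTS = 30_00   # ceiling for a single contactless purchase
CUMULATIVE_LIMIT_CENTS = 150_00   # contactless total since last strong authentication
MAX_CONSECUTIVE = 5               # contactless payments since last strong authentication


@dataclass
class CardState:
    """Per-card counters kept since the last strong authentication."""
    cumulative_cents: int = 0
    consecutive: int = 0


def authorise(state: CardState, amount_cents: int, contactless: bool) -> str:
    """Return 'CONTACTLESS_OK' or 'SCA_REQUIRED' and update the counters."""
    if amount_cents <= 0:
        raise ValueError("amount must be positive")
    needs_sca = (
        not contactless
        or amount_cents > CONTACTLESS_LIMIT_CENTS
        # Assumption: a limit applies as soon as the stated total is reached.
        or state.cumulative_cents >= CUMULATIVE_LIMIT_CENTS
        or state.consecutive >= MAX_CONSECUTIVE
    )
    if needs_sca:
        # Assumption: the customer pays by chip and PIN, which counts as
        # strong authentication, so both counters start again from zero.
        state.cumulative_cents = 0
        state.consecutive = 0
        return "SCA_REQUIRED"
    state.cumulative_cents += amount_cents
    state.consecutive += 1
    return "CONTACTLESS_OK"


def replay(amounts_cents):
    """Run a constructed series of contactless taps through one card's counters."""
    state = CardState()
    return [authorise(state, amount, contactless=True) for amount in amounts_cents]
```

With a 30-euro ceiling per tap, five taps total at most 150 euros, so under these figures the count limit is reached no later than the cumulative one.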

These new measures will have an impact on industry professionals, particularly banks and payment organisations, which will have to update their payment services and develop new APIs (Application Programming Interfaces). Merchants, too, will be obliged to incorporate security measures into their online purchasing processes. Although these measures were not mandatory prior to PSD2, most merchants have already begun this transition, notably with the introduction of 3D-Secure.

Although adopted in November 2015, PSD2 came into force in January 2018, with the technical standards published in March 2018. An 18-month transition period followed, enabling payment organisations and merchants to implement these regulatory technical standards (RTS) on strong authentication. September 14, 2019 therefore marks the progressive application of these standards by all these players. However, full implementation will take longer than expected, as most banks have fairly old IT systems that are poorly compatible with PSD2. At present, 75% of European banks’ APIs are available, but only 18% are usable. Italy and the Netherlands lead the way, with 33% of APIs operational, compared with 10% in France and 0% in Germany. This is why professionals have been given extra time to integrate these new measures. Strong authentication is due to be rolled out in Europe around the end of 2020.
