Payment Services Directive (PSD)
The Payment Services Directive is an EU Directive, administered by the European Commission (Directorate General Internal Market), that regulates payment services and payment service providers throughout the European Union (EU) and European Economic Area (EEA). The Directive’s purpose was to increase pan-European competition and participation in the payments industry, including from non-banks, and to provide a level playing field by harmonizing consumer protection and the rights and obligations of payment providers and users.
Each country in the EU is required to transpose the directive into national legislation and designate a ‘competent authority’ to supervise and enforce its implementation.
PSD contains two main sections:
- Market rules that describe which types of organizations can provide payment services. Next to credit institutions (i.e. banks) and certain authorities (e.g. central banks, government bodies), the PSD mentions electronic money institutions (EMIs), created by the E-Money Directive in 2000. Organizations that are neither credit institutions nor EMIs can apply for authorization as a payment institution if they meet certain capital and risk management requirements.
- Business conduct rules, which specify the transparency of information that payment service providers must offer, including any charges, exchange rates, transaction references and maximum execution time. They stipulate the rights and obligations of both payment service providers and users: how transactions are authorized and executed, liability in case of unauthorized use of payment instruments, refunds on payments, revocation of payment orders, and value dating of payments.
The original Payment Services Directive (PSD) (Directive 2007/64/EC) was amended by a second directive (PSD2) (Directive 2015/2366). The new rules aim to better protect consumers when they pay online, promote the development and use of innovative online and mobile payment options such as through open banking, and make cross-border European payment services safer.
On 13 January 2016, PSD2 entered into force in the EU. In order to support the transposition of the Directive by 13 January 2018, PSD2 gives the European Banking Authority (EBA) the mandate to develop six regulatory technical standards (RTSs) and five sets of guidelines (GLs). The goal of the technical standards and guidelines is to help the various stakeholders in the payment services market put into practice the requirements laid out in the directive.
Generally speaking, PSD2 compliance means adherence to the relevant Regulatory Technical Standards (RTSs) and Guidelines (GLs) issued by the EBA. That said, PSD2 regulates many different aspects of payment services and payment service providers, so compliance can mean many different things, depending on the payment service and the nature of the payment service provider.
Article 97 of PSD2 states that payment service providers need to apply strong customer authentication where the payer:
(a) accesses its payment account online;
(b) initiates an electronic payment transaction;
(c) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.
Article 98 calls on the EBA to issue Regulatory Technical Standards specifying:
(a) the requirements of the strong customer authentication referred to in Article 97;
(b) the exemptions from the application of Article 97;
(c) the requirements with which security measures have to comply, in accordance with Article 97 in order to protect the confidentiality and the integrity of the payment service users’ personalized security credentials; and
(d) the requirements for common and secure open standards of communication for the purpose of identification, authentication, notification, and information, as well as for the implementation of security measures, between account servicing payment service providers, payment initiation service providers, account information service providers, payers, payees and other payment service providers.
Open banking mandated by PSD2 translates into banks providing API access to Third Party Providers (TPPs). While PSD2 mandates that such access be provided and outlines the security controls to be put in place, it is not specific about how the APIs should be implemented.
Strong Customer Authentication (SCA) is defined as the use of two or more authentication elements categorized as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is). SCA should be applied each time a payer accesses its payment account online, initiates an electronic payment transaction or carries out any action through a remote channel which may imply a risk of payment fraud or other abuse.
Composite and Distributed Services is not a term coined or defined by an EU directive or EBA document. That said, it is generally used to describe the post-PSD2 payment system, where the monolithic payment service is replaced by a composite and distributed ecosystem of atomic services that are orchestrated into a new, more sophisticated service.
The Regulatory Technical Standard issued by the EBA on Strong Customer Authentication (SCA) and Common and Secure Communication (CSC) defines a dynamic linking requirement, which requires the payer to authenticate a financial transaction by calculating an authentication code over the transaction data (at least the amount and some information identifying the beneficiary, such as an IBAN) and linking that authentication code to the transaction data, so that the code is valid only for that specific amount and payee.
The purpose of this requirement is to avoid man-in-the-middle attacks against payment applications, whereby an adversary can alter the details of a financial transaction without the payer knowing.
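As an added illustration (not part of the original text or of any EBA document), the following Python models dynamic linking as an HMAC-SHA256 computed over the amount, currency, beneficiary IBAN and a per-transaction nonce, and shows that a code bound to one transaction fails verification when the amount or payee is altered in transit or the code is replayed. The HMAC construction, the field layout, the key handling and the nonce scheme are assumptions; the RTS only requires that the code be specific to the amount and payee.

```python
import hashlib
import hmac
from decimal import Decimal


def canonical_transaction(amount, currency, beneficiary_iban, nonce):
    """Serialize the dynamically linked fields in a fixed, unambiguous order.

    Normalizing the amount (two decimals) and the IBAN (no spaces, upper case)
    ensures payer and bank compute the code over exactly the same bytes.
    """
    amt = f"{Decimal(str(amount)):.2f}"
    iban = beneficiary_iban.replace(" ", "").upper()
    return f"{amt}|{currency}|{iban}|{nonce}".encode("utf-8")


def generate_auth_code(device_key, amount, currency, beneficiary_iban, nonce):
    """Payer side: the possession element (e.g. a registered device) holds
    device_key and computes an HMAC-SHA256 over the transaction data.
    HMAC is an assumed construction; the RTS does not prescribe one."""
    msg = canonical_transaction(amount, currency, beneficiary_iban, nonce)
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


def verify_auth_code(device_key, amount, currency, beneficiary_iban, nonce, auth_code):
    """Bank side: recompute the code over the amount and payee it is about to
    execute. Any change to those fields in transit yields a mismatch."""
    expected = generate_auth_code(device_key, amount, currency, beneficiary_iban, nonce)
    return hmac.compare_digest(expected, auth_code)


def demo():
    """Constructed scenario: one genuine code, then two tampered and one replayed check."""
    key = b"constructed-demo-key-not-a-real-secret"  # constructed placeholder key
    nonce = "tx-000001"  # assumed: one-time value issued by the bank per transaction
    iban = "DE89 3704 0044 0532 0130 00"  # widely used example IBAN, not a real account
    other_iban = "NL91 ABNA 0417 1643 00"  # widely used example IBAN, not a real account
    code = generate_auth_code(key, "150.00", "EUR", iban, nonce)
    genuine = verify_auth_code(key, "150.00", "EUR", iban, nonce, code)
    amount_changed = verify_auth_code(key, "1500.00", "EUR", iban, nonce, code)
    payee_changed = verify_auth_code(key, "150.00", "EUR", other_iban, nonce, code)
    replayed = verify_auth_code(key, "150.00", "EUR", iban, "tx-000002", code)
    return genuine, amount_changed, payee_changed, replayed


if __name__ == "__main__":
    print(demo())  # (True, False, False, False)
```

In a real deployment the bank must also show the payer the same amount and payee over which the code is computed, since dynamic linking only protects fields the payer actually verified.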
Sensitive payment data means data, including personalized security credentials, that can be used to carry out fraud. The name of the account owner and the account number do not constitute sensitive payment data, given all the other security measures put in place.