PSD2: What to Expect in 2020

Updating Payment Services Directive (PSD) 1, a nearly 20-year-old protocol, has not been easy. A lot has changed in the last two decades— including the introduction of smartphones and tablets and the exponential growth of e-commerce and cybercriminals. So, it’s no surprise that developing and implementing PSD2 has been fraught with issues and delays.

But because PSD2 serves to enforce data protection and liability rules while creating safer online payments — and because its effective date is only months away — it is important for e-commerce merchants and the entire payment industry to understand the implications. Here’s what you can expect from PSD2 this year.

Extended Deadline for Compliance

While the PSD2 directive was supposed to become effective Sept. 14, 2019, the European Banking Authority (EBA) revised the deadline to Dec. 31, 2020.

The delay stems from banks and merchants who were not prepared by March 14, 2019 to implement the new standards, consequently missing the six-month testing period. In fact, 41% of European banks surveyed reported they failed to meet the March 2019 deadline and didn’t provide a testing environment to third-party service providers — a critical step for the successful launch of the directive.

Another reason for the deadline extension was that some banks and financial providers expressed concern about compliance and were reluctant to release transaction and customer data.

The EBA states they expect the new end-of-year deadline will give everyone ample time to implement changes.

Amended Fraud Reporting Guidelines

In January 2020, the European Banking Authority published amendments to its 2018 fraud reporting guidelines under PSD2, including a change to reporting templates based on European Commission clarifications. In an attempt to ensure all transactions are reported consistently and correctly, the amendment also adds two data fields for reporting transactions in which Strong Customer Authentication (SCA) isn’t used.

Continued Commitment to Security

The main components of PSD2 — including SCA and transaction risk analysis — are still firmly in place, reinforcing the directive’s security-based slant. Banks are still required to implement multifactor authentication for transactions and will require customers to enter a combination of something they know (e.g., password), something they are (e.g., fingerprint) and something they have (e.g., token).

Despite the PSD2’s focus on security, some inadequacies are still present:

Fraud will not be eliminated, because it does not account for alternative payment methods, like debits or payments in advance.
The liability shift away from merchants will not cover all transactions, including transactions in which an error occurs, or authentication fails or is unavailable.
Lack of experience can affect results. While issuers may now have the benefit of access to more data, it is unclear if they will all know how to manage and what to do with it.
Reduced transparency can muddle fraud prevention. Merchants will want to ensure they can access post-checkout transaction data that is processed through SCA, including the percentage of orders that were declined and data that gives insight into fraudulent activities.

Increased Flexibility for Assessing Risk

Not every financial transaction carries the same amount of risk. For example, low-value payments are less risky than a large payment to a new beneficiary. So, PSD2 gives banks the flexibility to implement security measures commensurate with risk potential. In addition, some transactions will be exempt from SCA requirements, such as merchant-initiated transactions, transactions less than €30, and transactions to trusted beneficiaries.

Thanks to this flexibility, banks can ensure they are striking the proper balance between improved security and a seamless customer experience.

Updated PSD2 Mandate Timelines

While the deadline for EU companies to implement PSD2 isn’t until year-end, that doesn’t mean banks should be waiting until then to make their move. Instead, every party in the e-commerce ecosystem should be taking steps to help them meet these PSD2 mandate timelines:

March 14, 2020 — EMV 3DS 2.1 Visa mandate for issuers begins
July 1, 2020 — EMV 3DS 2.1+ Mastercard mandate for issuers begins
14, 2020 — EMV 3DS 2.2 Visa mandate for issuers begins
31, 2020 — SCA implementation deadline

Supplementing PSD2 With Fraud Prevention

Wherever you are in the world, it’s important you spend time evaluating your business’s current fraud prevention systems and determine if they support new PSD2 requirements. It’s just as important to ensure that they are robust enough to protect against emerging fraud threats, comply with new regulations and improve the customer experience.

That’s precisely why businesses trust the ClearSale Fraud Protection Solution, which protects you and your customers through the use of advanced artificial intelligence and expert staff. Not only do we help keep your fraud rates low, but we can also help you take advantage of available exemptions to maximize frictionless authentication.