All You Need To Know About PayPal PSD2
It all began in 2007, with the Payment Service Providers Directive (PSD), which sought to contribute to the development of a single payment market in the European Union to promote innovation, competition, and efficiency in the EU.
In 2013, the European Commission proposed an amendment (that’s where the two comes from in PSD2), which aimed to enhance these objectives. It seeks to improve consumer protection, boost competition and innovation in the sector, and reinforce security in the payments market, which is expected to facilitate the development of new methods of payment and ecommerce.
1. What is PSD2?
PSD2 stands for Payment Services Directive 2. PSD2 is a new EU directive regulating payment services in the European Economic Area. This directive requires that we put in place new measures that impact how you access your account and pay with PayPal.
One such measure is the introduction of two-factor authentication for electronic payments, known as 'Strong Customer Authentication' (SCA). For electronic payments in Europe, this extra security is being implemented to help keep online card purchases more secure and prevent fraud.
You can read more about this at:
2. What are the biggest changes?
The changes will have multiple implications, many of which are still unknown, but banks opening their payment services to other companies, the so-called Third-Party Payment Services Providers (TPPs), is causing the most commotion.
PSD2 regulates and harmonizes two types of services that were already in existence when the first PSD was adopted in 2007, but which have become more popular in recent years: on the one hand, the Payment Initiation Services (PIS); and Account Information Services (AIS) on the other.
Account Information Services (AIS) include the collection and storage of information from a customer’s different bank accounts in a single place, allowing customers to have a global view of their financial situation and easily analyze their expenses and financial needs.
Meanwhile, in Payment Initiation Services (PIS), other providers facilitate the use of online banking to make payments online. These services help to initiate a payment from the consumer’s account to the merchant’s account by creating an interface to bridge both accounts, filling in the information needed for the bank transfer (amount of the transaction, account number, message) and informing the store of the transaction. PSD2 also allows clients to make payments to a third party from a bank’s app using any of the client’s accounts (whether they belong to this entity or not).
So far, TPPs have faced multiple obstacles that have prevented them from offering large scale solutions in the different countries of the European Union. By eliminating these barriers, greater competition is expected due to the arrival of new players and the provision of these services by existing actors. In return, the TPPs will have to comply with the same rules as traditional payment service providers: registration, authorization and supervision by competent authorities.
The other major development in PSD2 is the introduction of new security requirements, known as Strong Customer Authentication (SCA). This involves the use of two authentication factors for bank operations that did not previously require them, including payments and access to accounts online or via apps, as well as a stricter definition of what counts as an authentication factor.
Continuing with the example of online purchases, customers will notice changes in the way they authorize their purchases, primarily in the authentication factors they use: reinforced authentication becomes the default level of security, and the written information on the card (card number, expiration date and CVV) will no longer be a valid factor for authentication.
3. How is the new regulation put into practice?
In terms of security, banks had to update the authentication elements they provide their customers, replacing coordinate cards or tokens with cell phone messages or more advanced tokens, for example.
Also, they had to develop systems and processes that allow the bank to make use of the exceptions permitted by the strong customer authentication regulations for transactions whose risk is considered low.
4. And when will all of this take place?
Although several delays have occurred in the development of this regulation (delays in the transposition of the directive into Spanish regulation and the European Banking Authority (EBA) postponing the creation of technical standards to regulate third-party access and strong authentication), PSD2 began gradually entering into force in January 2018.
However, the biggest regulatory milestone was the authentication and third-party access requirements entering into force on September 14, 2019.
That said, not all of these technical requirements have entered into force due to the possible negative impact that PSD2 taking effect could have on ecommerce. As a result, financial institutions will have an additional transition period whose maximum duration has been established by the EBA on December 31, 2020.
5. How will PSD2 affect U.S. businesses?
Although the PSD2 is only being enforced in the European Economic Area (EEA), it will have an effect on U.S. businesses. Essentially, the Strong Customer Authentication (SCA) mandate applies to all merchants doing business in the EEA. So, if your business meets the following criteria, you may need to implement SCA-compliant transactions:
- U.S. entity only but receive EU customers and traffic
If your business receives a significant amount of traffic from Europe, setting up an EU entity could be a good idea.
- U.S. business expanding into the EU
Businesses expanding into Europe will need to comply with PSD2 and SCA, so making the transition as soon as possible will be beneficial.
- U.S. headquarters but entities in the EU
Any U.S. businesses with entities in the EU will need to ensure that their European entities are PSD2-compliant and SCA-ready. Otherwise, you run the risk of declining authorization rates and even declined payments.
6. What do VPCart merchants using PayPal Pro need to do?
A) Register your PayPal Pro Merchant Account with CardinalCommerce (PayPal’s Preferred customer authentication partner)
B) Obtain your Cardinal Credentials
C) Check your VPCart version and populate Cardinal credentials into VPCart PayPal Pro CardinalCommerce
For detailed instructions on how to go about this, simply leave us a ticket on the Helpdesk or follow the instructions at https://helpnotes.vpcart.com/userguide900/#!Documents/paypalpropsd2.htm