What is the EU's revised Payment Services Directive (PSD2) and its impact?

The upcoming PSD2 requirements, which include multifactor authentication for online European payment card transactions, will have a ripple effect on the payments processing industry in the U.S. and elsewhere.

New security requirements for online payments will come into effect in Europe in September as part of the revised Payment Services Directive (PSD2), but they are also expected to make an impact in the U.S. and other regions of the world. The PSD2 brings two major changes to the payments industry: It mandates stronger security requirements for online transactions through multi-factor authentication (MFA) and it forces banks and other financial institutions to give third-party payment services providers access to consumer bank accounts if account holders give their consent.

What are the strong consumer authentication (SCA) requirements?

According to PSD2, financial institutions that hold payment accounts will need to challenge online payments, such as card transactions, initiated by European consumers with two-factor authentication (2FA). This stronger authentication combines something the user knows, such as a password or PIN, with something the user has, such as a code generated by a smartphone app, or with a biometric identifier like a fingerprint or facial recognition. This will result in unique authentication codes for every transaction that will link the customer and the transaction amount.
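The following is an added example, not part of the original article, showing one way an authentication code can be tied to the customer and the transaction amount so that changing either one invalidates it. The HMAC-SHA256 construction, the shared key, the nonce and all names are assumptions chosen for illustration; the article does not describe a specific mechanism.

```python
import hashlib
import hmac
import secrets


def _encode(customer_id: str, amount_cents: int, currency: str, nonce: bytes) -> bytes:
    # Length-prefix each field so ("ab", "c") and ("a", "bc") never encode alike.
    fields = [customer_id.encode(), str(amount_cents).encode(), currency.encode(), nonce]
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def issue_code(key: bytes, customer_id: str, amount_cents: int, currency: str):
    """Return (nonce, code) for one transaction; the fresh nonce makes each code unique."""
    nonce = secrets.token_bytes(16)
    msg = _encode(customer_id, amount_cents, currency, nonce)
    return nonce, hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_code(key: bytes, customer_id: str, amount_cents: int, currency: str,
                nonce: bytes, code: str) -> bool:
    """Recompute the code over the details the bank is asked to execute."""
    msg = _encode(customer_id, amount_cents, currency, nonce)
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, code)  # constant-time comparison


def demo() -> dict:
    key = secrets.token_bytes(32)  # constructed key, assumed shared by bank and customer device
    nonce, code = issue_code(key, "cust-001", 4990, "EUR")  # constructed 49.90 EUR payment
    return {
        "genuine": verify_code(key, "cust-001", 4990, "EUR", nonce, code),
        "amount_changed": verify_code(key, "cust-001", 499000, "EUR", nonce, code),
        "other_customer": verify_code(key, "cust-002", 4990, "EUR", nonce, code),
        "unique_per_transaction": issue_code(key, "cust-001", 4990, "EUR")[1] != code,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

A code issued for one amount fails verification for any other amount or customer, and two identical payments still receive different codes.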

There are several exemptions from these requirements. For example, transactions under 30 euros can be exempted, as well as recurring transactions that have the same payee and amount, like those to subscription-type services. Consumers will also be able to whitelist merchants.

Higher-value transactions can be exempted if the acquiring bank or service ensures low fraud rates through other risk analysis methods -- transactions of up to 100 euros for fraud rates below 0.13%, 250 euros for fraud rates below 0.06% and 500 euros for fraud rates below 0.01%. However, according to a recent report by consulting firm Aite Group and fraud prevention company Iovation on the impact of PSD2, the average fraud rate of most acquirers is well above 0.13%, so it's unclear if such low fraud rates are even achievable.
