However, even though most companies on the market would need several months to adapt appropriately to this first change, a new European directive follows suit and adds additional constraints. The PSD2, or European Directive on Payment Services number 2, came into force on January 13, 2018. However, most of the new rules it entails will only be mandatory from September 2019 onwards, which still leaves some leeway for already overwhelmed companies.
As the name suggests, the latter reinforces internet users’ security, specifically for their online purchases.
To do this, the PSD2 is based on three major subjects, namely:
- Secure communication between banks and Third Party Providers (TPP)
- The obligation of strong authentication for account consultation and binding operations
- The strengthening of consumer rights
What are Third Party Providers?
A TPP is a third-party service provider, i.e. an online service provider that, in this case, operates in relation to your bank. For example, these are applications such as Bankin, Linxo, or Budgea …
There are two types of services offered:
- AISP (Account Information Service Provider): Allows customers to gather all information from their various bank accounts within the same interface
- PISP (Payment Initiation Service Provider): Allows the initiation of payments through their accounts without the need for card details
The first point listed does not concern traditional companies but only third-party providers and banks. The latter will have to find a way to set up a system for sharing the information they hold regarding customer payment data with TPPs in a secure manner.
What is strong authentication?
This point refers directly to work that needs to be done by companies.
Strong authentication is the combination of at least two authentication factors of different natures, drawn from three main categories:
- Knowledge: what you know, such as a password, PIN code…
- Possession: what you have on you, such as your phone, physical key…
- Biometrics: what you are, such as a fingerprint or facial recognition…
In the future, this authentication with (at least) two factors will be required for each financial transaction qualifying as “binding” for amounts over €30. In addition, the consumer will have to renew their authentication every three months.
All of this must, of course, be implemented by companies because, currently, almost none of them offer two-factor authentication during online purchases.
This approach aims to reduce fraud in e-commerce at a time when such fraud is becoming increasingly common.
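To make the “distinct categories” rule and the thresholds concrete, here is an added example (not from the article) of a small policy check in Python: the mechanism names, the use of 90 days for “three months”, and the decision strings are assumptions.

```python
from datetime import date, timedelta

# Category of each authentication mechanism, following the article's three
# categories. The mechanism names are assumed labels for this example.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",
    "sms_otp": "possession",      # code delivered to the customer's phone
    "hardware_key": "possession",
    "fingerprint": "inherence",   # the article's "biometrics"
    "face": "inherence",
}

SCA_AMOUNT_THRESHOLD_EUR = 30.00      # strong authentication above this amount
REAUTH_INTERVAL = timedelta(days=90)  # "every three months" (assumed as 90 days)


def is_strong(mechanisms):
    """Strong authentication needs at least two factors from *distinct* categories.
    A password plus a PIN is still single-factor (both are 'knowledge')."""
    categories = {FACTOR_CATEGORY[m] for m in mechanisms}
    return len(categories) >= 2


def sca_required(amount_eur, last_sca_iso, today_iso):
    """SCA is required above the amount threshold, or when the customer's last
    strong authentication is missing or older than the renewal interval."""
    if amount_eur > SCA_AMOUNT_THRESHOLD_EUR:
        return True
    if last_sca_iso is None:
        return True
    elapsed = date.fromisoformat(today_iso) - date.fromisoformat(last_sca_iso)
    return elapsed > REAUTH_INTERVAL


def decide(amount_eur, mechanisms, last_sca_iso, today_iso):
    """Return 'allowed' or 'sca_required' for a transaction attempt."""
    if not sca_required(amount_eur, last_sca_iso, today_iso):
        return "allowed"
    return "allowed" if is_strong(mechanisms) else "sca_required"


if __name__ == "__main__":
    # Constructed sample attempts (dates chosen around the September 2019 deadline).
    print(decide(45.0, ["password", "pin"], "2019-09-01", "2019-09-14"))      # sca_required
    print(decide(45.0, ["password", "sms_otp"], "2019-09-01", "2019-09-14"))  # allowed
    print(decide(12.0, ["password"], "2019-05-01", "2019-09-14"))             # sca_required
```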
What do we mean when we talk about “strengthening consumer rights”?
This point concerns banks again, including:
- Prohibition of overcharging during credit card payments
- Shortened or even eliminated refund deadlines
- Lowering of the deductible borne by the customer in the event of a fraudulent payment (from €150 to €50)
In short, many things will change by September, bringing new challenges to banks and companies already overwhelmed in the race for GDPR compliance.
It will therefore be necessary to redouble efforts, but it is never too late to receive a little boost by opting for a turnkey solution such as Axeptio, which will take care of your first problem: GDPR.