Warning: PSD2’s Regulatory Technical Standards are coming soon
Changes will impact on retail and e-commerce businesses
As online purchases are becoming increasingly common, businesses are having to balance the risk of fraud and security breaches with providing a seamless customer experience.
A number of changes have been introduced to the UK’s payment services regime which will have an impact on retail and e-commerce businesses.
The revised Payment Services Directive (commonly known as “PSD2”) is the main piece of EU legislation governing payment services, and it applies to retailers and payment service providers supplying consumers in the EU.
New security requirements may cause friction at the checkout
Because consumers now pay in a wider variety of ways, PSD2 introduces strong customer authentication (SCA) requirements for electronic payments.
The Regulatory Technical Standards (RTS) set out how SCA must be implemented. They are due to come into force on 14 September 2019.
At their core is a two-factor authentication requirement for certain transactions. Whilst the aim is to improve security, retailers should be mindful that the extra step could add friction at the checkout.
Unless an exemption applies, consumers will be required to authenticate a payment with two independent elements drawn from the following three categories:
- Knowledge: something only the customer knows, such as a PIN or password.
- Possession: something only the customer has, such as a registered mobile phone or the payment card itself.
- Inherence: something the customer is, such as a fingerprint or facial scan.
Electronic remote transactions (such as payments made over the internet or via a mobile phone) must also be dynamically linked to the payment: the authentication code generated must be specific to the transaction amount and the payee, the payer must be shown that amount and payee before authenticating, and any change to either must invalidate the code.
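As an added illustration of the dynamic-linking requirement described above (this is example code written for this bulletin, not code from any regulator, bank or payment provider), the following models an issuer that binds each authentication code to the exact amount and payee the customer was shown. The HMAC design, the shared key, the JSON canonical encoding and the one-time nonce are all assumptions made for the example; the RTS requires the binding, not any particular mechanism.

```python
import hashlib
import hmac
import json
import secrets


def canonical_transaction(amount_minor: int, currency: str, payee: str, nonce: str) -> bytes:
    """Unambiguous byte encoding of the elements the code is bound to.

    JSON with sorted keys and no whitespace means, for example, that
    amount 1000 / payee "ab" can never collide with amount 100 / payee "0ab".
    Amounts are in minor units (cents) to avoid floating-point rounding."""
    return json.dumps(
        {"amount": amount_minor, "currency": currency, "payee": payee, "nonce": nonce},
        sort_keys=True,
        separators=(",", ":"),
    ).encode()


class DynamicLinkVerifier:
    """Issuer-side model of dynamic linking (assumed design for this example).

    The authentication code is an HMAC-SHA256 over (amount, currency, payee, nonce)
    under a key shared only with the customer's authentication device. The code
    therefore verifies only for the exact amount and payee displayed to the payer,
    and each nonce is accepted once so a captured code cannot be replayed."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._used_nonces: set = set()

    def _code(self, amount_minor: int, currency: str, payee: str, nonce: str) -> str:
        msg = canonical_transaction(amount_minor, currency, payee, nonce)
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, amount_minor: int, currency: str, payee: str, nonce: str = None):
        """Return (nonce, code) for the amount and payee shown to the payer.

        A nonce may be supplied to make tests deterministic; in use it is random."""
        nonce = nonce or secrets.token_hex(16)
        return nonce, self._code(amount_minor, currency, payee, nonce)

    def verify(self, amount_minor: int, currency: str, payee: str, nonce: str, code: str) -> bool:
        """Accept only if the code matches the presented amount and payee and the nonce is fresh."""
        if nonce in self._used_nonces:
            return False  # replay of a previously accepted code
        if not hmac.compare_digest(self._code(amount_minor, currency, payee, nonce), code):
            return False  # amount, payee or nonce was altered after authentication
        self._used_nonces.add(nonce)
        return True


if __name__ == "__main__":
    # Constructed sample transaction: 49.99 EUR to a hypothetical merchant identifier.
    issuer = DynamicLinkVerifier(key=b"example-shared-key-not-for-production")
    nonce, code = issuer.issue(4999, "EUR", "MERCHANT-123")
    print("genuine:", issuer.verify(4999, "EUR", "MERCHANT-123", nonce, code))
    print("amount changed:", issuer.verify(5999, "EUR", "MERCHANT-123", nonce, code))
    print("replayed:", issuer.verify(4999, "EUR", "MERCHANT-123", nonce, code))
```

The point for a merchant is that a code obtained for one basket cannot be reused for a different amount or a different payee, which is exactly the behaviour the dynamic-linking rule is designed to guarantee.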
Payment service providers will also be required to run transaction monitoring to detect unauthorised or fraudulent payments.
Exemptions to reduce friction in certain circumstances
There are a number of exemptions to the SCA requirements which allow transactions to be processed with minimal friction in particular circumstances.
Such exemptions include the following:
- Contactless and low value payments: face-to-face contactless payments of up to 50 euros per transaction, provided that the cumulative amount since the last application of SCA does not exceed 150 euros or the number of consecutive transactions since then does not exceed five; and electronic remote transactions of no more than 30 euros per transaction, provided that the cumulative amount since the last application of SCA does not exceed 100 euros or the number of consecutive transactions since then does not exceed five. The thresholds are converted into the local currency where relevant.
- Corporate payments: dedicated payment processes and instruments used by businesses, such as ‘secure virtual payments’, virtual cards or B2B cards. The transaction must be initiated by a legal person (e.g. a company) rather than an individual consumer.
- Trusted beneficiaries (whitelisting): consumers can add a merchant to a list of trusted beneficiaries held by their bank, after which future transactions with that merchant do not require additional security checks. Creating or amending the list itself requires SCA.
- Recurring payments: a series of transactions to the same merchant for the same amount (e.g. a monthly subscription charged to a card). SCA is applied when the series is set up and is not required for each subsequent payment.
- Commercial agent: this is an exclusion from the scope of PSD2 rather than an SCA exemption. It applies where payment transactions between a payer and payee are made through a commercial agent authorised, by an agreement, to negotiate or conclude the sale or purchase of goods or services on behalf of the payer or payee. Under PSD2 the exclusion is no longer available where the commercial agent acts on behalf of both parties (payer and payee). Businesses relying on it will therefore need to consider whether it continues to apply to them and whether they can continue to operate outside of the PSD2 regime.
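The low value thresholds above are stateful: whether a payment is exempt depends on what has happened on the same instrument since SCA was last applied. The following is an added example, written for this bulletin and not taken from any bank or payment provider, of how an issuer might track those counters. It takes the conservative reading that the cumulative amount and the count both include the current transaction and that exceeding either cap triggers SCA; an issuer is in fact free to rely on either the amount or the count criterion, so a real implementation may be more permissive. Instrument identifiers and the reset-on-any-channel behaviour are assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Dict

# Thresholds in euro cents, per channel, as stated in the bulletin.
LIMITS = {
    "contactless": {"per_tx": 50_00, "cumulative": 150_00, "count": 5},
    "remote": {"per_tx": 30_00, "cumulative": 100_00, "count": 5},
}


@dataclass
class Counters:
    """Exempt activity on one instrument and channel since the last SCA."""
    cumulative: int = 0  # sum of exempt amounts, in cents
    count: int = 0       # number of consecutive exempt transactions


@dataclass
class LowValueExemption:
    """Issuer-side decision helper (assumed design for this example).

    sca_required() returns True when the low value exemption cannot be applied;
    when it returns False the transaction is recorded against the counters.
    record_sca() resets the counters once SCA has been performed."""

    state: Dict[str, Dict[str, Counters]] = field(default_factory=dict)

    def _counters(self, instrument: str, channel: str) -> Counters:
        per_channel = self.state.setdefault(instrument, {ch: Counters() for ch in LIMITS})
        return per_channel[channel]

    def sca_required(self, instrument: str, channel: str, amount_minor: int) -> bool:
        if channel not in LIMITS:
            raise ValueError(f"unknown channel {channel!r}")
        if amount_minor <= 0:
            raise ValueError("amount must be a positive number of cents")
        lim = LIMITS[channel]
        c = self._counters(instrument, channel)
        # Conservative reading: the current transaction counts towards both caps,
        # and breaching either cap (or the per-transaction limit) requires SCA.
        exempt = (
            amount_minor <= lim["per_tx"]
            and c.cumulative + amount_minor <= lim["cumulative"]
            and c.count + 1 <= lim["count"]
        )
        if exempt:
            c.cumulative += amount_minor
            c.count += 1
            return False
        return True

    def record_sca(self, instrument: str) -> None:
        """SCA was applied on the instrument (any channel): start a fresh window."""
        self.state[instrument] = {ch: Counters() for ch in LIMITS}


if __name__ == "__main__":
    # Constructed sequence for a hypothetical card token "tok-1" paying online.
    issuer = LowValueExemption()
    for amount in (25_00, 29_99, 31_00):
        print(amount / 100, "SCA required" if issuer.sca_required("tok-1", "remote", amount) else "exempt")
    issuer.record_sca("tok-1")  # the 31.00 payment went through SCA, window resets
    for amount in (20_00,) * 5 + (1_00,):
        print(amount / 100, "SCA required" if issuer.sca_required("tok-1", "remote", amount) else "exempt")
```

Note that a transaction which fails the exemption is not added to the counters: it will either be authenticated (which resets the window via record_sca) or declined, and in neither case should it be treated as exempt activity.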
The combination of two-factor authentication and regulated access to customer bank accounts gives retailers an opportunity to lower card-related costs, reduce the risk of fraud and limit the scope of data breaches.
To seize such opportunities, online retailers will need to review their payment strategies and work with payment providers that deliver SCA to provide the most seamless purchasing experience for consumers.
Online platforms that provide the payment services themselves (e.g. Amazon), and therefore handle money belonging to third parties, will be directly responsible for compliance with PSD2.
We can help you
If you would like to discuss any of the above changes in more detail, Jennifer Kelly, Corporate and Commercial Solicitor at HRC Law, would be happy to assist you.
Jennifer can be contacted on T: 0161 358 0545 or at E: firstname.lastname@example.org
This bulletin contains general overview information only. It does not constitute, and should not be relied upon, as legal advice. You should consult a suitably qualified lawyer on any specific legal problem or matter.