PSD2 Regulation: How to Be PSD2 Compliant

Banks, payment gateways, and business owners are all concerned about the EU’s second payment services directive, PSD2, and how it will impact their operations. Below we shed some light on the subject by answering several important questions.

What is PSD2?

According to the European Commission, the purpose of the directive is to improve the existing EU rules for electronic payments, making the international payment process (within the EU) easier and more secure. PSD2 takes into account emerging and innovative payment services, such as internet and mobile payments.

The rules of PSD2 focus on different areas:

• Electronic payments. PSD2 contains rules regarding the security of electronic payments. These rules are meant to protect consumers’ financial data, guarantee authentication, and reduce the risk of fraud.
• Payment services. PSD2 increases transparency about the products and services that payment services offer and the information requirements for using them.
• Users and providers of payment services. PSD2 clarifies the rights and obligations of both users and payment services providers.

Sandra Wróbel-Konior of SecurionPay adds that the directive requires banks to provide access to their customers’ accounts via open APIs. “PSD2 is about putting all existing players under one unified regulatory framework, even newer entrants with more modern products. The new regulation is meant to equalize and drive innovation in the European payments market.”

How does it change the payments market?

While the broad idea of PSD2 is to equalize the payments playing field, it also has many specific implications. Here are a few highlights:

• Broadening the EU payment market. PSD2 gives businesses that offer account-information or payment-initiation services entry into the market.
• Enhancing consumer rights. PSDE removes surcharges for using a consumer credit or debit card, includes a “no questions asked” right to a refund for a limited period of time after direct debit purchases, and establishes reduced liability for non-authorized payments.
• Limiting interchange fees. PSD2 caps interchange fees between banks for card-based transactions, which is intended to drive down merchant costs for accepting consumer debit and credit cards.

“Overall, payments across Europe will be more competitive and faster for the end consumer, which means more choices and better services. This will also result in greater consumer trust in the payments market,” says Wróbel-Konior.

What entities does PSD2 impact?

There are several key players impacted by PSD2:

• Account information service providers (AISPs) — entities that use financial institutions’ APIs to provide users with their account information in one application. An example of an AISP is a money management app that accesses and aggregates multiple user accounts for budgeting, spend monitoring, and general convenience. AISPs require prior authorization from the user before gaining access to their accounts.
• Account servicing payment service providers (ASPSPs) — financial institutions such as banks or credit unions
• Payment initiation service providers (PISPs) — entities that may access customer account data and initiate transactions without ASPSPs’ prior commercial agreement. Unlike AISPs, PISPs are authorized to take action with a user’s account, such as making payments on their behalf. An example of a PISP is a financial management tool that transfers a portion of a user’s balance each week to a savings account.
• Third-party providers (TPPs) — entities that are able to initiate payments through PISPs, directly from the customer’s bank account, or provide account information services. In other words, PISPs and AISPs are considered TPPs. (Quite the mouthful!)

What are the important deadlines surrounding PSD2?

Different aspects of the PSD2 have different deadlines:

• EU countries were required to incorporate PSD2 into national law by January 13, 2018.
• Banks were required to implement a testing “sandbox” environment for TPPs that includes APIs, documentation, and support by March 14, 2019.
• Final regulations regarding strong customer authentication (SCA), access to accounts (XS2A), and other related requirements are mandatory as of September 14, 2019.
• Merchants, third-party providers, credit card issuers, payment service providers, and other payment industry players must implement strong customer authentication safeguards by December 31, 2020. After this date, EU member states can take enforcement actions against noncompliant entities. 
• The Financial Conduct Authority, a key financial industry regulator in the U.K., gave payment service providers, banks, and credit card issuers until March 14, 2020 to comply with PSD2’s strong customer authentication requirements. Meanwhile, e-commerce firms and merchants must comply with PSD2’s strong customer authentication mandates by September 14, 2021.

As a business owner, there are two primary approaches you can take to comply with PSD2:

• Choose a PSD2-compliant PSP. Many payment service providers (PSPs) offer hosted checkout options that take on the burden of PSD2 compliance themselves, assuming they are or will be compliant by the deadline. If you engage with one of these PSPs, you’ll be in the clear. “You’ll also be able to better focus on your core business instead of the legal and administrative concerns of compliance,” says Sandra Wróbel-Konior of SecurionPay.
• Build authentication into your checkout flow. Whether you want to retain control over the checkout experience directly, or you use a PSP without a hosted checkout option, you’ll have to handle implementing 3D Secure 2.0 into your payment flow yourself. But once you do, you’ll be compliant.

Whichever approach you choose, you’ll need the right tools to keep your business running smoothly after PSD2 is in full force. Check out how Jotform can help, along with its efforts in being PSD2 compliant, in the next chapter.

PSD2 will have significant consequences for nearly all banks, online payment processors, and third-party payment providers. Here’s a rundown of the short- and long-term PSD2 compliance action plans a few major payment providers have announced.

Stripe is planning to be compliant by the September 14 deadline. EU customers using products such as Stripe and Stripe Connect shouldn’t have any compliance issues. Plus, Jotform has completed the necessary technical steps to become PSD2 compliant for Stripe users.

PayPal also pledges to be fully compliant with the new PSD2 regulations by the deadline. Third-party PayPal providers should research the steps they need to take to be compliant.

CyberSource has announced that they will be able to support 3D Secure 2.0, which is a crucial part of SCA and PSD2. However, they require their third-party users to upgrade to their latest integration.

Unlike many payment methods, Square has not made any public statements about PSD2. At the moment, it’s unclear if they are planning to be compliant. They haven’t provided any information about what their customers should do.

Authorize.Net has also remained silent about PSD2. It’s likely that they will not be PSD2 compliant. One option is to move to CyberSource, an Authorize.Net sister company that has announced they will be PSD2 compliant.

European-based online payment processors Klarna, Ingenico, and Wordline have been working hard to be in line with PSD2 legislation. In fact, Ingenico declared themselves PSD2 compliant as of May 29, 2018.

Below are some of the news and press releases from payment gateways about their PSD2 compliance efforts.

Currently, the entire payment industry is focused on PSD2 — and for good reason. But to truly understand something, you have to know where it came from. That’s why we’re exploring the EU’s first payment services directive (PSD) and the reason it was created.

The origin of PSD

Much-needed regulation

In the early 2000s, payment services began extending beyond the walls of traditional financial institutions. New entrants to the payment industry, like intermediaries and other service providers, meant banks were no longer the only players. These new entrants offered payment services that didn’t necessarily fit within the boundaries of existing rules.

According to Jeremy Bellino of Worldpay, “PSD’s aim was to boost competition across Europe by allowing nonbanks access to the industry, and to create a more level playing field for both consumers and payment providers.”

In addition, the EU felt it necessary to make sure customers were confident that the payments they made were secure. So it created a framework in the form of PSD to better regulate payment services across the EU, replacing individual countries’ national rules.

What PSD covered

PSD created a number of rules, regulations, and guiding points that impacted consumers, merchants, and PSPs alike, including the following:

• Conditions and information requirements for payment services should be transparent.
• Consumers should receive relevant information (for free) before entering into any binding payment service contracts. They should also be able to request their contracts, in writing, at any point during the contract term — again, without being charged.
• Consumers should be able to terminate their contracts with payment service providers after a year without incurring charges. And while consumers need only provide a month’s notice prior to termination, the PSP must provide at least two months’ notice.
• PSPs must not hold consumers liable for losses due to a compromised payment instrument (such as a lost or stolen credit card) once the consumer has notified the PSP of the situation. Along with this rule, the consumer should be held liable for a “limited amount” to provide an incentive for them to notify the PSP of the situation quickly.

In all, there are hundreds of points the EU put forth in PSD that helped shape the payment industry into a more regulated space. You can read them all in the European Commission’s legislative text on PSD.

Why PSD became outdated

While PSD set a clear precedent for providing structure and security within the payment landscape, it couldn’t remain relevant forever. Even as PSD came into force, the payment industry continued to evolve, introducing new technology, processes, and use cases that tested the limits of the original framework. The rise of e-commerce and the introduction of smartphones and other mobile devices are key examples of the type of modern elements PSD could not account for.

Some of the language PSD used showcases why its framework can’t hold up in today’s digitally connected world:

“As the payer is usually present when he gives the payment order, it is not necessary to require that information should in every case be provided on paper or on another durable medium. The payment service provider may give information orally over the counter or make it otherwise easily accessible, for example by keeping the conditions on a notice board on the premises.”

To be fair, PSD did account for some digital aspects of the payment industry, namely e-commerce transactions; however, the space has grown and changed since then, leaving PSD obsolete. Hence the need for PSD2.

Now that we’ve covered the origin story of PSD, let’s get into the changes PSD2 will bring to the payment industry.

Nearly a decade after PSD went into force, the EU determined that an updated version of the directive was necessary. Enter its replacement, PSD2. The regulations put forth in PSD2 account for the modernization of the payment industry in ways PSD couldn’t.

Bellino calls out a key distinction between the first and second versions: “While more innovation and competition remains a central objective, the primary intention of PSD2 is increasing security and reducing overall fraud in the payments ecosystem.”

This fact isn’t surprising given concerning stats about fraud from a 2018 report by the European Central Bank: Within the Single Euro Payments Area (SEPA), the value of CNP fraud losses in 2016 was €1.32 billion. This made it the largest category of fraud in absolute value. In addition, unlike ATM and POS fraud, CNP fraud was the only fraud category that increased compared to the previous year.

What changes does PSD2 enact, and how do they impact the payment industry and fraud rates? Keep reading to find out.

Introducing SCA

PSD2 introduces another big change in the form of strong customer authentication (SCA). Since it’s performed at the time of purchase, SCA is PSD2’s main weapon to combat fraud. Having users verify their identities immediately before remitting payment is the last line of defense before money and items are potentially lost as the result of a fraudulent transaction.

The European Commission defines SCA as an authentication that uses at least two of three verification elements:

• Knowledge — something only the user knows. “These are things like a password or a PIN,” explains Bellino.
• Possession — something only the user possesses. “Think debit or credit card, or a mobile phone,” Bellino says.
• Inherence — something the user is. “This will involve some type of biometric identifier, such as facial recognition or a fingerprint scan,” Bellino notes.

Check out this post that goes into more detail on who SCA is for, how it’s delivered, and more.

SCA exemptions

All countries within the European Economic Area (EEA), including the U.K. (regardless of the outcome of Brexit), are subject to SCA enforcement. Additionally, every business that accepts electronic payments within the EEA is required to be SCA compliant. No businesses are excluded, regardless of the vertical. However, there are several exclusions and exemptions business owners may be able to take advantage of.

“SCA exclusions are out of scope of the SCA mandate, meaning SCA will not be performed,” Bellino explains. These include

• One leg out transactions — payments where the card issuer or acquirer is based outside of the EEA. “For example, if I am a U.S.-based consumer with a U.S.-issued credit card and I want to make a purchase from a U.K.-based business, SCA would not be required,” Bellino explains.
• Merchant-initiated transactions — transactions initiated by the payee (merchant) on behalf of the consumer, such as recurring metered billing and fixed or variable subscriptions/installments. “However,” Bellino cautions, “SCA does apply on the first transaction, when the consumer is establishing the recurring agreement.”
• Mail orders/telephone orders (MOTOs) — These are excluded because the technology to perform SCA does not yet exist for these channels. “We strongly believe this will change in the future as fraudsters turn their attention to MOTOs as the e-commerce space becomes tougher to crack,” notes Bellino.

“SCA exemptions are within the scope of the SCA mandate but must be requested by the merchant, acquirer, or PSP,” says Bellino. These include

• Low-risk transactions — transactions that have been assessed as low risk in real time via a process called transaction risk. To request this exemption, the PSP fraud rate must be below the approved threshold, and the transaction value may not exceed €500.
• Low-value transactions — remote electronic payments less than or equal to €30. This exemption applies to up to five consecutive payments or when the cumulative amount since the last SCA is less than or equal to €100.
• Whitelists of beneficiaries — when a cardholder adds a merchant to a whitelist maintained by the issuing bank, the merchant doesn’t have to use SCA for authentication. “We expect whitelisting support to be more widely available in 2020,” adds Bellino.
• Corporate payments — B2B payments using a secure, dedicated process. These are usually corporate cards that are tied to an entity, not an individual. They are typically used for lodging or are virtual.

Now that we’ve covered PSD2 and its changes from a broad perspective, the next chapter will consider the perspective of payment gateways, processors, and other payment service providers.

Like PSPs, online business owners must comply with PSD2 to operate successfully in the EU. And though many of their concerns may overlap with PSPs, online business owners have a different perspective. Keep reading to see how PSD2 impacts your business and what you can do to be compliant.

PSD2 and online businesses

Declined payments

The biggest issue facing online businesses that don’t comply with PSD2 is declined payments. Failure to execute SCA during the payment process means that banks, which ultimately decide whether to accept a transaction, will decline the payment.

Not only does this result in a failed sale, but it also frustrates customers. Some customers may decide to use another payment method, such as a bank draft if it’s available, but many will not. 

Wróbel-Konior explains the implications: “European businesses, in aggregate, can lose billions of euros in the first months after SCA is brought into force, as a number of merchants have no idea what these new requirements really mean for their businesses and how they can impact the bottom line.”

Conversion rates

Though online business owners know SCA is required, they are also keenly aware that adding any friction in the checkout or payment experience negatively impacts conversion rates. “They are concerned about SCA from a conversion perspective, as it impacts the customer experience,” says Wróbel-Konior.

Moving people from interested visitors to paying customers for products and services is a delicate dance that, when interrupted, can result in an unfortunate tumble. In this metaphor, that tumble is akin to a failed sale — a nightmare for any business owner.

SCA adds a mandatory step, namely authorization, which is additional friction for customers. As mentioned previously, the primary method of enacting SCA is through 3D Secure 2.0. Even though this method will be common across the payment landscape, the payment experience may differ depending on how a business or PSP has designed the payment flow. 

Wróbel-Konior calls out another consideration: “The challenge will be to provide a smooth user experience depending on the transaction type. For example, it can get more complex with recurring payments.”

Most subscription-based payments are perceived as merchant-initiated, meaning they are outside the scope of SCA. (We discussed this exclusion in Chapter 3.) However, the decision on whether the transaction should be authenticated is ultimately up to the bank. 

“Imagine how frustrating it would be for customers to authenticate each of their recurring payments every month. This is why payment platforms need to advance their systems to simplify the purchase process for customers, and aim to help merchants retain their conversion rates,” explains Wróbel-Konior.

How to be PSD2 compliant

As a business owner, there are two primary approaches you can take to comply with PSD2:

• Choose a PSD2-compliant PSP. Many PSPs offer hosted checkout options that take on the burden of PSD2 compliance themselves, assuming they are or will be compliant by the deadline. If you engage with one of these PSPs, you’ll be in the clear. “You’ll also be able to better focus on your core business instead of the legal and administrative concerns of compliance,” says Wróbel-Konior.
• Build authentication into your checkout flow. Whether you want to retain control over the checkout experience directly, or you use a PSP without a hosted checkout option, you’ll have to handle implementing 3D Secure 2.0 into your payment flow yourself. But once you do, you’ll be compliant.

Whichever approach you choose, you’ll need the right tools to keep your business running smoothly after PSD2 is in full force. Check out how Jotform can help, along with its efforts in being PSD2 compliant, in the next chapter.

Payment service providers (PSPs) in the EU must abide by PSD2 regulations to operate successfully within the region. In the previous chapter, we discussed SCA and why it’s an important aspect of PSD2.

The directive calls for all member states within the EU to enforce the use of SCA with PSPs anytime a user

• Accesses their payment account online
• Initiates a digital transaction
• Performs any action through a remote channel where payment fraud could occur

PSPs will also need to institute appropriate security measures to protect the confidentiality and integrity of users’ credentials.

“PSPs shouldn’t look at complying with PSD2 as only unintentional burdens that need to be managed,” cautions Bellino. “The innovation aspect is an important one to consider as well.” (As a reminder, we noted how PSD2’s open banking initiative provides the opportunity for PSPs of all types to formulate new methods of payment.)

For example, according to a Worldpay report on global payments, by 2022, the number of European consumers paying online with a bank transfer is expected to exceed those using a credit card. 

“Consider the Netherlands, where 57 percent of consumers use iDEAL, a direct online transfer from the consumer bank account to the bank account of a merchant. These examples showcase that identifying and providing the preferred payment method for consumers is essential to increasing sales and revenue, increasing security, and reducing fraud,” explains Bellino.

PSD2 and PSPs

3D Secure 2.0

Closely related to SCA is 3D Secure 2.0, which is how SCA is performed at the time of purchase. For added clarity, Bellino defines 3D secure 2.0 as “the new standard through which SCA is achieved when using a credit or debit card in ecommerce and similar spaces, where transactions are primarily made through digital means.”

You can learn more about 3D Secure 2.0 and how it differs from 3D Secure 1.0 in this detailed 3D Secure 2.0 post.

Are the widely used PSPs PSD2 compliant?

SCA and 3D Secure 2.0 are the main determinants of whether a PSP is PSD2 compliant. We looked into four of the major PSPs used by EU businesses to see whether each is or will be instituting these components to become compliant by the deadline:

• PayPal. This PSP has made it very clear that they are or will be compliant with PSD2. However, business owners may need to take extra steps depending on their payment setup.
• Stripe. This is another PSP that has said they are or will be PSD2 compliant, though not all of their products are currently included.
• Authorize.Net. Though Authorize.Net appears to have no plans for becoming PSD2 compliant, it has a sister brand that is compliant.
• Square. Square is a special case, as it remains unclear whether it will be PSD2 compliant as of September 2019.

Consequences of failing to comply with PSD2

Failure to comply with PSD2 means businesses that serve EU customers will seek out other PSPs that are PSD2 compliant. This effectively ensures the noncompliant PSP will suffer a significant loss of business or, in the case of PSPs that have only EU customers, a complete loss of business. Simply put, a PSP that serves the EU cannot hope to operate successfully if it doesn’t comply with PSD2 regulations, specifically SCA.

While understanding PSPs’ perspectives is important, business owners have concerns about how PSD2 will impact them. We explore these in the next chapter.

As an online business owner, you’re always looking for the best way to convert site visitors to paying customers. Unfortunately, SCA adds an extra step in the payment process, which means more friction for your customers. 

For the many reasons laid out in previous chapters, implementing SCA is unavoidable when serving EU customers; however, there are alternative ways for you to improve the customer experience.

Enter Jotform, the easy-to-use online form builder. With Jotform, you can

• Enjoy a selection of more than 10,000 online form templates
• Create branded, amazing-looking order forms to improve customer perception and conversion on your digital goods and physical products
• Collect customer information that’s important for delivering your products and services
• Accept payments by integrating order forms with your payment processor of choice

Is Jotform PSD2 compliant? Recall that the onus for PSD2 compliance is primarily on banks and payment service providers (PSPs) — the entities that hold, manage, and are otherwise accountable for your funds at any point during the payment process. 

Since Jotform acts as a convenient connector to PSPs, our main focus is ensuring the gateway between us and the PSP is set up appropriately. So the real question is whether the PSP you want to use is compliant. We discussed the PSD2 compliance of several widely used PSPs in Chapter 5.

Your order form options

With more than 10,000 form templates on Jotform, it can be hard to know where to begin. We call out a few forms you might like below, depending on what type of business you’re running. (FYI, our forms come in classic and card versions, which offer visually distinct differences. Choose which style your customers prefer.)

T-shirt order form

Do you sell preprinted or custom-made T-shirts? Here’s an order form template that’s been used more than 1,800 times. Make the form yours by adding high-quality images of your T-shirts and a compelling description.

By default, customers can select the shirt quantity and size, but you can add additional fields if you need more information from them.

Check out this form in its classic and card formats. If this one isn’t your style, there are many other T-shirt order form options to choose from.

Cake order form

Own a bakery? Yum! This themed cake order form has been used 7,000+ times. It could be just what you need to give your customers the opportunity to describe their dream cake.

Besides contact information, this form allows customers to indicate the date they need the cake, serving size, flavor, filling, theme, and more. Customers can even add images of cakes to help you deliver the perfect tasty centerpiece.

Check out this form in its classic and card formats. Looking for a different flavor of form? Here are a few other cake order form options.

Photography order form

Are you a wedding or party photographer? Do you shoot portrait or scenery photos? Then you need a form for people to request the photo packages you offer.

This form comes with prebuilt options customers can pick from. You can, of course, adjust the options to suit your pricing and package offerings. Or feel free to add even more packages.

Check out this form in its classic and card formats. Picturing a different look for your form? Try these other photography order form options.

Any of the above order form templates (or hundreds of others) will ensure you’re ready for business once PSD2 comes fully into force — assuming you’ve used one of the compliance approaches we laid out in Chapter 4.

More about your PSD2 guides

Jeremy Bellino

Bellino is the specialist sales manager at Worldpay, a global acquirer headquartered in London, United Kingdom, and Cincinnati, Ohio. With a decade of experience in payments and payment technology, he’s responsible for supporting customers to make sure they comply with PSD2 SCA in the United States.

“PSD2 is a complex topic that takes a lot of explaining. I’m happy to help anyone who doesn’t quite grasp the topic,” he says.

Sandra Wróbel-Konior

Wróbel-Konior is the content marketing manager at SecurionPay, an online payment platform based in Switzerland. She helps spread the word about PSD2 and how her company is PSD2 compliant to make sure that each SecurionPay client is on the same page.

“We know how confusing PSD2 can be, and we have taken every stride to make compliance as easy as possible for merchants to understand and abide by,” she says.