PSD2 Is A Disruptive Game Changer And Success Depends On Security, Privacy And Trust

A game-changer

There is no shortage of finance industry news, media and special interest group information about the revised Directive on Payment Services, and for good reason. The revised Directive on Payment Services – or PSD2 – is a game-changer for the financial sector, including the Payment Card Industry (PCI).

A brief recap of the PSD story so far…

The original Directive on Payment Services (PSD), adopted in 2007, was closely aligned with the wider economic vision for the EU – namely to create a single market for payments within the European Union. PSD:

  • Created the rules and guidelines for modern payment services across the EU
  • Simplified payments and processing across the EU
  • Was intended to promote competition by opening payments up to new entrants
  • Set an agenda for payment efficiency, innovation and reduced cost
  • Provided the legal platform for SEPA or Single Euro Payments Area

Building on PSD, the revised Payment Services Directive (PSD2) is more ambitious, aiming to create a level playing field. This was proposed by the European Commission in 2013.

The route from proposal to law was a protracted one, which says something about the UK’s current debate on its relationship with, and continuing membership of, the EU. PSD2 was:

  • Thrashed out by 28 different governments within the EU over some 2 years
  • Formally adopted by vote in the European Parliament on 08 October 2015
  • Text was published in the Official Journal of the EU on 23 December 2015
  • Entered into force on 12 January 2016

Where are we now?

The deadline for member states to transpose PSD2 into their national legal and regulatory frameworks is 13 January 2018, enshrining the objectives of the new legislation in the laws of individual countries. In the UK this gives the Financial Conduct Authority (FCA) an enforceable set of compliance standards for achieving PSD2’s objectives:

  • Standardising, integrating and improving payment efficiency across EU states
  • Harmonising pricing and improving the security of payment processing across the EU
  • Providing better consumer protection
  • Encouraging innovation and reducing costs
  • Creating a level playing field and enabling new entrant payment service providers
  • Incorporating emerging payment methods such as mobile payments
  • Bringing new and emerging payment services under regulatory control

What changes does PSD2 bring?

There are three key changes that result from the implementation of PSD2:

  • Third party Access to Accounts (XS2A)
    • E-commerce providers take online or mobile payment directly from a consumer’s bank account without going via PCI intermediaries; this is known as Access to Accounts, defined by the acronyms TPP (Third Party Provider) and XS2A (Access to Accounts)
  • The use of APIs to take payment
    • The use of an Application Programming Interface (API) to enable payment by directly connecting the merchant and the bank
  • The ability to consolidate account information in a single portal
    • An API enables a new type of financial services company – an Account Information Service Provider or AISP – which aggregates account information to let consumers with accounts at multiple banks view all of them in one portal

What PSD2 means for… The PCI and developers

PSD2 is an alternative, direct payment business model which is disruptive to the PCI. It carries a significant threat of disintermediation to third-party payment intermediaries. This creates a need for change, forcing PCI intermediaries to become more innovative.

PSD2 supports the expansion of the market for two key service provider roles. Intermediaries in the PCI industry may be good candidates for adopting roles as either an:

  • Account Information Services Provider (AISP)
    • To offer online services providing a consolidated view of a user’s payment accounts from across one or more payment service providers
  • Payment Initiation Services Provider (PISP)
    • Initiating payment transactions requested by the user from an account held at another payment service provider

What PSD2 means for… E-commerce and merchants

For e-commerce and other merchants this diversifies payments away from established payment gateways, card schemes and PCI networks, reducing or removing the fees paid to card schemes and other intermediaries in the PCI ecosystem.

  • The current ‘pull’ model means merchants ‘call’ for payment via a card scheme
  • An open Application Programming Interface (API) communicates directly with the payer’s bank, or does so via a third party payment initiator
  • Effectively, online payments are moving to a ‘push’ model – money is taken from the customer’s account via APIs and transferred to the merchant’s account

What PSD2 means for… Banks

Banks sit in a position of significant power in the new PSD2 payment model. However, industry analysts expect the new suite of externally published APIs, which are required to open up the market to new entrants (TPPs – AISPs and PISPs), to cause a significant departure from the ‘hub and spoke’ model that has traditionally governed the relationship between centralised data and the internal distribution channels within banking organisations.

Banks will have to ensure they implement PSD2 in line with compliance requirements and the layers defined by the Open Banking Technical Standards being developed by the Open Banking Working Group (OBWG).

What PSD2 means for… Consumers

For consumers, the implementation of PSD2 by-passes card schemes and the supporting network of intermediaries in the PCI ecosystem. This:

  • Reduces card payment processing costs to merchants, presenting them with the opportunity to pass the savings on to consumers
  • Means dissatisfaction with card payments is likely to become a thing of the past
  • Requires consumers to consent to merchants taking payments from their bank accounts directly via APIs
  • Creates a need for explicit consent by consumers before TPPs may use their data for marketing purposes

PSD2 may be a new model but it’s still about an old value: Trust

There is little doubt that the effect of PSD2 will be anything other than tectonic. For the first time, an e-commerce provider can take money directly from a consumer’s account via an API, with no card-scheme intermediaries in the chain. This is a fundamental shift in how the payments system works and it will have a huge impact on standards across the board.

For all stakeholders, the single most important aspect of PSD2 is trust. Consumer confidence in privacy and security must be protected at all costs. The same applies for preventing unscrupulous or prejudicial practices by the members of the PSD2 community.

Consumers will need to give their explicit consent to allow certain levels of bank account information to be made available through the APIs to the TPP businesses, AISPs and PISPs.
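Consent is the control point: a TPP should only ever be served the data, for the accounts, for the period, that the consumer explicitly agreed to, and nothing more. The following is an added example, not code from the original page or from any bank, PSD2 technical standard or Open Banking specification; the scope names, the consent record layout and the sample consents are all constructed assumptions chosen to illustrate a deny-by-default check that an account-servicing bank might place in front of its XS2A endpoints. It shows an AISP consent that covers balances but not transaction history, a PISP consent that cannot be used to read account data, an expired consent, and a consent presented by a TPP other than the one it was granted to.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Illustrative scope names (assumption: PSD2 does not define these strings).
ACCOUNTS_READ = "accounts:read"
BALANCES_READ = "balances:read"
TRANSACTIONS_READ = "transactions:read"
PAYMENTS_INITIATE = "payments:initiate"


@dataclass(frozen=True)
class Consent:
    """What one consumer explicitly granted to one TPP (hypothetical layout)."""
    consent_id: str
    tpp_id: str              # the AISP/PISP the consumer authorised
    scopes: frozenset        # the kinds of access agreed to
    account_ids: frozenset   # the consumer's accounts the consent covers
    expires_at: datetime
    revoked: bool = False


@dataclass(frozen=True)
class Request:
    """An API call from a TPP, already authenticated as tpp_id."""
    tpp_id: str
    consent_id: str
    scope: str
    account_id: str


def authorise(req, consents, now=None):
    """Return (allowed, reason). Deny by default: every check must pass."""
    now = now or datetime.now(timezone.utc)
    consent = consents.get(req.consent_id)
    if consent is None:
        return False, "unknown consent"
    if consent.revoked:
        return False, "consent revoked"
    if now >= consent.expires_at:
        return False, "consent expired"
    if consent.tpp_id != req.tpp_id:
        # A consent is bound to the TPP it was granted to; presenting it
        # from another TPP must fail even if the scope would otherwise match.
        return False, "consent belongs to a different TPP"
    if req.account_id not in consent.account_ids:
        return False, "account not covered by consent"
    if req.scope not in consent.scopes:
        return False, f"scope {req.scope} not granted"
    return True, "ok"


# Constructed sample data: a fixed "now" and three consents.
NOW = datetime(2018, 1, 13, tzinfo=timezone.utc)
CONSENTS = {
    # AISP: budgeting app may list accounts and read balances on acc-1 only.
    "c-aisp": Consent("c-aisp", "tpp-budget-app",
                      frozenset({ACCOUNTS_READ, BALANCES_READ}),
                      frozenset({"acc-1"}), NOW + timedelta(days=90)),
    # PISP: online shop may initiate a payment from acc-1, valid 15 minutes.
    "c-pisp": Consent("c-pisp", "tpp-shop",
                      frozenset({PAYMENTS_INITIATE}),
                      frozenset({"acc-1"}), NOW + timedelta(minutes=15)),
    # An older consent that has already lapsed.
    "c-old": Consent("c-old", "tpp-budget-app",
                     frozenset({TRANSACTIONS_READ}),
                     frozenset({"acc-1"}), NOW - timedelta(days=1)),
}


def run_examples():
    """Evaluate a set of requests against the sample consents."""
    cases = {
        "aisp_balance": Request("tpp-budget-app", "c-aisp", BALANCES_READ, "acc-1"),
        "aisp_history": Request("tpp-budget-app", "c-aisp", TRANSACTIONS_READ, "acc-1"),
        "aisp_other_acct": Request("tpp-budget-app", "c-aisp", BALANCES_READ, "acc-2"),
        "pisp_pay": Request("tpp-shop", "c-pisp", PAYMENTS_INITIATE, "acc-1"),
        "pisp_reads_balance": Request("tpp-shop", "c-pisp", BALANCES_READ, "acc-1"),
        "wrong_tpp": Request("tpp-shop", "c-aisp", BALANCES_READ, "acc-1"),
        "expired": Request("tpp-budget-app", "c-old", TRANSACTIONS_READ, "acc-1"),
    }
    return {name: authorise(req, CONSENTS, NOW) for name, req in cases.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in run_examples().items():
        print(f"{name:20} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The order of the checks is deliberate: identity and lifetime of the consent are settled before scope is considered, so a denial never leaks whether a particular account or data type exists behind a consent the caller does not hold.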

With consumer consent, however, TPPs have the opportunity to bring together key bank data, including income, purchasing history and debt repayments, to obtain a 360 degree view of the consumer. This includes each individual’s credit risk, as well as their likes and dislikes from a product and service marketing perspective.

Such a dataset presents huge commercial opportunities, such as cross selling. However, consumers are unlikely to jump at the chance of giving their permission simply so that they can be sold to more efficiently and effectively.

The industry will need to identify a strong value proposition to ensure consumer buy-in. Above all, consumers must trust the system is secured against fraud and that data cannot be misused.

Whatever the specific trials and tribulations for the PCI, developers, banks and merchants, the overarching challenge for everyone in the industry is in securing consumer trust by adopting an exemplary approach to privacy and data security.
