EU Payment Services Directive 2017 (PSD2) & Strong Customer Authentication



Download your free eBook now so you can read later when you have more time!



by Natasja Bolton, Managing Information Security Consultant. [Published on 11/12/2018]


PSD2: came into affect in January 2018

To be followed by the security measures and SCA requirements of the Regulatory Technical Standards (RTS) in September 2019.


• Aims:
– Address the growth of online remote payment fraud;
– Stimulate innovation and competition in the payment services market;
– Level the playing field for existing and new players in this market;
– Increase security and improve consumer protection for payment transactions and access
account information.


PSD2 applies to:

• All 28 EEA countries
– Austria; Belgium; Bulgaria; Croatia; Cyprus; Czech Republic; Denmark; Estonia; Finland; France; Germany; Greece; Hungary; Italy; Latvia; Lithuania; Luxembourg; Malta; Poland; Portugal;
Republic of Ireland; Romania; Slovakia; Slovenia; Spain; Sweden; The Netherlands; and United Kingdom.
Plus: Iceland; Lichtenstein; and Norway.
• Applicability based on the country location of the servicing Payment Service Provider (PSP).


What does PSD2 enable?



EU Payment Services Directive 2017 (PSD2) & Strong Customer Authentication



Account Servicing Payment Service Providers (ASPSPs):
• Financial institutions (usually banks) provide accounts to customers and from or to which the customer issues payments.
• Responsible for giving AISPs access to customer accounts with their consent.

Account Information Service Providers (AISPs):
• Given access to account information by the ASPSP.
• Consolidates customer’s financial information (balance and transaction data) from payment accounts held across one or many ASPSPs.
• Can support personal financial management by providing analysis and oversight of spending and revenue patterns.
• Allowed to access customer account information without prior commercial agreement of the ASPSP.



EU Payment Services Directive 2017 (PSD2) & Strong Customer Authentication


Payment Initiation Service Providers (PISPs)
• Initiates payments on behalf of the customer from the customer’s account with an ASPSP.
• Allowed to initiate payment transactions without prior commercial agreement of the ASPSP.

Account Servicing Payment Service Providers (ASPSPs):
• Financial institutions (usually banks) provide accounts to customers and from or to which
the customer issues payments.
• Responsible for giving AISPs access to customer accounts with their consent.


Benefits from PSD2

• More protection from fraud.
• Greater choice when initiating electronic payments:
– Pay direct from bank accounts;
– Payments from all devices.
• More visibility – holistic view of finances – easier to manage and control spending.

Merchant Businesses
• Can offer a wider range of payment options.
• Increased competition between PSPs; more choice of providers.
• Possible cost advantage: payments received direct from payer’s account vs. payment methods
that levy interchange fees.
• Reduced volume of fraudulent transactions.


Authorisation and Regulation

All payment services providers (PSPs) to be authorised and regulated by the relevant national competent authority (e.g. FCA in the UK):

• As electronic money institutions or;
• Payment institutions.

Under PSD1, authorised entities were those that provided:
• Services enabling cash to be paid into or withdrawn from a payment account and operations
of a payment account;
• Execution of payment transactions – such as direct debits, credit transfers and card payments;
• Issuing of payment instruments (e.g. issuing credit or debit cards);
• Acquiring payment transactions;
• Money remittance.


Under PSD2, authorisation is also a requirement for:
• Account information services (AISPs);
• Payment initiation services (PISPs).


Potential impact on marketplaces/online booking platforms

Platforms that bring together and act as agents for buyers and/or sellers;
• May no longer be able to rely on the ‘commercial agent exemption’ from licensing as a
regulated PSP;
• Commercial agent exemption now only available when acting on behalf of either the payer or
the payee;
• If acts as intermediary for both buyers and sellers without itself selling the product or service,
and receives payments that are owed by buyers to seller, must now apply to become a licensed
provider of regulated payment services;
• Unless the platform does not possess or control funds (i.e. relies on a licensed payment service
provider to do this).


PSD2 implementation

Regulatory Technical Standards (RTS): the implementation requirements
• To be complied with by PSPs.
• Covers the requirements for:
– Transaction monitoring mechanisms to enable detection of unauthorised or fraudulent payment transactions;
– Strong Customer Authentication (SCA), authentication codes and dynamic linking;
– Exemptions from SCA;
– Confidentiality and integrity of authentication data;
– Secure and open communication. ASPSPs must provide AISPs and PISPs at least one free interface (API) enabling a secure communication channel to access payment accounts.


PSD2 RTS Applicability

• Online access to a payment account (savings accounts are excluded).
• Any electronic payment.
• Any action through a remote channel which may imply a risk.

• Face to face and unattended proximity payments;
• Remote ecommerce/mcommerce payments including in-app payments;
• Credit transfers and setting up of electronic mandates;
• Online and mobile banking;
• Payments in any currency.

• Mail order and telephone order (MOTO);
• Unattended transport fare or a parking fee payments;
• Limited network/closed loop payments;
• Direct debit;
• Anonymous prepaid transactions;
• Inbound cross-border transactions: payment account held by a PSP outside of EEA or payment card issued outside of the EEA.


Webpage URL

Find out more about our Cyber Security and Compliance Solutions

Request a Callback

Potential impact on online booking platforms

Platforms where there is no payment transaction;
• Online booking platforms where card details are provided as a guarantee but no payment transaction takes place: may not be in scope.
• But this may be an ‘action through a remote channel which may imply a risk’? (No specific guidance has been issued on this).
• Any subsequent ‘no show’ payment transaction would be MOTO; hence not in scope for SCA.


Platforms taking pre-payments or a deposits;
• Some platforms accept Advanced Purchase or deposit bookings but the payment transaction
is not online:
– Payment is manually re-keyed by the merchant as Card Not Present MOTO.
• Will be in scope and SCA will need to be applied at point of purchase.
• Requires technical and process change to ensure SCA is implemented for these.


What is Strong Customer Authentication (SCA)?

Authentication process that validates the identity of the user.


Authentication based on the use of at least two factors:
– Knowledge – something only the user knows;
– Possession – something only the user possesses;
– Inherence – something the user is.


• Factors must be from two different categories and independent of each other.
• Process designed to protect the confidentiality of the authentication data.
• A single device, such as consumer’s smart phone, can be used for both authentication
and shopping:
– Mitigate risk through use of separated secure execution environments (software
within the device) and measures to ensure integrity of device or software.


For remote transactions


EU Payment Services Directive 2017 (PSD2) & Strong Customer Authentication


Successful authentication must result in the generation of an authentication code; used by the authenticated user (consumer) to access their payment account and to make online payments.


A dynamically generated code that must be linked to the payment transaction amount and recipient and may only be accepted once by the PSP.


Dynamic linking is not required for proximity payments: EMV Chip and PIN transactions fully comply with SCA requirements.


Exemptions – when PSPs do not need to apply SCA:

AISPs accessing consumers’ account – SCA only the first time and every 90 days.
Low-value contactless payments – payments €50 or below; as long as the cumulative amount or number of transactions since the last SCA does not exceed €150 or 5 consecutive payment
Payments to trusted beneficiaries – consumer-defined white lists held by the ASPSP. SCA applied to create or amend the beneficiary.
Subscription or recurring transactions – for the same amount to the same payee. SCA is applied to the first payment. SCA is needed for variable amount ‘Merchant Initiated Transactions’: businesses may need to ask customers to white-list them as trusted beneficiary or use direct debit.
Low-value remote electronic payment transactions – payments €30 or below; as long as the cumulative amount or number of transactions since the last SCA does not exceed €100 or 5 consecutive payment transactions.
Secure corporate payments – if dedicated payment processes and protocols are used and levels of security ‘satisfy’ the competent authorities. Exemption covers corporate payments made with ‘lodged’ cards (e.g. corporate card held by company travel agent) and payments made using virtual card numbers.
Remote low-risk transactions: Transaction Risk Analysis (TRA).

PSP has the right to avoid SCA provided:
– Its overall fraud rate is below reference thresholds (Exemption Threshold Values) as set by European Banking Authority (EBA) for the type of transaction;
– Transaction monitoring mechanisms are in place to enable real-time risk analysis and risk scoring;
– No risk factor has been identified for the payment, such as abnormal spending or behavioural patterns, unusual information about payer’s device/software access, malware infection,
abnormal location of payer, high-risk payee location etc;
– The risk monitoring engine has been assessed by qualified auditors.
Majority of 3D Secure (3DS) providers already apply TRA when using risk-based analysis to decide whether to challenge a transaction.


Exemption Roles



• Neither payee nor merchant can decide whether or not to apply an exemption.
• Only PISPs (e.g. the merchant’s acquirer) and ASPSPs (e.g. the payer’s bank or card issuer) can exempt transactions from SCA.
• The merchant’s PISP may apply an exemption for:
– Contactless payments at POS;
– Unattended terminal for transport and parking;
– Recurring transactions;
– Low-value transactions;
– Transaction risk analysis (TRA).
• If the merchant’s PISP applies the exemption:
– It will be liable for the transaction;
– The ASPSP may still override the exemption.


Webpage URL

Find out more about our Cyber Security and Compliance Solutions

Request a Callback

SCA Responsibilities & Expectations

The merchant business’ role
• To support SCA methods (e.g. integrate 3D Secure 2.0 by April 2019);
• Analyse their PSP’s fraud rates, select a low fraud rate PSP to maximise use of TRA exemption;
• Work with PISP to agree an exemption strategy:
– To take merchant preferences into account;
– To ensure a low friction consumer payment experience.
• Consider implementing own fraud management program.
– If agreed with PISP and if PISP fraud rate is below reference thresholds;
– May give merchant more control over when to apply the TRA exemption.


The acquiring business’ role (the PISP)
• May operate their own SCA methods or rely solely on ASPSP’s SCA process;
• Make sure their merchants support SCA:
– For card payments, the card schemes have mandated 3D Secure 2.0 support by merchants,
acquirers and issuers by April 2019.
• Have the most effective transaction monitoring, risk analysis and fraud controls:
– To keep fraud levels at or below reference thresholds;
– To maximise ability to request TRA exemption.
• Be prepared to accept liability in order to maximise frictionless transactions and conversion


The customer bank’s or issuer’s role (the ASPSP)
• Provide adapted customer interface or dedicated interface allowing AISPs and PISPs access
to payment accounts information and payment initiation:
– Dedicated interface to be ready for other providers to test by March 2019;
– Allow any AISP or PISP access as long as they have clear consumer consent and are
properly registered.
• Implement SCA;
– That PISPs and AISPs can fully rely on.
• Support whitelisting of trusted beneficiaries, apply SCA when list entries are added,
amended or deleted;
• Have effective transaction monitoring, risk analysis and fraud controls:
– To keep fraud levels at or below reference thresholds;
– To maximise ability to offer TRA exemption.


PSD2 & SCA – Conclusions

PSD2 opens up the payment services market, enabling new services that support developing consumer technologies, on a level playing field for all.


PSD2 will have noticeable consumer and merchant impacts: both parties will have more payment options and, through the application of SCA, a reduced risk of fraud.


PSD2 enhances consumer rights and increases consumer trust:
– Reduced liability for non-authorised payments, prohibits surcharges based on
means or location of payment;
– Enforces stronger security for data access and payments.
Streamlined SCA processes (e.g. 3DS 2.0’s support for biometrics) and effective risk analysis and fraud management will be key to:
– Maximising application of SCA exemptions;
– Minimising disruption (frictionless transactions);
– Maximising conversion rates and business growth.

Like this Article?

Subscribe to receive more tips & news about Cyber Security, Compliance and a lot more!

  • Sysnet Global Solutions will use the information you provide on this form to be in touch with you regarding non-promotional as well as promotional material by email and phone. If you agree to same, then please select the ‘I consent’ box after reading the terms and conditions listed below in relation to consent. You can change your mind at any time by clicking the unsubscribe link in the footer of any email you receive from us, update your preferences for communications, content etc. by clicking on the update my preferences button in any email we send you or by contacting us at We will treat your information with respect. For more information about our privacy practices please visit our website. By clicking below, you agree that we may process your information in accordance with these terms. We use Pardot as our marketing automation platform. By clicking below to submit this form, you acknowledge or agree that the information you provide will be transferred to Pardot for processing in accordance with their Privacy Policy and Terms