Year in Review: PSD2 The gap between the idea and the reality

2019 was marked by the various regulations which affected IT security and the protection of personal data. The Payment Services Directive is emblematic in that it perfectly illustrates the difference between the idea underlying the adoption of regulations and the reality which sometimes contradicts the very objective of the law.

Indeed, on September 14, the rules modifying cashless payments were to enter into force and be applicable throughout the EU, as well as within the EEA. The Directive was to guarantee better protection of customers’ personal data and strengthen the security of data transmission over the Internet.

Only payment services that comply with PSD2 could be used for purchases made on the Internet using bank cards. Strong customer authentication (SCA) is one of the key elements of the new directive: those who will accept cashless payments will have to require two-factor authentication. Recall that the regulations specified the conditions surrounding strong customer authentication to be applied each time a payer accesses his online payment account, initiates an electronic payment transaction or performs an action, using a means of communication to distance, which may involve a risk of payment fraud or any other fraudulent use.

Traders are not yet fully prepared for PSD2

Businesses face another difficulty: while banks and third-party providers such as fintechs are well prepared to meet the deadline, some businesses that offer online payments could not be ready to provide a payment process complies with PSD2 from September 14.

According to an EU-wide study on the payment platform Stripe and 451 Research, turnover will drop by € 57 billion in the first year after the application of the Directive. This would have an impact on the trade sector and would reverse the objectives which the EU was pursuing by implementing this new directive: greater security, increased protection against fraud, greater innovation by registered third parties and, above all, an improved, practical and frictionless customer experience. As a result, a large number of transactions could have been abandoned, leading to a loss of turnover for traders, and dissatisfaction with customers.

Widespread carry-over

In view of the current situation, the authorities in charge of implementing PSD2 in certain European countries have decided to postpone it in order to grant more flexibility to traders.

In France, the strengthening of authentication during online payments has been postponed to 2022 by France. The Banque de France is now planning a migration in two stages, following requests from professionals in the sector.

1) the deployment by issuers of strong customer authentication solutions

2) the migration of the 3D-Secure technical base

In the United Kingdom, the Financial Conduct Authority postponed the entry into force of the SCA until March 2020 to connect to online banking services. Note that BREXIT should not have any effect on the implementation of strong authentication in the payment sector. The Hungarian National Bank plans to postpone it for almost twelve months.

 The German regulator, BaFin, has not yet specified the duration of the additional period which is granted to the actors like the Bank of Italy, the Polish KNF, the Bank of Spain, the Dutch Central Bank (but in Dutch ), the Finnish Financial Supervisory Authority.

The new deadlines granted in each country for the implementation of the PSD2 Directive represent a chance to change the security process gradually while avoiding any economic risk. However, traders should not wait and they must seize the opportunities offered by the postponement of the Directive to better tackle this change.