PSD2: More Than a Handful of Change is on the Payments Horizon

4 min read

06-Jul-2022 16:40:41

The payments landscape is constantly changing and evolving. Why? In short, fraud prevention. As hackers get smarter, payment security and standards must stay at least one step ahead. With both online payments and online fraud on the rise, customers need to be confident that their payments and card details are secure, whilst operators must be 100% certain that their payment offering is watertight.

And there are some important changes on the horizon. You may be aware of new legislation coming into place in the UK affecting the world of payments. It’s worth taking a few minutes to figure out what this PSD2 regulation means for you as an operator as well as for your customers.

So, what’s the big regulation change and when is it happening?

What is PSD2? Payment Service Directive 2. This is a regulation that’s being implemented across the payments industry which will affect all banks, businesses, and customers across Europe. It includes various changes to improve customer security and protection for payment processing, but the main change to be aware of is the requirement for Strong Customer Authentication (SCA) for all electronic payments.

When is it being enforced? PSD2 has already been enforced across the EU but the deadline for the UK has been extended until 14th March 2022.

After this date, the merchant will be charged a higher transaction rate or an additional fee for a non-secure transaction. But don’t worry, GladstonePay will be fully compliant. Additionally, Google Pay and Apple Pay transactions are automatically SCA-covered by their nature.

Payments terminology

Understanding payments terminology

Let’s take a step back for a second and look at the lingo. After all, acronyms are all well and good, but only if we know what they mean. Here are some payment terms you might hear being thrown around in relation to these new changes:

What is SCA? Strong Customer Authentication – You know when you make a payment on your phone and use touch ID or facial recognition to confirm it? This is a great example of SCA. Essentially, it’s a way of double-checking that someone is who they say they are, and it requires at least two of the following:

Something you know – password, pin, secret fact
Something you own – mobile, wearable device
Something you are – fingerprint, voice pattern, facial features

SCA Payments (2)

Payments made through GladstonePay will now ask the user for an SMS code or password as part of the authentication process. But not always...

SCA exemptions

SCA won’t be required for every single payment. There are a few situations that will be exempt, with the ones most relevant to you as an operator being:

Low-value transactions – anything below the value of £30 will be exempt from SCA. So, a customer paying for their £7 circuits class most likely won’t be affected. However, if the customer initiates more than five consecutive low-value payments or if the value of the total payment exceeds £100, SCA will be required.

Subscriptions – any regular payment that stays the same amount each time is also exempt, so a monthly membership fee won’t require SCA each month, only when it is first set up.

This means that in the leisure industry, the transactions most likely to require SCA will be:

Annual membership fees paid up-front as a lump sum
Joining fees plus the first monthly payment (if the total exceeds £30)

What is 3DS? 3-Domain Secure – this is a protocol designed to provide an extra layer of security to debit and credit card transactions and is a way to achieve SCA. You might have seen this as ‘Verified by Visa’ or ‘MasterCard SecureCode’ or similar when making an online purchase. Currently, after being redirected to your bank’s 3D Secure page, you will only be required to prove your identity if the transaction is deemed to be ‘high risk’. However, when SCA is enforced, this double authentication will happen every time (excluding the exemptions listed earlier).

3DSv1 vs 3DSv2? There are now two versions of 3DS. Both are compliant for SCA purposes, but 3DSv1 can cause issues for merchants by flagging transactions as non-secure which can levy additional charges or higher transaction fees. Whereas 3DSv2 uses enriched data flows to provide a much smoother customer experience so is the recommended way to achieve SCA. Implementation of 3DSv2 also counts towards a firm’s overall PCI compliance level when it comes to their annual acquirer review.

How does PSD2 affect me?

The good news is if you’re using a payment gateway that is implementing changes to become compliant, or already adheres to these regulations, there’s nothing you need to do. Our own payment gateway, GladstonePay, uses a hosted page integration that has already been updated to 3DSv2 and meets all PSD2 and SCA requirements, so in this case, you’re good to go.

If you use an alternative payment provider, you might have already been informed of their current or planned compliance with the new PSD2 regulation. If not, it’s worth asking them what their plan is for full transparency.

Get ahead of the game

Being aware of these changes now means you’ll have plenty of time to inform your customers that an additional step might be involved in their payments from March. It’s also a good opportunity to educate your customers on what genuine banks won't ask for (eg. full password or PIN number) to help protect them from fraud. Not currently using GladstonePay?