CarderPlanet
In September 2019, the transition period to the new standards of the European Union's second Payment Services Directive (PSD2) ended. By that point, banks and payment service providers (PSPs) had to bring their legal and technical arrangements in line with the directive.
Nazar Malinovsky, lawyer and CEO of Beforis, explains what changes the directive brings.
Open banking and new players
The directive introduces the principles of open banking, which essentially deprive banks of their monopoly on user data. Banks are obliged to open their APIs and, with the consent of the account holders, share customer data with third parties.
Such changes in the financial ecosystem bring new players to the market: AISPs and PISPs.
Account Information Service Provider (AISP) - a service provider that can collect information about the financial activity of users across different payment institutions. For example, a client will be able to view information about all accounts opened in different banks in one application.
Payment Initiation Service Provider (PISP) - a provider that can process payments on behalf of the payer. With its help, customers will be able to pay for a service directly from their bank account, buy goods online or transfer money.
In the new model, the banks themselves get a somewhat cumbersome name: Account Servicing Payment Service Provider (ASPSP), the payment service provider that services the account. AISPs and PISPs will now communicate with the ASPSP directly through new interfaces that look similar to the Facebook login window used for authorization on external sites. That is, the client will not need to enter any data for payment, but only log in to the bank to confirm a particular operation.
Of course, the transfer of data, like payment transactions, will only take place with the consent of the client. And the responsibility for storing information and managing consent lies with banks and payment institutions.
Strong Authentication: Additional Payment Protection Measures
As part of the directive, new technical authentication standards for accepting online payments, known as Strong Customer Authentication (SCA), are becoming mandatory.
Strong Customer Authentication is a requirement developed by European regulators to reduce the likelihood of fraud and make online payments more secure.
In order for the payment processing system to be SCA compliant, you need to add one more step to the checkout process - authentication.
According to SCA requirements, authentication must include at least two of three components (three are recommended):
- what the user knows: for example, a password or PIN code;
- what the user owns: phone, card, hardware token;
- what is unique about the client: fingerprint recognition, face recognition.
Certain types of payments may be excluded and not subject to SCA rules, in particular:
- Low-risk payments: bank processors and PSPs themselves assess the risk of a transaction and decide whether to use SCA or not.
- Payments below €30. There are exceptions here: every 5th transaction is additionally confirmed, as is the next transaction after a purchase over €100.
- Recurring subscription payments: like paying for Netflix or Apple Music.
- Payments initiated by merchants: debiting money from a saved card without the payer's participation in the checkout process. For example, cashless payments for rides in Uber.
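The two-of-three rule and the exemptions listed above can be expressed as a PSP-side decision function. This is an added example, not code from the article or from any payment provider; the method names, counters and function names are constructed, and tracking the €100 condition as a running total of exempted payments since the last authentication is an assumption of this sketch.

```python
from dataclasses import dataclass

# Factor categories from the list above; method names are constructed labels.
CATEGORY = {"password": "knows", "pin": "knows",
            "phone": "owns", "card": "owns", "hardware_token": "owns",
            "fingerprint": "is", "face": "is"}
LOW_VALUE_EUR = 30       # payments below this may skip SCA
EVERY_NTH = 5            # every 5th low-value payment is confirmed anyway
RUNNING_TOTAL_EUR = 100  # assumption: total of exempted payments since last SCA

def factors_ok(methods):
    """SCA passes only with methods from at least two different categories."""
    return len({CATEGORY[m] for m in methods if m in CATEGORY}) >= 2

@dataclass
class PayerState:
    exempt_count: int = 0      # low-value payments exempted since the last SCA
    exempt_total: float = 0.0  # their summed value in EUR

def sca_required(amount, state, recurring=False, merchant_initiated=False,
                 low_risk=False):
    """Return (required, reason) for one payment, checking exemptions in turn."""
    if recurring:
        return False, "recurring subscription"
    if merchant_initiated:
        return False, "merchant-initiated"
    if low_risk:
        return False, "low risk per PSP assessment"
    if amount >= LOW_VALUE_EUR:
        return True, "not a low-value payment"
    if state.exempt_count + 1 >= EVERY_NTH:
        return True, "every 5th low-value payment"
    if state.exempt_total + amount > RUNNING_TOTAL_EUR:
        return True, "running total over limit"
    return False, "low value"

def process(amount, state, methods=(), **flags):
    """Decide, enforce the two-category rule, and update the payer's counters."""
    required, reason = sca_required(amount, state, **flags)
    if required:
        if not factors_ok(methods):
            return "declined"          # e.g. password + PIN: one category only
        state.exempt_count, state.exempt_total = 0, 0.0
        return "authenticated"
    if reason == "low value":          # only this exemption consumes the counters
        state.exempt_count += 1
        state.exempt_total += amount
    return "exempt"
```

A password plus a PIN is declined because both fall in the same category, and the counters reset only after a successful authentication.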
PSD2 and Ukraine
How relevant is the introduction of PSD2 for residents of Ukraine?
The provisions of the directive do not apply to Ukraine. However, in July 2019, the NBU announced its intention to "harmonize national payment legislation with European in accordance with the requirements of the Association Agreement with the EU."
Over the past year, we have seen positive changes in the financial sector - the abolition of the mandatory sale of foreign exchange earnings, the transition to the IBAN standard. This includes the abolition of individual foreign exchange licenses, which made it easier for Ukrainians to invest abroad.
Yes, this is still not enough to talk about the active implementation of PSD2. Nevertheless, the directive sets a global vector of development, and Ukraine is moving in the right direction.