The Payment Services Directive 2 (PSD2, Directive (EU) 2015/2366) became applicable across the European Union (EU) on January 13, 2018, seeking to harmonize regulations on payments within the EU. It also aims to improve and expand consumers’ choices on the retail payment market, while introducing more stringent security standards for online payments.
PSD2 focuses on three main areas. Firstly, it strengthens consumer rights, in particular the right to receive a refund for disputed transactions without delay and a ban on surcharges for most card payments. Secondly, it requires strong customer authentication (SCA) whenever a payer accesses a payment account online or initiates an electronic payment transaction.
Strong customer authentication is the combination of at least two of three factors of authentication: something the consumer has (e.g. a smartphone or connected device), something the consumer knows (e.g. a password or PIN), and something the consumer is (e.g. fingerprint or facial recognition). The factors must be independent, so that the compromise of one does not compromise the others: a password and a one-time code both delivered to the same browser session, for instance, do not make two factors.
Opening the market up to new players
Thirdly, the directive stipulates that communications between banks and third-party services must be secure. The legislation extends to innovative payment services and new suppliers on the market such as fintech companies – so-called third-party Payment Service Providers (third-party PSPs).
Third-party PSPs comprise:
- Payment Initiation Service Providers (PISPs), which offer to initiate payments on behalf of customers, giving retailers assurance that the money is on its way;
- Account Information Service Providers (AISPs) and aggregators, which give their customers a consolidated view of accounts and balances held at one or more banks.
Giving secure access to data
Under the directive and its regulatory technical standards (RTS) on strong customer authentication and secure communication, banks must give licensed third-party PSPs a secure access interface to payment accounts, in practice an Application Programming Interface (API) over which merchants, fintech companies, and banks communicate. Banks therefore have to offer this secure channel to third-party PSPs wishing to aggregate data on bank accounts and/or initiate payments. This strengthens collaboration and improves interoperability between established financial institutions and new banks and payment service players.
Strengthening security with eIDAS PSD2 certificates
To meet the identification requirements of the RTS, banks and PSPs identify themselves to each other with eIDAS qualified certificates; in practice two kinds are used:
- eIDAS QWAC (Qualified Website Authentication Certificate), presented during the TLS handshake so that the PSP’s and the bank’s servers authenticate each other (mutual TLS) and keep the connection encrypted. A PSD2 QWAC also carries PSD2-specific attributes (the PSP’s authorization number, its roles such as PISP or AISP, and the competent authority that licensed it), which the receiving side should check against the role the request claims rather than accepting any valid certificate;
- eIDAS QSEAL (Qualified Electronic Seal Certificate), used to sign the contents of each request or response at the application layer, so that the integrity and origin of a transaction can be verified, and later proven to a third party, even after the TLS connection has been terminated by a proxy or API gateway.
These certificates allow banks and PSPs to secure transactions, protect payment account data, and demonstrate compliance with the European directive at the same time. Securing the exchange between the bank and the PSP in this way also provides traceability of communications (each sealed message is attributable to its sender) and mutual authentication between the two parties.
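The following is an added illustration, not code from the original page or from any PSD2 API standard, of the sealing step that the QSEAL certificate provides: the PSP signs a digest of the request body with its seal key, and the bank verifies that signature after the TLS (QWAC) layer has been stripped. The key pair, the request body and the `Digest` header layout are constructed for the example; a real seal key is bound to a qualified certificate issued by a QTSP, and a real verifier would also validate that certificate chain and its PSD2 role.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// SealedRequest is a constructed model of what reaches the bank's application
// layer once the mutually authenticated TLS session has been terminated: the
// request body, a Digest header over it, and a seal (signature) binding the two.
// The "Digest: SHA-256=<base64>" shape follows common PSD2 API profiles; the full
// signed-header set used by real profiles is simplified here to the digest only.
type SealedRequest struct {
	Body      []byte
	Digest    string
	Signature []byte // ASN.1 DER ECDSA signature over the Digest header value
}

// NewSealKey stands in for the QSeal private key (assumption: a freshly
// generated P-256 key instead of one certified by a QTSP).
func NewSealKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// digestHeader computes the Digest header value for a body.
func digestHeader(body []byte) string {
	sum := sha256.Sum256(body)
	return "SHA-256=" + base64.StdEncoding.EncodeToString(sum[:])
}

// Seal is the PSP side: hash the body into a Digest header and sign that header
// with the seal key, so the body stays bound to the signer after TLS ends.
func Seal(priv *ecdsa.PrivateKey, body []byte) (SealedRequest, error) {
	digest := digestHeader(body)
	h := sha256.Sum256([]byte(digest))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	if err != nil {
		return SealedRequest{}, err
	}
	return SealedRequest{Body: body, Digest: digest, Signature: sig}, nil
}

// VerifySeal is the bank side. It returns false if the body no longer matches
// the Digest header (body tampered) or if the Digest header is not signed by
// the presented seal key (header tampered, or a different signer). In
// production the public key is taken from the sender's QSeal certificate after
// validating its chain against the EU Trusted List and checking its PSD2 role.
func VerifySeal(pub *ecdsa.PublicKey, req SealedRequest) bool {
	if digestHeader(req.Body) != req.Digest {
		return false
	}
	h := sha256.Sum256([]byte(req.Digest))
	return ecdsa.VerifyASN1(pub, h[:], req.Signature)
}

func main() {
	priv, err := NewSealKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample payment-initiation body.
	body := []byte(`{"instructedAmount":{"currency":"EUR","amount":"123.50"},"creditorName":"Merchant"}`)
	req, err := Seal(priv, body)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine request verifies:", VerifySeal(&priv.PublicKey, req))

	// A compromised intermediary between the TLS terminator and the core
	// banking system changes the amount; the seal no longer matches.
	tampered := req
	tampered.Body = bytes.Replace(req.Body, []byte("123.50"), []byte("9123.50"), 1)
	fmt.Println("tampered body verifies:  ", VerifySeal(&priv.PublicKey, tampered))
}
```

The point of sealing at the application layer is that it survives the places where mutual TLS ends: a load balancer or API gateway that terminates the QWAC session sees plaintext, but cannot alter the body (or replay a differently priced one) without invalidating a signature that only the PSP's seal key can produce.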
Building an open banking ecosystem
With the rules laid down by the European directive, payment service players can build an open banking ecosystem that offers a high level of security and facilitates interoperability, while preparing for the services of tomorrow.
The two types of certificate used under PSD2 are issued by Qualified Trust Service Providers (QTSPs): certificate authorities that a national supervisory body has granted qualified status under eIDAS and that are published on the EU Trusted Lists, so that a certificate from any of them is recognized across Europe. Before trusting a PSD2 certificate, a bank should therefore check not only that it chains to a QTSP on those lists but also that it has not been revoked and that its PSD2 role matches the service being requested.