PSD2 and Regulation – the Consumer Domain

The card industry is not self-regulating but must abide by the laws and regulations of every country where cards payments are accepted; it may be a global payment system but one that abides to national laws.

Governments across the world also recognise the importance of e-commerce to their national economies and will take steps to protect and grow e-commerce. Also a fundamental function of any government is to prevent crime; no government can allow organized crime to threaten economic activity or to allow criminal organisations to grow rich from online fraud, use the internet to mask illegal activities, launder money or evade tax.

There is no doubt that the pace of technological development has outstripped the abilities of law enforcement and governments to regulate and police the internet, but inevitably the authorities have learned and adapted; regulations are being put in place and cyber security is now top priority. Drugs, types of pornography, weapons, unregulated gambling, tax evasion as well as plain old theft are all part of this challenge.

The payments industry spends so much time pushing against regulators and barriers to trade that it’s sometimes easy to forget the benefits regulation bring to the industry. Outside the efforts of the industry itself, ultimately its regulators and law enforcement which ensure that card payments remains a viable and safe payment option. There are also many large ecommerce merchants operating in regulated industries; the same regulatory environment which has allowed these industries to grow and thrive.

This brings us to consumers. It is consumers who day in, day out decide if they will use VISA, MasterCard or some other payment method. Consumers are the most important part of the payment eco system – yet they are also the least represented.

Again, this is a fundamental function of governments to protect rights of citizens and ultimately consumers. Europe takes consumer rights very seriously and it’s not surprising that Europe is leading in regulation to protect consumers online and setting standards emulated around the world. Data protection, privacy and confidentiality, the right to be forgotten, right to cancel and return your online order within 14 days – these are all covered by active legislations within the EU.

There are many other areas where consumers need protection. Today consumers are left without their funds for months in the case of a chargeback and the process is stressful and unfair to consumers. It is also all too easy for merchants to surcharge their clients or to take money without the knowledge and consent of the cardholder.

Enters PSD2 (the Revised Payment Service Directive). PSD2 became effective on 12 January 2016. 2017 is now a period of consultation and negotiations between the affected parties – exemptions and thresholds in particular are being negotiated during this year. 13 January 2018 is the deadline for national governments to transpose PSD2 into local legislation, thereby activating the provisions of PSD2 for consumers, merchants and the payments industry.

PSD2 will change banking as we know it. PSD2 will open up the industry and remove barriers for Fintech companies to greatly expand their ability to compete with banks. For consumers it promises next day refunds, immediate release of funds, limits to surcharging and the RIGHT TO CONSENT. PSD2 also mandates Two Factor Authentication (TFA).

TFA solves a lot of problems in one stroke; it creates an effective method for consumers to convey their consent and to be refunded immediately if their consent is absent. TFA protects both consumers from fraudsters and dishonest merchants and protects merchants from theft. TFA respects data protection and does not rely on tracking or spying on consumers which underlies today’s fraud detection technologies.

The solution for TFA with card payments is also already in place and is 3DSecure. Verified by Visa, MasterCard Secure Code, Amex SafeKey, JCB J/Secure and Discovery Protect Buy; all these constitute a technology that is installed and proven to work.

What will happen to Debit Cards? Debit Cards have been a sore issue in Europe for a long time, acting as a barrier to SEPA and blocking competition and innovation within Europe. Some cards will take the easy option and co brand their cards with established brands. Using 3DSecure for national card schemes is quite possible. Without TFA authentication, quite simply it will be illegal to use Debit Cards for online payments inside Europe, restricting use of Debit card to domestic point of sale only.

Some exemptions for the TFA requirement will apply: recurring payments for rent and utilities for example have been accepted as exemptions with the introduction of the ability to whitelist trusted beneficiaries. Unattended terminals in road transport such as toll roads are another exemption. Moto transactions will be limited to under EUR 30 and not exceed a total of EUR 100 or 5 transactions without authentication.

PSD2 does not require 3DS 2.0. 3DS 1.0.2 satisfies the requirements of PSD2 already. However, 3DS 2.0 will make the experience a lot easier, eliminating friction and allowing the provisions of PSD2, and the prevention of fraud to be achieved effortlessly by consumers, merchants and Banks.

We are witness to the birth of a new era.