Payment Services Regulations Briefing

19/07/2019

At a glance

The Payment Services Regulations mainly apply to ‘payment services providers’ (“PSPs”), such as banks, card issuers and merchant acquirers, but they will also affect those traders who use electronic payment systems – in other words just about every business which sells products or services online – and this briefing focuses on the implications for those traders.

Background

The Payment Services Regulations 2017 are the regulations by which the UK has implemented the EU’s revised Payment Services Directive 2015/2366. Because this is the second version of the Directive, the Directive is commonly known as “PSD2” and we have used ‘PSD2’ for convenience in this briefing.

Although the Regulations came into force in January 2018, a key date for traders is 14th September 2019 because this is the date from which ‘strong customer authentication’ will apply and that is the aspect of PSD2 of most relevance to traders.

Strong Customer Authentication

‘Strong customer authentication’, or SCA, is the umbrella term for a set of PSD2 requirements intended to improve the security of electronic payments for traders and customers. In summary, the trader must supply the PSP with two independent authentication factors provided by the customer; the PSP uses those factors to generate an authentication code, and only then is the customer’s payment approved.

Most of us are already familiar with some form of ‘two-factor authentication’: after entering a user name and password, we then answer a security question or enter a code received on a mobile device or generated via a card reader. Credit card providers already have the 3-D Secure scheme available for this purpose. But we are equally used to making electronic payments where we enter our credit card details online with no additional step, or where we simply click a button to use a service such as Amazon 1-Click.

SCA will apply to ‘customer-initiated’ electronic payments so that most card payments and all bank transfers will require SCA. On the other hand, recurring direct debits and certain recurring card payments are ‘merchant-initiated’ electronic payments for which SCA is not required under PSD2.

PSD2’s SCA requirements will significantly increase the use of such two-factor authentication, and traders need to ensure that they have processes in place to achieve this before 14th September 2019. From this date PSPs will decline payments that require SCA but do not meet the requirements.

What are the Independent Authentication Factors?

PSD2 describes three types of authentication:

  • Knowledge: Something that the customer knows, such as a password or PIN.
  • Possession: Something that the customer holds, such as a credit card, mobile device, or smart card.
  • Inherence: Something physically inherent to the customer, such as facial recognition or a fingerprint scan on a smartphone.

A trader only needs to supply the PSP with a minimum of two of these types of authentication from the customer for the payment to be approved. The intention is that the security of electronic payments should be closer to the security of payments in face-to-face transactions, where a customer holds a card and enters a PIN in order to make the payment.

But it should be appreciated that the decision as to which factors will be accepted, and how they will be supported, is a decision for the card issuer or other PSP and not the trader. Traders therefore need to understand what the relevant PSP will accept and set up their systems accordingly.

PSD2 also requires ‘dynamic linking’ to prevent the authentication code being ‘hijacked’ by a third party. This basically means that the authentication code generated for each transaction must be unique and specific to both the transaction amount and the recipient (i.e. those three items must be ‘dynamically linked’), and the transaction amount and the recipient must be made clear to the customer when the customer provides the authentication.
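The ‘dynamic linking’ requirement above can be illustrated in code. The following is an added example, not code from the briefing or from any PSP: it models the authentication code as an HMAC over the transaction amount, the payee and a per-transaction nonce, so that the code is unique to each transaction and fails verification if either the amount or the recipient is altered after the customer authenticated. The HMAC construction, the key and the field layout are assumptions for illustration; PSD2 does not prescribe any particular algorithm.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Hypothetical issuer-side secret used only for this illustration. In a real
# PSP the key would be held in an HSM and never appear in application code.
ISSUER_KEY = b"example-issuer-key-not-for-production"


@dataclass(frozen=True)
class PaymentRequest:
    """The transaction details that the customer sees and authenticates."""
    amount_cents: int   # amount in minor units, e.g. 2500 == EUR 25.00
    currency: str
    payee: str          # the recipient (trader) identifier shown to the customer
    nonce: str          # per-transaction random value so repeated payments differ


def new_nonce() -> str:
    """A fresh random value for each transaction (constructed with secrets)."""
    return secrets.token_hex(16)


def canonical(req: PaymentRequest) -> bytes:
    """Serialise the request with a fixed field order and separator so the
    same amount/payee/nonce always produce the same bytes to authenticate."""
    return f"{req.amount_cents}|{req.currency}|{req.payee}|{req.nonce}".encode()


def generate_auth_code(req: PaymentRequest, key: bytes = ISSUER_KEY) -> str:
    """Authentication code dynamically linked to amount, currency, payee and nonce."""
    return hmac.new(key, canonical(req), hashlib.sha256).hexdigest()


def verify_auth_code(req: PaymentRequest, code: str, key: bytes = ISSUER_KEY) -> bool:
    """True only if the code was generated for exactly these transaction details.
    compare_digest avoids timing side channels when comparing the two codes."""
    return hmac.compare_digest(generate_auth_code(req, key), code)


def tampering_detected(original: PaymentRequest, presented: PaymentRequest, code: str) -> bool:
    """Issuer-side check: the code the customer authorised for `original` must
    not be accepted for a `presented` request with different details."""
    return not verify_auth_code(presented, code)


if __name__ == "__main__":
    # Constructed sample: the customer authenticates EUR 25.00 to "shop-a".
    original = PaymentRequest(2500, "EUR", "shop-a", new_nonce())
    code = generate_auth_code(original)
    print("valid for original:", verify_auth_code(original, code))
    # A third party changes the amount or the recipient after authentication.
    altered_amount = PaymentRequest(25000, "EUR", "shop-a", original.nonce)
    altered_payee = PaymentRequest(2500, "EUR", "attacker-shop", original.nonce)
    print("amount tampering detected:", tampering_detected(original, altered_amount, code))
    print("payee tampering detected:", tampering_detected(original, altered_payee, code))
```

The nonce is what makes the code unique per transaction: two payments of the same amount to the same trader still produce different codes, so a code captured from one payment cannot be replayed for the next. This block only shows the linking of the code to the amount and recipient; the two independent factors that the customer supplies to obtain the code are a separate part of the SCA process.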

Exemptions

There are some exemptions from PSD2’s SCA requirements, but traders should appreciate that because it is the PSP which carries the responsibility for PSD2 compliance then it is the PSP’s decision as to whether, and if so to what extent, it is prepared to approve or execute payment transactions under any of these exemptions. So it is not sufficient for a trader simply to decide that some or all of its transactions fall under one of the exemptions; the trader also needs to check that the PSP will support the application of that exemption.

Those exemptions most likely to be relevant to traders are the ‘low value transaction’ exemption, the ‘low risk transaction’ exemption, the ‘trusted beneficiary’ exemption, and the ‘recurring transaction’ exemption.

Low Value Transactions / Low Risk Transactions

SCA is not needed for transactions of less than €30.

However, this exemption can only apply to a maximum of 5 transactions below €30 and then SCA must be applied to the next transaction before the series of five such transactions can start again.

In addition, SCA must be applied if the customer’s total payments since the last SCA is more than €100.

Traders should appreciate that whilst their own transactions might have a value below €30, this does not mean that the above exemption will automatically apply, because the exemption is by reference to the payment method and not solely the transactions as between the trader and the customer. So, whilst the trader may make a sale for, say €25, the trader will not know whether that is the customer’s sixth such transaction, or whether that €25 sale takes the customer above the €100 threshold, and accordingly requires SCA to be re-applied.

For UK traders, exchange rate fluctuations add an additional level of difficulty to this exemption. The UK’s Financial Conduct Authority (FCA) has said “We recognise that fluctuations in exchange rates between euro and sterling may cause operational difficulties and customer confusion. We have clarified that we expect PSPs to take a reasonable and consistent approach to dealing with such fluctuations, which may include use of rounding to a sensible sterling amount, provided the amount complies with the limits or thresholds.”

For payment transactions with telecoms operators where the PSD2 thresholds are €50 for any single payment and cumulatively €300 per month, the FCA has substituted £40 and £240 respectively, and by analogy UK traders pricing in GBP should have a €30 equivalent low value transaction threshold of around £24, at least for as long as exchange rates do not fluctuate materially.

There is also a ‘low risk transactions’ exemption where a merchant acquirer can request an SCA exemption from the card issuer based on the acquirer’s overall fraud rate on a rolling 90 days’ basis. This is a decision for the card issuer and whilst, if granted, it will then apply to all traders and all transactions of that merchant acquirer, no individual trader can rely on such an exemption being granted because it will not know either the acquirer’s fraud rate or the issuer’s risk appetite.

However, should it be relevant, the thresholds for card payments are: fraud rate up to 0.13%, transactions up to €100; fraud rate up to 0.06%, transactions up to €250; fraud rate up to 0.01%, transactions up to €500.
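The counting and threshold rules in this section are easiest to see as an issuer-side state machine. The following is an added example, not code from the briefing or from any PSP, modelling the ‘low value transaction’ exemption (the €30 limit, the run of five exempt transactions and the €100 cumulative total) and the ‘low risk transaction’ fraud-rate thresholds quoted above. The card state is tracked per payment instrument, which is why a trader seeing only its own sales cannot predict the outcome. Assumptions: amounts are held in euro cents, the cumulative check is applied to the total already exempted since the last SCA before the new transaction is added, and the fraud rate is expressed as a percentage.

```python
from dataclasses import dataclass

# Thresholds as stated in the briefing (euro cents).
LOW_VALUE_LIMIT_CENTS = 30_00        # exemption only for transactions below EUR 30
MAX_CONSECUTIVE_EXEMPT = 5           # at most five exempt transactions in a row
CUMULATIVE_LIMIT_CENTS = 100_00      # SCA once EUR 100 has been exempted since last SCA

# Low risk (transaction risk analysis) thresholds: (acquirer fraud rate in %,
# ceiling on the transaction amount in euro cents), as stated in the briefing.
TRA_THRESHOLDS = [
    (0.01, 500_00),
    (0.06, 250_00),
    (0.13, 100_00),
]


@dataclass
class CardState:
    """Issuer-side counters for one card since SCA was last applied."""
    exempt_count: int = 0        # transactions exempted since the last SCA
    cumulative_cents: int = 0    # amount exempted since the last SCA


def requires_sca(state: CardState, amount_cents: int) -> bool:
    """Decide whether SCA must be applied to this transaction under the
    low-value rules. Any one of the three conditions forces SCA."""
    if amount_cents >= LOW_VALUE_LIMIT_CENTS:
        return True                                   # not a low-value transaction
    if state.exempt_count >= MAX_CONSECUTIVE_EXEMPT:
        return True                                   # sixth transaction in the run
    if state.cumulative_cents > CUMULATIVE_LIMIT_CENTS:
        return True                                   # assumption: check total so far
    return False


def record(state: CardState, amount_cents: int, sca_applied: bool) -> None:
    """Update the counters once the transaction has gone through."""
    if sca_applied:
        state.exempt_count = 0
        state.cumulative_cents = 0
    else:
        state.exempt_count += 1
        state.cumulative_cents += amount_cents


def simulate(amounts_cents: list[int]) -> list[bool]:
    """Run a series of transactions on one card; True means SCA was required."""
    state = CardState()
    decisions = []
    for amount in amounts_cents:
        needed = requires_sca(state, amount)
        record(state, amount, needed)
        decisions.append(needed)
    return decisions


def tra_exempt(acquirer_fraud_rate_pct: float, amount_cents: int) -> bool:
    """Low risk exemption: the acquirer's rolling fraud rate sets the ceiling on
    the transaction amount that may be exempted. Whether the issuer grants it
    at all remains the issuer's decision."""
    for max_rate_pct, ceiling_cents in TRA_THRESHOLDS:
        if acquirer_fraud_rate_pct <= max_rate_pct:
            return amount_cents <= ceiling_cents
    return False


if __name__ == "__main__":
    # Constructed sample: six EUR 25 sales in a row on the same card.
    print("six x EUR 25:", simulate([25_00] * 6))   # sixth needs SCA (count limit)
    # Constructed sample: five EUR 29 sales; the cumulative limit bites first.
    print("five x EUR 29:", simulate([29_00] * 5))  # fifth needs SCA (EUR 116 exempted)
    print("fraud 0.05%, EUR 250:", tra_exempt(0.05, 250_00))
    print("fraud 0.20%, EUR 50:", tra_exempt(0.20, 50_00))
```

In the first run the sixth €25 sale triggers SCA because five exempt transactions have already been used; in the second, four €29 sales have exempted €116, so the fifth triggers SCA even though the count limit has not been reached. A trader that only ever sells at €25 sees SCA requested on some orders and not others, which is exactly the unpredictability the briefing describes.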

‘Trusted Beneficiary’

A customer can add a trader to their PSP’s list of ‘trusted beneficiaries’ through such process as the PSP may implement, with SCA being applied to that process. Payments by the customer to that trader through the PSP will then no longer require SCA unless and until the customer changes the trader’s ‘trusted beneficiary’ status.

The method by which traders may be added to such a list, or even whether such a list will be offered, is a matter for each PSP (so a customer cannot create their own list of trusted traders, and a third party cannot necessarily find out whether or not a trader is on that PSP’s list). It will therefore be advantageous for traders to understand the practices of their customers’ main PSPs (the card issuers) in this respect and to encourage customers to add the trader to the PSP’s list in appropriate cases. Where a PSP runs a ‘trusted beneficiary’ list, this is likely to be particularly attractive to traders with customers who are ‘VIP customers’ or members of similar loyalty programmes.

‘Recurring Transactions’

Traders may be able to accept recurrent payments under, for example, a subscription agreement or an autoship programme, provided that SCA is applied to the first transaction and the payment amount is the same on each occasion.

If the payment amount changes to a new fixed level, for example an annual price increase, then SCA will need to be applied to the first transaction at that new level.

For recurrent payment arrangements in place before 14th September 2019, the European Banking Authority (‘EBA’), which is responsible for developing PSD2’s technical standards and guidelines, has confirmed that SCA is only required if and when some amendment is made to those payment arrangements.

If the payment amount will vary between transactions then this exemption cannot be used, although the trader may still be able to use another exemption such as the ‘trusted beneficiary’ exemption depending on the circumstances.

Further, as noted above, SCA is required for ‘customer-initiated’ electronic payments but not for ‘merchant-initiated’ electronic payments, which include recurring payments made by direct debit or a saved card. Accordingly SCA is not required for recurrent payments under, for example, a subscription agreement or an autoship programme where the payments are made by direct debit or a saved card.

Whilst the exclusion of direct debit payments from the scope of PSD2 is relatively straightforward, the position for saved cards is less certain. Payments made with a saved card when the customer is not present at the time the transaction goes through (‘off-session’) are excluded from SCA on the basis that they too are technically merchant-initiated transactions, but in practice this is more likely to depend upon the PSP’s approach, including its own risk assessment of such transactions, which may mean that the PSP will in any event require SCA for those transactions.

If the use of a saved card is to be accepted by the PSP as a merchant-initiated transaction the trader will need to authenticate the card either when it is saved or on the first payment, as well as obtaining the customer’s agreement to that card being charged for the subsequent transactions without any further action of the customer to trigger those payments (known as the customer’s ‘mandate’).

Scope

PSD2 contains no express territorial limitation, but there are some important geographical limitations in practice. SCA only applies where both the trader’s PSP (the merchant acquirer) and the customer’s PSP (the card issuer) are located in the EEA. This means that traders will not need to apply SCA if the payment is to be made on a card issued outside of the EEA, or if the trader is contracted with a merchant acquirer licensed outside of the EEA, whether the card is issued in or outside of the EEA.

The EBA recognises that where the trader initiating a card payment is outside of the EEA, SCA is only to be applied on a ‘best efforts’ basis, because the trader’s PSP (the merchant acquirer) will also typically be located outside of the EEA in that scenario and the customer’s PSP (the card issuer) has no way of controlling SCA in such cases.

On the other hand, SCA applies regardless of the customer’s location when the customer initiates an electronic payment transaction or carries out any other action through a remote channel.

Payments for mail order and telephone orders (MOTO) are not ‘electronic payments’ for the purposes of PSD2 and so SCA is not required for MOTO transactions. (This is not expressly stated in PSD2 but has been confirmed in the EBA’s published guidance).

Contactless card payments are subject to a separate €50 payment threshold and so, given the present payment limits on this payment method, should not be affected by PSD2.

Surcharges

We should also briefly mention that PSD2 extended the surcharge ban which prohibits traders from charging consumers additional fees for making payments by certain payment methods. The scope of the surcharge ban may vary from one country to another, for example the UK has extended the ban to include B2C payments made by payment cards issued by three-party card schemes (e.g. Amex) as well as other payment methods including Apple Pay and PayPal. Even if the surcharge ban does not apply, the amount of any surcharge imposed cannot exceed the cost incurred by the merchant in accepting the particular payment method. This surcharge ban has been in place since the Regulations came into effect in January 2018.

Preparing for SCA

Steps that traders can take to prepare for SCA include:

  • Understand what authentication factors the PSPs will support.
  • Understand what exemptions the PSPs will support.
  • Consider alternative solutions on the market if their own PSP’s SCA support seems limited.
  • Design, or redesign, online processes, such as registration and check out flows, to include the relevant data fields to achieve SCA (e.g. through 3-D Secure 2.0), or to achieve an exemption, as appropriate (e.g. collecting mobile phone numbers to which codes can be sent).
  • Notify customers of the trader’s preparedness for SCA.
  • Test new payment processes to monitor and reduce the rate of ‘abandoned shopping carts’.
  • Review and revise Privacy Policies and similar GDPR materials as appropriate to address the processing of personal data for SCA and other PSD2-related purposes.

Contact the author

Jonathan Riley