PSD2 Is Coming to the EU – Are You Ready?
Companies that sell in the European Union have dealt with many changes over the years to payment services, cross-market regulations, and individual country mandates. However, selling to multiple countries in the region still requires working with a lot of different laws and service providers. To try to keep up with the growth of eCommerce around the world, the EU has been attempting to simplify EU commerce. With this in mind, they have passed several laws regulating data, copyright, payment services, and more.
Payment Services Directive
In 2007, the EU passed the Payment Services Directive to increase competition and standardize consumer protections. The regulation was mostly aimed at creating more competition in the payment industry throughout Europe. It did so by defining new rules around which companies could provide financial services. While it did succeed in its goal of opening the market somewhat, there were still problems with the payment industry that were hindering eCommerce growth in the region.
Additionally, the original PSD sought to put some standardized consumer protections in place for customers making purchases between countries. Though implementation was fairly widespread, new problems and the rapid increase in eCommerce made it necessary for regulators to consider updating the regulation.
Payment Services Directive 2
A new regulation, Payment Services Directive 2 (PSD2), was passed in 2015. While there was still a focus on the financial industry and increasing competition to keep costs down, this form of the regulation also focused on protecting consumers by reducing fraud prevalent in the eCommerce industry. To do so, regulators established several components of the law, each with its own implementation plan and schedule. Two of the most important implementation dates occur in 2019.
While this law does not have any jurisdiction over companies operating solely in countries outside of Europe, the changes will affect any eCommerce business that operates in the EU. If you ship to any country within this region, you will need to comply with the new regulations.
Key Changes In 2019
There are two main deadlines for the law this year.
- March 14 – By this date, banks and other traditional financial institutions had to create and open a testing environment for third-party businesses to utilize an API to gather information. Essentially, this part of the law is meant to create more competition for payment services, decreasing prices and fees. The intent is to decrease the reliance on specific banks for payment services.
- September 14 – This date is the final deadline for companies in the EU to implement Strong Customer Authentication (SCA). This regulation is meant to reduce fraud and requires companies to use multiple identification factors on nearly any online purchase. This is not limited to any specific type of business. Anyone that sells online in the EU will be required to meet these standards, though there are a few exceptions to the rule.
How It Will Affect eCommerce
While the payment changes did not have a direct effect on eCommerce businesses, they could indirectly impact them. With more payment services competing in the market, companies may have to accept more forms of payment and see changes in fees or services offered. Since only the testing environments are in place right now, any results from this part of the regulation may not be seen for some time.
SCA, on the other hand, will have an immediate effect. Companies that fail to implement 2-factor authentication correctly could end up paying significant fees or facing severe penalties. Though there are exceptions that would allow companies to bypass the verification requirements on certain transactions or with strong fraud protections in place, ensuring that exceptions are handled correctly will be essential to avoid any problems. Putting strong fraud protection in place that offers 2-factor authentication will therefore be very important.
Potential Consequences of PSD2
The regulations may slow down the checkout process, creating frustrations for customers.
As with the implementation of EMV chips in credit and bank cards, you will need to train customers with new expectations about the checkout process. It may take longer or require more steps to check out than what is currently required. For customers that are used to one-click ordering and other convenient checkout processes, this will be an adjustment. Clear communication about what changes to expect and how this could benefit them may help during the initial transition, but you should have a strategy in place to handle complaints and any issues that occur because of the new regulations.
Companies may see significant fines if rules are not clearly followed.
As previously mentioned, it’s still unclear exactly what the consequences will be for non-compliance with the law, but companies will likely be vulnerable to large fines or other penalties. As each country will be implementing their own enforcement, using exemptions incorrectly or failing to authenticate purchases could result in fines from multiple sources. Even if enforcement is not immediately in place, leaving your company open to potential consequences in the future is a bad idea.
Reduced Fraud and Increased Competition
Companies should see a reduction in fraud and better competition for payment services if the rules are implemented correctly.
The goal for PSD2 is two-fold: to create more competition in the finance industry and to reduce fraud in the EU. If SCA works the way it is meant to, companies may see an increase in the available options for payment services and less fraud overall in their companies. However, as we have seen in the past, regulations rarely stamp out all crime. It will be imperative for companies to monitor any changes made to ensure that new threats are not allowed free rein while attention is focused elsewhere.
Any shop that makes sales in the EU should consider adding a module from the Addons Marketplace that enables 2-factor authentication. There are several available, so you’ll want to consider which will work best for your business model, checkout process, and payment provider.
Another option for meeting the authentication rule is to work with your payment service provider. They should have options available directly through them to meet this requirement. If they do not, consider looking for a new service provider or adding one that works specifically in the EU, as they may have more options available.
If you want to avoid having to meet this requirement on every purchase, your last option is to find a strong fraud prevention solution. There are exemptions available for companies that can prove they already weed out fraud and verify customer identities. However, ensure that you speak with a legal representative before implementing any fraud solution. If the solution you choose does not meet the legal requirements for an exemption, you could still be liable for penalties and fees.
Shops that don’t sell in the EU should still consider putting stronger fraud prevention or even 2-factor authentication in place. Reduced fraud can help the bottom line of any business. Plus, if this process works well in the EU, other nations may adopt similar policies as they did with the EMV chip. Being prepared can help your business stay a step ahead of the competition and keep your revenue heading in the right direction.