Following the public consultation on the Second Payment Services Directive (PSD2) launched in 2022, as detailed in the Worldline blog post "PSD2 revision: The Next Chapter of Payment Services", the Third Payment Services Directive (PSD3) together with the Payment Systems Regulation (PSR) are poised to bring a breath of fresh air to the ever-changing world of online payments.
Launched over the years from 2016 to 2020, PSD2 mandated Strong Customer Authentication (SCA) within Member States in a bid to fight ever-increasing fraud and provide convenient, reassuring and accessible means of authentication.
Strong Customer Authentication is mainly defined by the mandatory use of 2 out of the 3 following factors:
The application of SCA in European Member States initially received a mixed welcome. Fraud rates immediately decreased, according to the European Central Bank, with Card-Not-Present fraud declining by 12% in 2021 following the global adoption of SCA and PSD2. In the case of France, the fraud rate dropped by 37% between 2019 and 2021 thanks to SCA measures (source: Banque de France). However, SCA also had an impact on conversion rates: it requires additional steps to complete a transaction, leading to user frustration or technical mishaps.
PSD2 also introduces several ways to streamline the mandate of SCA through exemption rules, such as low-risk payments, low-value payments, trusted beneficiaries and exempted types of transaction, like recurring payments or Mail Order Telephone Order (MOTO).
While these exemptions allow for a much smoother experience for end users, they are yet to be fully exploited by the different actors and have sometimes been incorrectly used to circumvent SCA.
Since the launch of PSD2 in 2019, significant developments have occurred:
- The COVID-19 pandemic boosted online payment volumes.
- New types of transactions emerged, linked to the rise of online services, such as media subscriptions, split/delayed payments and shipments.
- New technologies appeared and fraud trends changed, now leaning heavily towards social engineering fraud.
Over the years, the balance between conversion and fraud has improved and continues to progress steadily. Our solutions Access Control Server and Trusted Authentication have successfully met expectations, consistently achieving top-class success rates across Europe. Tokenization and Worldline’s Issuer-to-Token Service Provider (i-TSP) are also progressively enhancing security and accessibility for online payments.
However, the global challenges of today and tomorrow must be addressed.
The evolution of the PSD2 directive is split into two texts: PSD3 and PSR.
Regarding authentication, PSR inherits most of what PSD2 initially covered and adds some new regulatory elements (yet to be consolidated and validated by the European Council and Parliament):
- The two factors constituting SCA can be of the same nature.
- Accessibility requirements apply to payment service providers.
- Issuers are encouraged to cooperate with each other against fraud, under an EBA framework.
- Cooperation instructions with telecom institutions are introduced to fight bank employee spoofing fraud.
- Issuers must refund victims of payment fraud for authorised transactions unless strong evidence of the user's involvement in the fraud or negligence can be provided.
- Outsourcing agreements are to be established to regulate liability for fraud in multi-party implementations.
- The EBA is once again tasked with fine-tuning the SCA requirements and exemptions.
As a regulation, PSR is expected to come into effect in 2026, pending validation by the European Council and Parliament, as well as the publication of the Regulatory Technical Standards by the EBA.
Significant attention has already been given to ensuring the accessibility of Worldline Authentication solutions for everyone, in accordance with the European Accessibility Act (EAA) standard. We are also strongly committed to maintaining compliance with these requirements in future product versions.
Discover more about our inclusive solutions.
Trusted Authentication is now capable of handling multiple factors of authentication and is designed to be as modular as regulation allows. The Digital Security Suite provides local and remote protection to help financial institutions combat fraud.
Furthermore, Worldline’s Access Control Server continuously assists our partners in improving their authentication rules and success rate, with a focus on providing new solutions for monitoring and sharing fraud data.
The publication and upcoming implementation of PSD3 and PSR are an encouraging step in combating emerging fraud and consolidating the application of SCA, as introduced by PSD2 in 2019.
Through additional requirements and initiatives addressing the challenges of tomorrow, the new regulation places its bets on cooperation, accessibility and modularity to further enhance authentication within the payment industry.
Worldline has successfully assisted issuers with evolving, state-of-the-art solutions while prioritising personalised services. With the upcoming regulation, we aim to adapt our products and services with an innovative touch, equipping our current and future partners with the best tools possible to ensure compliance with PSD3 and PSR.