Ecommerce Businesses, are you protecting your payments? A guide to PSD2

Netmatters Ltd
Posted by Netmatters Ltd
4th October 2019
PSD2 compliance

As digital adoption grows, paying electronically is now the norm: a recent study found that 54% of the British public would rather pay with their debit card than with cash. The U.K. also has the highest ecommerce spend per capita, with more people choosing to shop online than on the high street.

However, with fresh cyber risks every day and with some of the largest companies hitting headlines recently due to cyber-attacks, people are now more concerned than ever that their personal data is going to be exposed.

It was for this reason that the EU's revised Payment Services Directive introduced new rules aimed at improving consumer rights and enhancing online security. Every business needs to recognise this new law and implement the relevant changes to its policies to ensure it is covered.

Payment Services Directive: An overview

Adopted originally in 2007, the legislation was established to create a single market for payments in the EU and to encourage safer and more innovative payment services. It also aimed to make cross-border payments within the EU as easy, efficient and secure as payments within your own country.

The PSD's predominant purpose is to provide the legal framework within which all payment service providers must operate.

From a customer point of view, the key with PSD2 was to increase customer rights, guarantee faster payments, describe refund rights and give clearer information on payments. 

From a technical point of view, the key was to tackle the rising levels of fraud and enhance overall security processes. The new legislation will also have a big impact on how businesses can take payments from customers.

How is it changing?

The key to take away from the new legislation is that the customer is at the heart of it.

In order to enhance customer rights, a number of steps have been put in place: 

  1. Terms and conditions are now much clearer and therefore customers can make an effectively informed choice. Similarly, the currency and exchange rights are clearer and more direct, leaving no hidden surprises.
  2. Complaints must now be dealt with in a timely and appropriate manner. 
  3. Incident reporting now has a structured process, regardless of the incident that arises.
  4. Card issuers are also required to make funds available to customers as soon as the final payment is known.
  5. Surcharges are also now prohibited on certain consumer card transactions. Surcharging is banned on consumer credit cards, debit cards and pre-paid cards across the EU.

The security bit:

The main factor to consider is how payments are now taken. The new law introduces a two-factor ID requirement for certain transactions. In order to make a payment, two forms of ID need to be provided, each from a different one of the following categories:

  • Knowledge – something only the customer knows, such as a PIN or password.
  • Possession – something only the customer has, such as a mobile phone or payment card.
  • Inherence – something unique to the customer, such as their fingerprint.

Prior to these new rules, it was stated that 97% of online transactions were frictionless. With the aim of reducing fraud, the new law implies that 1 in 10 payments made online will now require two-factor authentication.

With customers more likely to have to jump through hoops to be able to make a purchase, you may be concerned about cart abandonment. Whilst this new legislation will impact certain transactions, there are some exceptions:

  • Low value transactions up to €30 – this is capped at 5 transactions per card or transactions totalling €100.
  • Low risk transactions – this is allowed when the acquirer's fraud rate is between 0.01% and 0.13%.
  • Secured corporate payments – corporate payments made with secure protocols will not have two-factor ID requirements.
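To make the exemption rules above concrete, here is an added example (not code from Netmatters or from any payment provider) of a policy object that decides, per transaction, whether strong customer authentication must be triggered. It encodes only the thresholds the article gives (€30 per transaction, 5 transactions or €100 per card, an acquirer fraud rate between 0.01% and 0.13%, secured corporate payments); the names `ScaPolicy`, `CardCounters` and `decide` are hypothetical, card tokens are constructed opaque identifiers rather than real card numbers, and the decision to reset a card's low-value counters after a completed SCA is an assumption of this example, not something the article states.

```python
from dataclasses import dataclass
from decimal import Decimal

# Thresholds as stated in the article. Everything else in this file is an
# assumption made for illustration.
LOW_VALUE_LIMIT = Decimal("30")        # a single transaction of up to EUR 30
LOW_VALUE_MAX_COUNT = 5                # at most 5 exempt transactions per card...
LOW_VALUE_MAX_TOTAL = Decimal("100")   # ...or EUR 100 in total, whichever comes first
LOW_RISK_RATE_MIN = Decimal("0.0001")  # 0.01 % acquirer fraud rate
LOW_RISK_RATE_MAX = Decimal("0.0013")  # 0.13 % acquirer fraud rate


@dataclass
class CardCounters:
    """Running count and total of low-value exemptions granted to one card."""
    count: int = 0
    total: Decimal = Decimal("0")


class ScaPolicy:
    """Decides whether a transaction may skip strong customer authentication (SCA).

    acquirer_fraud_rate is a fraction (e.g. "0.0005" for 0.05 %), passed as a
    string so the Decimal arithmetic is exact.
    """

    def __init__(self, acquirer_fraud_rate: str):
        self.acquirer_fraud_rate = Decimal(acquirer_fraud_rate)
        self._cards: dict = {}  # card token -> CardCounters

    def decide(self, card_token: str, amount: str, secure_corporate: bool = False):
        """Return (sca_required, reason).

        card_token is an opaque identifier for the card (never the card number
        itself); amount is a numeric string in EUR.
        """
        value = Decimal(amount)

        # Exemption 3: secured corporate payment, no two-factor requirement.
        if secure_corporate:
            return False, "exempt: secured corporate payment"

        card = self._cards.setdefault(card_token, CardCounters())

        # Exemption 1: low value, subject to the per-card count and total caps.
        if (value <= LOW_VALUE_LIMIT
                and card.count < LOW_VALUE_MAX_COUNT
                and card.total + value <= LOW_VALUE_MAX_TOTAL):
            card.count += 1
            card.total += value
            return False, "exempt: low value"

        # Exemption 2: low risk, based on the acquirer's fraud rate band.
        if LOW_RISK_RATE_MIN <= self.acquirer_fraud_rate <= LOW_RISK_RATE_MAX:
            return False, "exempt: low risk"

        # No exemption applies, so the customer must be challenged. Assumption:
        # once SCA has been completed the card's low-value counters start again.
        self._cards[card_token] = CardCounters()
        return True, "SCA required"


if __name__ == "__main__":
    # Constructed walk-through: an acquirer whose fraud rate (0.2 %) is outside
    # the low-risk band, so only the low-value cap can exempt a consumer card.
    policy = ScaPolicy("0.0020")
    for amount in ["20", "20", "20", "20", "20", "20", "45"]:
        required, reason = policy.decide("card-token-A", amount)
        print(f"EUR {amount:>3}: {'challenge' if required else 'frictionless':12} ({reason})")
```

Running the module walks one constructed card through six €20 purchases and a €45 one: the first five go through frictionlessly, the sixth trips the five-transaction cap and is challenged, and the €45 purchase is challenged because it exceeds the €30 limit outright. The point for a merchant is that the exemption state lives per card and across transactions, so a checkout that decides on the current basket alone cannot apply these rules correctly.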

What does it mean for my business?

If you’re an ecommerce business with a payment system on your site, you’re the one who will be affected by this change. Although the law has been introduced, the official deadline for SCA compliance is 14 March 2021. This means businesses have 18 months to get themselves ready.

After this date, firms not meeting the relevant requirements will face enforcement. Although you have time to get the right processes in place to ensure two-factor authentication and frictionless payments work correctly through your website, don’t leave it until the last minute.

We are experts in creating bespoke payment systems for ecommerce clients. We understand the new laws and how to implement them effectively so that your business remains compliant. 

If you are looking to build a payment system for your website, or upgrade an already existing one, we want to help. Get in touch using the contact form below or call our helpful team on 01603 515007