What is PSD2?
The Payment Services Directive (PSD) of 2007, was replaced by the Revised Payment Services Directive (PSD2) in 2015. PSD2 is a European Union (EU) Directive, administered by the European Commission to regulate payment services and payment service providers throughout the EU and the European Economic Area (EEA). The PSD2 compliance deadline was extended due to COVID-19 and other factors. Consequently, many PSD2 requirements only went into effect on January 1, 2021, while the remaining directives will be required by September 14, 2021.
The primary objective of the PSD2 requirements is to generate a more integrated European payments market, improving payments security and protecting consumers. This directive affects European banks and other financial institutions, Payment Service Providers (PSPs), and business owners. It also impacts the US and other regions of the world. PSD2 includes 117 articles.
Under the PSD2, the European Banking Authority (EBA) published Guidelines on security measures for operational and security risks of payments services. These Guidelines, which the EBA created in close cooperation with the European Central Bank (ECB), ensure equal conditions for competition, and mitigate the increased security risks associated with electronic payments. As a result, users, payment service providers (PSPs) and payment systems experience less disruption. These Guidelines were designed to ensure that payment service providers have implemented adequate security measures to reduce operational and security risks. Security measures should include the establishment of an effective operational and security risk management framework, processes that prevent, monitor and detect potential security breaches, continuous testing, risk assessment procedures, and processes to raise awareness to Payment Service Users on security risks and risk-mitigating actions.
PSD2 regulates and integrates many types of services, such as:
- Account information service providers (AISPs)
- Payment initiation service providers (PISPs)
- Account servicing payment service providers (ASPSPs)
- Third-party providers (TPPs)
What are the requirements for PSD2?
PSD2 directives are divided into several categories:
- Electronic payments: PSD2 directives include strict rules regarding the security of electronic payments. These requirements were created to protect customers’ financial data, ensure authentication, and reduce the risk of fraud
- Payment services: PSD2 increases transparency about the products and services that payment services provide and the information requirements for utilizing them
- Users and providers of payment services: This category outlines the rights and obligations of both users and PSPs
The Guidelines under PSD2 detail requirements for the security measures that PSPs must take to manage the operational and security risks associated with the payment services they offer. All PSPs must comply with all the provisions set out in these Guidelines. The level of detail should be proportionate to the PSP’s size and to the scope, nature, riskiness and complexity of the specific services that the PSP poffers or intends to offer.
Why should you be PSD2 compliant?
Digital transformation has enabled banks and other financial institutions to expand their reach to new customers using innovative solutions and new business models, but it also introduced security challenges by increasing vulnerabilities and the potential of putting customer data at risk. In an era of open banking, banks migrate to the cloud, adopt third-party digital services and expose their APIs to maintain their competitive advantage. Actions like these introduce new attack vectors which hackers can exploit to access critical systems and sensitive data, significantly increasing the attack surface.
PSD2 was created just for that reason. The revised directive aims to better align payment regulation with the market and technology’s current state. With its open banking initiative, PSD2 now enables customers to authorize a third party to add their financial information on their behalf and make payments on their behalf using their bank account. Overall, payments across Europe will be more competitive and faster for the end user, resulting in more options and better services. This will lead to greater custom confidence in the payments market.
PSD2 requires national authorities to monitor and enforce its provisions. PSPs, credit card issuers, merchants, third-party providers and other payment industry players are required to implement strong customer authentication safeguards. EU member states have the right to take enforcement actions against non-compliant organizations. Financial institutions in the EU must comply with PSD2, with noncompliance potentially leading to loss of business, legal penalties and potential breaches of data.
Noncompliance with PSD2 means that companies servicing EU customers will reach out to other PSPs that are PSD2 compliant. This effectively ensures that PSPs that fail to comply with PSD2 will suffer a significant loss of business.
How to achieve compliance?
All organizations that are working on transitioning from PSD to PSD2 or never had any standard in place to begin with, must work their way through the lengthy PSD2 articles and attempt to fully implement the necessary controls, while praying that they correctly interpreted the legal jargon.
Centraleyes enables organizations to replace inherently slow, subjective, and outdated procedures used in the past, with a highly agile, objective, and innovative solution, reducing the cyber risk and compliance team’s workload, while significantly strengthening your risk and compliance posture. This is achieved using automated workflows and alerts that cut down data collection time while ensuring PSD2 compliance throughout every stage in the process. In addition, the Centraleyes platform streamlines PSD2 compliance with customized smart questionnaires based on the PSD2 requirements, remediation planners, and an intuitive dashboard with quantified risk and compliance scores.
Payment services (PSD 2) – Directive (EU) 2015/2366