PSD2 and SCA - key information on the new rules for non-cash payments
On September 14, 2019, new rules concerning the acceptance and processing of non-cash payments will enter into force in all European Union Member States. We have prepared key information for you about the purpose of the changes, their scope, their legal basis and the basic concepts. You will also find information about what REVO does and what steps you need to take to prepare for the changes and ensure the highest level of security for your business. This information has been prepared with a focus on customers engaged in trade, services and the HoReCa industry.
KEY FACTS AND CONCEPTS
WHAT IMPACT WILL THE ENTRY INTO FORCE OF PSD2 AND SCA HAVE ON THE BUSINESS OF CUSTOMERS USING THE SERVICES OF REVO?
DO PSD2 AND SCA GUARANTEE FULL SECURITY FOR ALL TRANSACTIONS IN THE TRADE, SERVICE AND HORECA INDUSTRIES?
WHERE TO LOOK FOR SUPPORT IN ADAPTING TO THE NEW REQUIREMENTS AND IMPROVING THE SAFETY LEVEL OF YOUR BUSINESS?
KEY FACTS AND CONCEPTS
What is PSD2?
This term is short for 'Payment Services Directive 2'. It refers to Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, adopted in November 2015. It is the second such directive, extending and replacing the earlier Directive 2007/64/EC (in force since 2007), the so-called PSD1. The new directive is a response to rapid changes in the payment services market resulting from the use of modern technologies and services, for which the previously applicable regulations were no longer sufficient. All EU member states, including the Czech Republic, have been given two years to comply with the provisions of the new directive.
What is the purpose of introducing PSD2?
The main goals are:
To ensure even greater security of transactions by, among other things, introducing the obligation to use the so-called SCA (Strong Customer Authentication) mechanisms;
To increase consumer protection by increasing the liability of service providers for unauthorised transactions and regulating and supervising new payment services;
To establish international standards for payment transactions and unify the EU payments market;
To introduce new categories of service providers that can provide additional services, requiring consent to access information about the Customer's account - the so-called TPP (Third Party Providers).
What does PSD2 introduce?
The Directive introduces a number of new rules and obligations for all financial institutions that process payments, as well as for entities accepting payments within the European Economic Area. Among the main changes and new solutions introduced by the directive, you should pay particular attention to the following:
No additional fees/commissions charged for payment by consumer payment card (surcharge for the use of business cards will still be allowed).
Introduction of SCA - Strong Customer Authentication used to authorise card payments on terminals and payments on the Internet and mobile applications.
What is SCA?
SCA (Strong Customer Authentication) is a relatively recent term that is part of the PSD2 Directive. In simple terms, it is a two-factor authentication of a payment transaction that consists of at least two elements, each belonging to one of the following categories:
Knowledge - the authorization must be based on information known only to the user - e.g. the PIN code;
Possession - for authorization you need something that can only be possessed by the user - e.g. a card or a phone;
Identity - authorization may require confirmation of features characteristic only of the cardholder - fingerprint, facial features, voice (biometric solutions).
As a result, confirming some transactions will require using a card or smartphone and entering the PIN code, or using a card or smartphone and entering the confirmation code sent by SMS.
Similar rules will apply to payment transactions for purchases made over the internet or mobile applications, i.e. without the physical presence of a card or any other medium. In their case, it will be necessary to authorise transactions using 3-D Secure solutions.
What is 3-D Secure and where to get it from?
3-D Secure is a security-enhancing method for authorising transactions carried out without physical use of the card (i.e. using only the card's data - number, user's first name and surname, expiry date and CVV code on the back of the card). 3-D Secure solutions are available, among others, from the largest payment organizations - Visa, MasterCard, American Express and JCB.
The 3-D Secure transaction is secured by identification and confirmation of the card holder's rights. This is usually done using a one-time password generated by means of a token or sent by SMS to a phone number assigned to the cardholder's account. Elimination of the risk of unauthorized use of the card in this way makes the cardholder fully responsible for transactions made with 3-D Secure.
Requirements for transaction authorization with 3-D Secure:
Transactions must be authenticated using at least two of the three factors described above (knowledge, possession, identity).
The factors must be independent of each other and belong to different categories, e.g. loss of phone does not automatically mean compromise of password.
In the case of remote payments, the authentication must be assigned to a specific amount and recipient - the so-called Dynamic Linking.
Customers using the eCommerce payment gateway in REVO are provided with 3-D Secure service as part of the service.
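The two requirements listed above (factors from different categories, and an authentication code tied to a specific amount and recipient), shown as an added example that is not REVO's code and not part of the 3-D Secure specification. The HMAC construction, the factor names and all key, nonce and payment values are assumptions constructed for illustration.

```python
import hashlib
import hmac
from decimal import Decimal

# Factor categories as named on this page; the factor names are hypothetical.
FACTOR_CATEGORY = {
    "pin": "knowledge", "password": "knowledge",
    "card": "possession", "phone": "possession",
    "fingerprint": "identity", "face": "identity",
}

def satisfies_sca(verified_factors):
    """True when the verified factors cover at least two different categories."""
    categories = {FACTOR_CATEGORY[f] for f in verified_factors if f in FACTOR_CATEGORY}
    return len(categories) >= 2

def _canonical(amount, currency, payee):
    # Two-decimal amount plus length-prefixed fields, so two different
    # (amount, currency, payee) triples never serialise to the same bytes.
    parts = [f"{Decimal(amount):.2f}", currency.upper(), payee]
    return b"".join(len(p.encode()).to_bytes(2, "big") + p.encode() for p in parts)

def linked_auth_code(device_key, amount, currency, payee, nonce):
    """Authentication code bound to this amount and payee (dynamic linking)."""
    msg = nonce + _canonical(amount, currency, payee)
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()

def verify_payment(device_key, amount, currency, payee, nonce, code, verified_factors):
    """Accept only if the SCA categories are met and the code matches these details."""
    if not satisfies_sca(verified_factors):
        return False
    expected = linked_auth_code(device_key, amount, currency, payee, nonce)
    return hmac.compare_digest(expected, code)

if __name__ == "__main__":
    key, nonce = b"constructed-demo-key", b"\x01" * 16   # constructed sample values
    code = linked_auth_code(key, "49.90", "CZK", "Shop A", nonce)
    # Same details and two categories: accepted.
    print(verify_payment(key, "49.90", "CZK", "Shop A", nonce, code, ["card", "pin"]))
    # Amount changed after the customer approved: the code no longer matches.
    print(verify_payment(key, "499.00", "CZK", "Shop A", nonce, code, ["card", "pin"]))
    # Two factors from the same category do not count as SCA.
    print(verify_payment(key, "49.90", "CZK", "Shop A", nonce, code, ["pin", "password"]))
```
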
What are the risks of not complying with PSD2/SCA requirements?
Non-compliance with the requirements of the new regulations has a number of consequences. Among them, the following are of particular importance:
Inability to accept non-cash payments from customers;
Inability to sell goods and services by electronic means (Internet, applications) - decrease in revenue, inability to implement sales plans;
Dissatisfaction and loss of customers who cannot shop and order services;
Loss of the image of a well-organized, efficient company;
Financial penalties imposed by payment organizations in the event of a breach of the obligations imposed by the PSD2.
IMPACT OF PSD2 AND SCA ON THE BUSINESSES OF CUSTOMERS USING THE SERVICES OF REVO
What impact will the entry into force of PSD2 and SCA have on the business of customers using the services of REVO?
How to prepare for the new requirements?
Customer safety is an absolute priority at REVO. As a responsible business partner, we have developed solutions and procedures so that you can accept non-cash payments under the new rules without hindrance, while being involved in their implementation only to the minimum extent necessary for technical reasons. In most cases, this will be limited to reading the information about the changes and instructing the employees who handle transactions.
The extent to which your company is affected by the PSD2 changes depends on the range of services you use.
Large companies and enterprises using solutions integrated with cash systems.
The scope of necessary changes has been established as part of individual cooperation and technical support. Please contact your advisors and our regional sales representatives for more information.
Customers using the services of accepting non-cash payments via REVO payment terminals.
The necessary technical changes to adapt your terminals to the new rules are fully implemented by REVO specialists and will be ready to work on the day the new regulations enter into force. These changes consist of a terminal software update that is carried out without the need to act on your part. However, we recommend that you familiarise yourself with the prepared information and train terminal operators, as some of the requirements for card transaction authorisation change in a way that might be noticeable to your customers and they may ask questions.
For your convenience we have prepared a 'cheat sheet' for cashiers, which can be printed out and placed at terminals. You can download it here:
There are several language versions available for our customers from different countries.
Customers using eCommerce payment gateway.
As in the case of payment terminals, all necessary changes ensuring compliance with the 3-D Secure standard required by the PSD2, as well as the PCI DSS certificate, are implemented by REVO and do not require any actions on the part of the customers who use them. 3-D Secure solutions should also not be a problem for cardholders who will use them after 14 September to pay for purchased goods and services.
DOES PSD2 PROVIDE COMPLETE SECURITY?
Do PSD2 and SCA guarantee full security for all transactions in the trade, service and HoReCa industries?
The main objective of the introduction of the PSD2 is to ensure an even higher level of security of electronic transactions than before. Despite the modern solutions and rigours imposed by the directive, it is not in a position to guarantee that there will not be individual cases of breaches of transaction security. This is due to the fact that some daily transactions are not covered by the Directive. It is also important to be aware that not everything can be regulated by solutions introduced by law and guaranteed by REVO. Some of the issues related to the possibility of ensuring the highest level of transaction security are in the hands of the users of payment terminals and eCommerce solutions and their customers.
SUPPORT FOR CUSTOMERS
Where to look for support in adapting to new requirements and improving the safety level of your business?
Our consultants at the Merchant Service Centre and experts in the field of security and card risk elimination are at your disposal.
Phone: +420 225 092 280
Fax: +420 225 092 282
We recommend that you download the multilingual versions of the manual for cashiers, which explains the new rules for handling contactless transactions after the introduction of PSD2.
Instruction manual for sellers - cashiers (for home/office printers):
Instruction manual for sellers - cashiers (for printing house):