Possession
What I own
29 / 09 / 2023
Following the public consultation on the Second Payment Services Directive (PSD2) launched in 2022 as detailed in our blog, the Third Payment Services Directive (PSD3) together with the Payment Systems Regulation (PSR) are poised to bring a breath of fresh air to the ever changing world of online payments.
Following the public consultation on the Second Payment Services Directive (PSD2) launched in 2022 as detailed in our blog PSD2 revision: The Next Chapter of Payment Services, the Third Payment Services Directive (PSD3) together with the Payment Systems Regulation (PSR) are poised to bring a breath of fresh air to the ever changing world of online payments.
Launched over the years from 2016 to 2020, PSD2 has mandated Strong Customer Authentication (SCA) within Member States, in a bid to fight the ever increasing fraud and provide convenient, reassuring and accessible means of authentication.
Strong Customer Authentication is mainly defined by the mandatory use of 2 out of the 3 following factors:
What I own
What I know
What I am
The application of SCA in European Member States initially received a mixed welcome. Fraud rates immediately decreased, according to the European Central Bank, with Card-Not-Present fraud declining by 12% in 2021 following the global adoption of SCA and PSD2. In the case of France, the fraud rate dropped by 37% between 2019 and 2021 thanks to SCA measures (source: Banque de France). However, SCA also had an impact on conversion rates: it requires additional steps to complete a transaction, leading to user frustration or technical mishaps.
PSD2 also introduces several ways to streamline the mandate of SCA, with the addition of exemption rules, such as low risks payment, low value payments, trusted beneficiaries and exempted types of transaction, like recurring payments or Mail Order Telephone Order(MOTO).
While these exemptions allow for a much smoother experience for end users, they are yet to be fully exploited by the different actors and have sometimes been incorrectly used to circumvent SCA.
Since the launch of PSD2 in 2019 , significant developments have occurred:
Over the years, the balance between conversion and fraud has improved and continues to progress steadily. Our solutions Access Control Server and Trusted Authentication have successfully met expectations, consistently achieving top-class success rates across Europe. Tokenization and Worldline’s Issuer-to-Token Service Provider (i-TSP) are also progressively enhancing security and accessibility for online payments.
However, the global challenges of today and tomorrow must be addressed.
The evolution of the PSD2 directive is split into two texts: PSD3 and PSR.
Regarding authentication, PSR inherits most of what PSD2 initially covered and adds some new regulatory elements (yet to be consolidated and validated by the European Council and Parliament):
As a regulation, PSR is expected to come into effect in 2026, pending validation of the European Council and Parliament, as well as the publication of the Regulatory Technical Standards by the EBA.
Significant attention has already been given to ensuring the accessibility of Worldline Authentication solutions for everyone, in accordance with the European Accessibility Act (EAA) standard. We are also strongly committed to maintaining compliance with these requirements in future product versions.
Discover more about our inclusive solutions.Trusted Authentication is now capable of handling multiple factors of authentication and is designed to be as modular as regulation allows. The Digital Security Suite provides local and remote protection to help financial institutions combat fraud.
Furthermore, Worldline’s Access Control Server continuously assists our partners in improving their authentication rules and success rate, with a focus on providing new solutions for monitoring and sharing fraud data.
The publication and upcoming implementation of PSD3 and PSR is an encouraging step in combating emerging frauds and consolidating the application of SCA, as introduced by PSD2 in 2019.
Through additional requirements and initiatives addressing the challenges of tomorrow, the new regulation places its bets on cooperation, accessibility and modularity to further enhance authentication within the payment industry.
Worldline has successfully assisted issuers with evolving, state-of-the-art solutions while prioritising personalised services. With the upcoming regulation, we aim to adapt our products and services with an innovative touch, equipping our current and future partners with the best tools possible to ensure compliance with PSD3 and PSR.
The third blog is already available ! A shift towards a new horizon: Unveiling Open Finance through PSD3: A shift towards a new Horizon: Unveiling Open Finance through new regulation.
Payment Services Directive X (PSDX): Directive aiming at regulating payment services and payment service providers in the European Union.
Payment Services Regulation (PSR): Regulation resulting of the revision of PSD2 and dealing with the rules and obligations around payments.
European Banking Authority (EBA): Supervisory authority (1 out of the 3) contributing to technical standards related to banking.
Strong Customer Authentication (SCA): Multi-factor authentication regulation to increase the security of electronic payments, as defined initially by PSD2.
Regulatory Technical Standards (RTS) : technical definitions and specifications, brought by an European Supervisory Authority, on top of a legislation.
Financial Data Access (FIDA): Framework establishing rights and obligations to manager customer data sharing in the financial sector.