Exploring the effects of PSD2 revision on the Authentication & Security framework

29 / 09 / 2023

Introduction

Following the public consultation on the Second Payment Services Directive (PSD2) launched in 2022 as detailed in our blog PSD2 revision: The Next Chapter of Payment Services, the Third Payment Services Directive (PSD3) together with the Payment Systems Regulation (PSR) are poised to bring a breath of fresh air to the ever changing world of online payments.

PSD2 paving the way against fraud

Rolled out in stages between 2016 and 2020, PSD2 mandated Strong Customer Authentication (SCA) across Member States, in a bid to fight ever-increasing fraud while providing convenient, reassuring and accessible means of authentication.

Strong Customer Authentication is mainly defined by the mandatory use of 2 out of the 3 following factors:

The application of SCA in European Member States initially received a mixed welcome. Fraud rates decreased quickly: according to the European Central Bank, Card-Not-Present fraud declined by 12% in 2021 following the broad adoption of SCA and PSD2. In the case of France, the fraud rate dropped by 37% between 2019 and 2021 thanks to SCA measures (source: Banque de France). However, SCA also had an impact on conversion rates: it requires additional steps to complete a transaction, which leads to user frustration or technical mishaps.

PSD2 also introduces several ways to streamline the SCA mandate through exemption rules, such as low-risk payments, low-value payments, trusted beneficiaries and exempted transaction types, like recurring payments or Mail Order/Telephone Order (MOTO).

While these exemptions allow for a much smoother experience for end users, they are yet to be fully exploited by the different actors and have sometimes been incorrectly used to circumvent SCA.

Since the launch of PSD2 in 2019, significant developments have occurred:

  • The COVID-19 pandemic boosted online payment volumes
  • New types of transactions emerged, linked to the rise of online services, such as media subscriptions, split/delayed payments and shipments
  • New technologies appeared and fraud trends changed, now leaning heavily towards social engineering fraud

Over the years, the balance between conversion and fraud has improved and continues to progress steadily. Our Access Control Server and Trusted Authentication solutions have successfully met expectations, consistently achieving top-class success rates across Europe. Tokenization and Worldline’s Issuer-to-Token Service Provider (i-TSP) are also progressively enhancing the security and accessibility of online payments.

However, the global challenges of today and tomorrow must be addressed.

The Payment Systems Regulation: catching up with new trends

The evolution of the PSD2 directive is split into two texts: PSD3 and PSR.

Regarding authentication, PSR inherits most of what PSD2 initially covered and adds some new regulatory elements (yet to be consolidated and validated by the European Council and Parliament):

  • The two factors constituting SCA can be of the same nature
  • Accessibility requirements apply to payment service providers
  • Issuers are encouraged to cooperate with each other against fraud, under an EBA framework
  • Cooperation instructions with telecom institutions to fight bank employee spoofing fraud
  • Issuers must refund victims of payment fraud for authorised transactions unless strong evidence of the user’s involvement in the fraud or negligence can be provided
  • Outsourcing agreements are to be established to regulate liability for fraud in multi-party implementations
  • The EBA is once again tasked with fine-tuning the SCA requirements and exemptions
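
The two-of-three factor rule described under "PSD2 paving the way against fraud" and the PSR proposal above that both factors may be of the same nature can be expressed as a small policy check. The following is an added example, not Worldline code; it assumes the three PSD2 factor categories (knowledge, possession, inherence), which the page does not list, and it models factor independence with a constructed element identifier so that the same PIN or the same device cannot count twice.

```python
"""SCA factor-category check: the PSD2 "two distinct categories" rule beside the
PSR proposal that lets the two factors share a category.

Added example, not Worldline code. Assumptions: the three categories are the PSD2
Article 4(30) definitions; the independence rule (a compromise of one factor must
not compromise the other) is reduced here to "two distinct elements".
"""
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "knowledge"    # something only the user knows (PIN, password)
    POSSESSION = "possession"  # something only the user has (phone, card, token)
    INHERENCE = "inherence"    # something the user is (fingerprint, face)


@dataclass(frozen=True)
class Factor:
    category: Category
    # Constructed opaque identifier of the underlying element (which device,
    # which secret); used only to detect the same element presented twice.
    element_id: str


def sca_satisfied(factors, allow_same_category=False):
    """Return (ok, reason) for a set of presented factors.

    PSD2 rule: at least two independent factors from different categories.
    PSR proposal (allow_same_category=True): the two factors may share a
    category, but must still be independent elements.
    """
    if len(factors) < 2:
        return False, "fewer than two factors presented"
    # Independence: the same element presented twice is one factor, not two.
    if len({f.element_id for f in factors}) < 2:
        return False, "factors are not independent (same element reused)"
    categories = {f.category for f in factors}
    if len(categories) >= 2:
        return True, "two distinct categories (PSD2 and PSR)"
    if allow_same_category:
        return True, "same category, independent elements (PSR proposal)"
    return False, "single category; PSD2 requires two distinct categories"


if __name__ == "__main__":
    # Constructed sample authentication attempts.
    pin = Factor(Category.KNOWLEDGE, "pin-1")
    phone = Factor(Category.POSSESSION, "device-A")
    password = Factor(Category.KNOWLEDGE, "password-2")
    for label, attempt, psr in [
        ("PIN + phone", [pin, phone], False),
        ("PIN + password under PSD2", [pin, password], False),
        ("PIN + password under PSR", [pin, password], True),
        ("PIN twice under PSR", [pin, pin], True),
    ]:
        ok, reason = sca_satisfied(attempt, allow_same_category=psr)
        print(f"{label}: {'accepted' if ok else 'rejected'} ({reason})")
```

The `allow_same_category` flag is the only difference between the two regimes; the independence check stays mandatory in both, which is the point a reviewer of an authentication flow should verify when a provider relies on two knowledge factors.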

As a regulation, PSR is expected to come into effect in 2026, pending validation of the European Council and Parliament, as well as the publication of the Regulatory Technical Standards by the EBA.

Worldline aims to be a pioneer in complying with the upcoming regulation.

Significant attention has already been given to ensuring the accessibility of Worldline Authentication solutions for everyone, in accordance with the European Accessibility Act (EAA) standard. We are also strongly committed to maintaining compliance with these requirements in future product versions.

Discover more about our inclusive solutions. Trusted Authentication is now capable of handling multiple factors of authentication and is designed to be as modular as regulation allows. The Digital Security Suite provides local and remote protection to help financial institutions combat fraud.

Furthermore, Worldline’s Access Control Server continuously assists our partners in improving their authentication rules and success rate, with a focus on providing new solutions for monitoring and sharing fraud data.

Conclusion

The publication and upcoming implementation of PSD3 and PSR is an encouraging step in combating emerging fraud and consolidating the application of SCA, as introduced by PSD2 in 2019.

Through additional requirements and initiatives addressing the challenges of tomorrow, the new regulation places its bets on cooperation, accessibility and modularity to further enhance authentication within the payment industry.

Worldline has successfully assisted issuers with evolving, state-of-the-art solutions while prioritising personalised services. With the upcoming regulation, we aim to adapt our products and services with an innovative touch, equipping our current and future partners with the best tools possible to ensure compliance with PSD3 and PSR.

The third blog post is already available: A shift towards a new horizon: Unveiling Open Finance through PSD3.

Glossary

Payment Services Directive X (PSDX): Directive aiming at regulating payment services and payment service providers in the European Union.

Payment Services Regulation (PSR): Regulation resulting from the revision of PSD2 and dealing with the rules and obligations around payments.

European Banking Authority (EBA): One of the three European Supervisory Authorities, contributing to technical standards related to banking.

Strong Customer Authentication (SCA): Multi-factor authentication requirement to increase the security of electronic payments, as initially defined by PSD2.

Regulatory Technical Standards (RTS): Technical definitions and specifications issued by a European Supervisory Authority on top of a piece of legislation.

Financial Data Access (FIDA): Framework establishing rights and obligations to manage customer data sharing in the financial sector.