The second European Payment Service Directive was published in November 2015 by the European Commission in order to benefit consumers. How? By improving the security of electronic payments, promoting innovation and competition between countries and suppliers, and helping to develop a more integrated and efficient payment market throughout Europe.
In addition, PSD2 lays out certain technical security measures (RTS) to improve customer identification, which will start going into effect on September 14th of this year.
What you have to do and know to get ready before PSD2 goes into effect.
Among the most relevant concepts introduced by PSD2 is Strong Customer Authentication (SCA), which is simply a procedure required to check the authenticity of customers by using two factors belonging to one of the following categories:
This dual authentication procedure is obligatory for a customer to be able to:
It is important to note that there are cases where it will not be necessary to apply SCA, such as when paying with a gift card or for low-value purchases. Even so, card holders should be aware that this additional security step must be carried out more often than they have been accustomed to so far.
All parties involved in an e-commerce process in Europe - banks, payment service providers such as Visa or Mastercard, stores, etc. - must implement additional measures to ensure that they comply with the regulatory requirements of PSD2.
Customers may experience changes in the way they access their accounts remotely (app or website) or in the way they make electronic payments in Europe, such as via bank transfers or physical payments with contactless cards.
At BBVA, we have been working for some time to adapt our high security standards to the new requirements of this directive, always with a view to maintaining a pleasant user experience for our customers. Therefore, whenever the regulation allows it, and we're confident that our security measures - "invisible" to customers - identify a transaction as not fraudulent, we won't require you to undergo the dual authentication, thus making the transaction more convenient. Whenever required by law, we will resort to dual authentication.
Let's take a look at some simple examples that will help you understand how these new requirements, designed to protect your money, will affect you.
1. A customer makes a payment online with a card:
2. A customer who pays in a physical store using a Contactless Card:
3. A customer who wants to access their accounts via the website or app:
Yes, it is important that we have your updated cell phone number, since we will use a one-time password (OTP), which you will receive on your cell phone, as an authentication factor so you can access your accounts or carry out certain electronic transactions.
If your cell phone number has not been validated, meaning we're not sure that you are the one receiving the one-time code that confirms it is you on the other side, you won't be able to access your accounts via the website or app or make online payments.
It's easy to validate your cell phone number. You can do it at:
The PSD2 directive specified the regulatory requirements that are applicable to payment service providers. This regulation was published on November 27, 2017 and goes into effect on September 14, 2019 in all countries that are part of the European Economic Area (EEA).
Due to the complexity and impact that the application of strong authentication (SCA) to e-commerce has on consumers and businesses, a plan is being drawn up that will be validated with the national authority to determine when and how the SCA requirements laid out in the payment services regulation will go into effect.
Regardless of this, on September 14, the customers of every bank will be required to use dual authentication to access their accounts remotely (website and app).
Although card issuers must carry out this dual-authentication process, electronic businesses must also ensure that their online payment platform (virtual POS terminal) is able to process transactions securely, since it is possible that any payments processed in a NON-SECURE purchasing environment could be denied by the banks that issued the cards.
It is important to note that the strong authentication processes will be very beneficial for online businesses because, in addition to offering enhanced security and confidence to their customers, they reduce the potential for customer claims due to possible fraud.
Businesses may or may not have to make changes to their virtual POS terminal depending on the connection that it currently uses to process online operations. Although a plan is being drawn up that will be validated with the national authority to determine when the SCA requirements laid out in the payment services regulation will go into effect, we recommend that you make any required adjustments as soon as possible.
One of the new features for adapting to this new scenario is the creation of a new version of the secure purchase protocol, EMV 3DS (also called 3DS 2.0), which will gradually replace the current version (3DS 1.0), and whose advantages include the option of adding more information fields to enhance the consumer authentication experience.
Additionally, the new law specifies certain exemptions or exclusions for SCA that will be very useful when it comes to making customer authentication processes more flexible. These cases include:
Although the business can propose the following exemptions, it is the entity issuing the card that may ultimately require the dual authentication of the transaction.
The following transactions are beyond the scope of this regulation and therefore of the SCA requirement:
If you have any questions about PSD2, or if you are interested in using any of the SCA exemptions or exclusions provided for by law, please contact:
Business Line Soportevirtual@bbva.com
Tel. 912 983 609