News & Updates

AppDirect and the Payment Services Directive 2 Regulation

By Ideas @ AppDirect / August 21, 2019

A major new regulation—Payment Services Directive 2, or PSD2 for short—is about to go into effect in Europe. As with any new regulation, PSD2 is creating new questions as companies, both in Europe and in other parts of the world, try to grasp how the new directive may impact their businesses.

With that in mind, the AppDirect team has put together this post to help our customers and other stakeholders understand PSD2, the effects it may have, and what you need to do to prepare for it.

What Is the Payment Services Directive 2?

PSD2 is a new regulation passed by the European Union (EU) that covers all member states of the European Economic Area (EEA). First introduced in 2015, PSD2 goes into full effect on September 14th, 2019.

The objectives of the regulation are to:

• Increase competition and participation from non-banks in the payment industry
• Standardize regulations for payments across all EU countries
• Increase security and authentication for all online transactions to reduce fraud

What Is Strong Customer Authentication?

One of the main mandates of PSD2 is Strong Customer Authentication (SCA). SCA is intended to increase levels of authentication for online transactions. It is achieved by technical protocols that allow for people to use two-factor authentication (2FA).

2FA is used in situations where just a username and password are not considered secure enough, so additional authentication is required. For example, when logging into a website requires providing additional information that only the user knows—such as mother’s maiden name or favorite vacation spot—or information that only the user can access, through registered phone. Recently, new types of 2FA based on user biometrics have emerged, such as fingerprint activation or face recognition.

AppDirect and Strong Customer Authentication: 3-D Secure 2.0

For online credit card transactions, the SCA protocol of choice comes in the form of 3-D Secure (3DS). The payment gateways that AppDirect and our partners rely on to process payments are in various stages of implementing 3DS.

At AppDirect, our team is in the process of integrating 3DS on protocol version 2.0 (3D2 2.0), which supports transaction authentication using biometrics, like fingerprints or facial recognition schemes that are supported by the latest mobile phones, capabilities that are not available with the original version of 3DS.

With 3DS 2.0, shoppers are redirected to their issuing bank and presented with a challenge. The the challenge is determined by the issuing bank; it can be as simple or complex as the bank prefers. Once a user passes the challenge, they are redirected back to AppDirect to complete the checkout flow.

The original 3DS process has been associated with increased buyer drop-off, since users are forced to leave the merchant checkout flow and enter the flow of the card-issuing bank. These follow-on flows can be vastly different from the merchant and may require hard-to-remember passwords that are different from users' online banking credentials. This causes increased friction during self-service checkout that can contribute to an increase in cart abandonment. The impact of 3DS 2.0 on checkout flows is not as well benchmarked by the industry, but we believe it offers a superior buyer experience.

When Does PSD2 SCA Apply?

The new PSD2 regulations impact you if you satisfy the following conditions:

• You are based in the EEA, actively market to customers in the EEA, and have acquiring banks in the EEA
• You use a credit card payment gateway that is directly integrated with AppDirect’s checkout flow where the credit card details are entered on AppDirect checkout forms.
• Redirect-based integrations are out of scope for what AppDirect can add to 3DS 2.0. In this case, the gateway hosting the card form must ensure compliance 
• Your customers add their own their credit card information. It is important to note that assisted sales transactions—that is, when a sales agent performs the checkout on behalf of an end customer—is excluded because SCA is not possible. 

The vast majority of payments running through the AppDirect platform are recurring automated payments that do not involve customer interaction and, therefore, they will be exempt from SCA.

How Is AppDirect Responding?

As part of our response to these new requirements, AppDirect has a detailed compliance plan. For details, please contact your account team if you are an AppDirect customer or partner. Otherwise, please contact legal@appdirect.com.

Ideas @ AppDirect is a leading source for trends, statistics, best practices, and other information related to the digital economy.