Académique Documents
Professionnel Documents
Culture Documents
What is PSD2?
PSD2 applies to payment services in the European Union (EU) and is framed by European Banking Association (EBA). The
directive focuses on all electronic payments including card present and card not present transactions. PSD2 provides
data and technology driven directive to regulate the previously unregulated third party payment service providers. In
doing so, it increases competition with the aim of making payments and account access more innovative, transparent,
efficient, and secure for the consumers.
Introduction of New Players: PSD2 defines the role of Third Party Providers (TPPs) and their services. There are two
types of TPPs viz. Payment Initiation Service Providers (PISPs) may initiate a payment transaction directly from the
customers bank account and Account Information Service Providers (AISPs) consolidate the customers account and
transaction details from multiple banks in one portal
Transparent Access to Accounts: PSD2 formulates the rules for access to the customers accounts (XS2A). Banks are
mandated to open their core banking infrastructure via APIs to licensed TPPs. This will allow TPPs to provide account
information services and enable payment initiation services.
Strong Customer Authentication: SCA is an authentication process that shall include two or more authentication factors
viz. knowledge, possession, inheritance (biometrics). PSD2 mandates the use of SCA whenever the customer initiates
any electronic payment transaction, whether it is to make a payment or access their bank/TPP services.
As per the draft technical standard published by EBA, SCA has to be applied in the following 3 cases
Online access to payment accounts e.g. bankss e-banking or via an AISP
Initiation of online payment transactions including card present and card not present transactions
Any action through a remote channel that may imply a risk of payment fraud, e.g. pin change
PSD2 brings into the jurisdiction, one legged transactions, i.e. those payment transactions where the payers or the
recipients PSP is based outside of the EU. So, SCA has to be performed for these transactions as well. Hence the impact
of PSD2 is more global instead of localized to Eurozone as anticipated earlier.
However, EBA has allayed fears of banks, merchants, e-commerce companies etc. by bringing in the clauses for
exemptions from Strong Customer Authentication. The exemptions for SCA are debated, because of the need to find a
balance between security, fraud reduction, innovation, competition, user-friendliness and accessibility. In the guidelines,
the situations where a PSP is not obliged to use SCA include when the customer is:
Making a contactless payment at point of sale
Accessing their payment account data again (subject to time limit)
Paying for transport and parking
Making a low-value payment
Paying a trusted beneficiary
Making a recurring transaction for the same amount
Moving money to another of their account(s) at the same PSP
Making a low-risk, remote payment and the PSP has low levels of fraud loss
As observed, many of the clauses above correspond to either fixed restricted usage rules or prior authenticated parties.
But the final case provides PSPs with certain level of control for transaction provided they perform Transaction Risk
Analysis. It lays down the foundation of Risk Based Authentication (RBA) of the payment transactions thus playing crucial
role in reducing customer friction.
What it entails for the PSPs is that, using these transaction monitoring systems, they shall be able to record above-
mentioned parameters and further use them to validate incoming payment transactions from fraud perspective. PSPs
can use above parameters to risk rate the payment transactions and in-turn use it as a criterion to avoid Strong
Customer Authentication. As per PSD2 guidelines, PSPs on a minimum shall
Calculate a risk score based on the transaction monitoring parameter discussed above
Identify any abnormal behavioral pattern from the payer
Look for unusual information about the payers device/software
Check for malware within the authentication procedure
Look out for known fraud scenarios
Check for abnormal locations for the payer
Verify whether the payee is in a high-risk location
If there is a fraud indication in any of these checks, then that shall call for either strong customer authentication for the
transaction or rejection of the transaction. The final outcome desired is that by using these checks, PSPs shall be able to
keep their fraud rates below the reference fraud rates set by EBA for remote payment transactions. By achieving this,
they shall be able to accept and process payment transactions without applying further SCA and thus shall be able to
provide better customer experience. Reference fraud rates asset by EBA are mentioned below
This section underlines the need of real time fraud management. This is because being able to know the trends in fraud
rates on a daily basis will allow PSPs to tune authentication policies. Otherwise how will the PSP know the fraud rates at
the time of reporting? Also daily fraud rate is a better measure of fraud rate compared to the daily average fraud rate
which is computed at the end of quarter.
Conclusion
Need of the hour for the PSP is to balance security and customer experience. As evident from the EBA guidelines, there
is no one way to attack the problem and a multi-pronged strategy is needed. PSPs should adopt hybrid approach to
fraud detection and prevention which should include rules based system, behavior profiling of customers/devices/users,
link analysis between entities, and machine learning based predictive risk scoring. All these features can reduce fraud at
the bank while also reducing false positives which in-turn will help the PSPs to provide better customer experience.