PSD2: A quantum leap towards data security and transparency

In a world ruled by digital platforms that empower customers and provide transparency, secure handling of data is a must. All organizations store Personally Identifiable Information (PII) to iron out authentication delays in any customer journey, thus making data security critical. After all, customers must trust the platform while sharing PIIs because “trust” is the foundation of a healthy and durable customer-client relationship.

What is PSD2 and how does it work?

Payment Services Directive 2 (PSD2) is a great step taken by the European Banking Authority (EBA) to safeguard customers from potential digital frauds.

This directive is a set of 3 documents, namely:

1. Strong Customer Authentication (SCA) guidelines - These guidelines mandate digital payment processors to implement 2 of the 3 authentication methods in authorizing an online transaction. The three methods are:
   i) Knowledge - something that a customer knows, like a PIN.
   ii) Ownership - something that a customer owns, like a card or QR code.
   iii) Inheritance - something that a customer inherits, like a fingerprint or voice.
2. Secure standards for open communication - With open banking becoming imminent, banks must provide a secure communication channel. Secure standards allow new players to enter into the market and challenge leading payment processors like VISA and Mastercard.
3. Incident reporting and security measures for operational and security risks - PSD2 is supplemented with Regulatory Technical Standards (RTS) published in the Official Journal of European Union (March, 2018). As APIs expose PIIs to third parties, banks need to regulate their usage. Banks need to develop transaction-monitoring and device-monitoring capabilities to detect any unusual payment patterns.

With the above guidelines in place, digital transactions carried out in the European Economic Area (EEA) will be made more secure and transparent. Enforcement of PSD2 lowers the entry barriers in the payment processing space. Consequently, banks might face increased competition from their digital counterparts. Given that technology and compliance are not blocking the process, we can expect potential forward and backward integrations from not only the new entrants but also from the merchants. 

What do the PSD2 guidelines mean, especially for new entrants?

Like most traditional innovations are perceived, we should take time out and identify the possible new entrants in payment processing. It is possible that merchants could make the relevant API calls directly. They might provide products and services without waiting for the payment processors’ confirmation. Therefore, in today’s online transactional workflow, we can expect considerably lesser order cancellations due to “no response” from the payment processor. 

While this would not cause a decline in transaction volumes handled by payment processors like VISA or Mastercard, it would mean that merchants need not rely solely on a strong infrastructure that promises a high uptime. Therefore, these processors can discard any dependency on specialty hardware while operating in the market. This helps in lowering the entry barriers in the highly concentrated payment processing space. 

How can new entrants differentiate themselves?

As already established, new entrants are going to enter this area. Let’s look at some of the features they would focus on:

1. Reduced operating costs - this is because a significant volume of real-time messages handling will drop.
2. Advanced cybersecurity features - these features will help detect any fraudsters trying to access critical information.
3. Enhanced adherence to regulatory and compliance standards - they will provide the capability to pivot to the latest reporting requirements in the future.
4. Uncomplicated process for merchant onboarding process - this is all they need to start operating with the consent of consumers and merchants.

Can new entrants become payment processors that easily?

To become an authorized third party, or as we call it - a Payment Initiation Service Provider (PISP), one must be in compliance with the Regulatory Technical Standards (RTS). I am not aware of the compliance costs, but, it definitely cannot be ignored. RTS governs the protocol to be followed for the APIs being used and outlines the fall-back rules, if something goes wrong. 

Does it matter to the consumer? 

As far as I know it doesn’t. At the current processing speeds where millions of transactions occur within seconds, the customer is not going to feel the difference at all. But if the merchants incur much lower costs in processing online transactions through PISPs and decide to pass the benefits onto the customers, it might get interesting. In a nutshell, it means that the margins of the payment processors are bound to decline.

Conclusion

In closing, we can say that payment processing has the potential to become an undifferentiated offering. To retain customers from migrating to competitors, players in this domain must have payment processing as a base offering and should also devise new solutions to top it. Some of the offerings can be multiple account aggregation, debt consolidation, and personal finance management, among others. As far as the special focus on bringing transparency in payment processing space is concerned, I expect to see some disruption in this otherwise uneventful space.