What is PSD2?
The second Payment Services Directive, or PSD2, is a European law that comes into full force on 14th September and will make electronic payments more secure when you shop online or use online banking services.
PSD2 aims to make payments safer, increase consumer protection and continue to foster innovation and competition while maintaining a level playing field for all parties.
While some elements of the PSD2 legislation have applied since 13th January 2018, the full rollout from September will change how you use digital payment channels and shop online by introducing added security rules referred to as Strong Customer Authentication (SCA).
Each bank will communicate directly with their customers to explain how SCA will work for their accounts.
The legislation also allows for the secure provision of new services by Third Party Providers (TPPs), which is referred to as Open Banking.
Strong Customer Authentication (SCA)
What is SCA?
The principle of SCA is to increase security for electronic payments through the introduction of two-factor authentication protocols. This is a security process in which you may be asked to verify your identity in two different ways, such as with a password and a fingerprint. SCA will be used when accessing online payment accounts or shopping online. Customer authentication is already in use today; however, with PSD2 it is likely to be used more frequently to provide enhanced security.
How is SCA applied?
Your identity will be authenticated using at least two of the following factors, each of which is independent of the others:
- Knowledge – something only you know e.g. a password or PIN
- Possession – something only you have e.g. a card or mobile phone
- Inherence – something you are e.g. a fingerprint or voice recognition
Does strong customer authentication always apply?
PSD2 allows for the application of exemptions in some circumstances; however, your bank may still choose to apply strong customer authentication if it believes the transaction requires it.
Under PSD2 the following exemptions may apply:
- Low value remote (online and mobile) transactions up to €30
  Except: when a cumulative value of €100 is reached, or when 5 payments of up to €30 have been made
- Contactless card payments up to €30
  Except: when a cumulative value of €150 is reached, or when 5 contactless payments of up to €30 have been made
- At unattended payment terminals for transport fares and parking fees
- Payments to trusted beneficiaries that you have set up through your bank
- Corporate initiated payments subject to Central Bank of Ireland security approval
- Accessing some account information – like account balance or 90 days’ worth of transactions
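The low-value limits listed above, worked through as code. This is an added example, not part of the original page or any bank's implementation; the counter reset after a completed challenge, the treatment of a payment that would reach the cumulative limit, and the names ExemptionCounter and decide_all are assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal

# Limits as listed on this page: (per-payment cap, cumulative cap, payment count).
LIMITS = {
    "remote": (Decimal("30"), Decimal("100"), 5),
    "contactless": (Decimal("30"), Decimal("150"), 5),
}


@dataclass
class ExemptionCounter:
    """Tracks exempted low-value payments for one card on one channel."""
    channel: str
    total: Decimal = Decimal("0")
    count: int = 0

    def sca_required(self, amount: Decimal) -> bool:
        """Decide one payment and update the running counters."""
        per_payment, cumulative, max_count = LIMITS[self.channel]
        exempt = (
            amount <= per_payment
            # Assumption: a payment that would reach the cumulative cap is challenged.
            and self.total + amount < cumulative
            # Assumption: five payments may be exempt; the next one is challenged.
            and self.count < max_count
        )
        if exempt:
            self.total += amount
            self.count += 1
            return False
        # Assumption: the challenge completes and resets both counters.
        self.total, self.count = Decimal("0"), 0
        return True


def decide_all(channel, amounts):
    """Return the SCA decision (True = challenge) for a constructed payment sequence."""
    counter = ExemptionCounter(channel)
    return [counter.sca_required(Decimal(a)) for a in amounts]
```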
What is Open Banking?
Open Banking allows customers to use the services of regulated Third Party Providers, which provide the following:
Payment Initiation Services
When buying goods or services online from a retailer, you will be offered the option to pay directly from your bank account, using an authorised TPP, as an alternative to inputting your debit or credit card details. TPPs that offer this service are known as Payment Initiation Service Providers (PISPs).
Account Information Services
This allows you to use the services of an authorised TPP to help you manage your accounts in a better and more informed manner. TPPs that offer this service are known as Account Information Service Providers (AISPs).
If you choose to use these services, you must provide explicit consent to the TPP to do so.
You choose the services that a TPP can provide, and you can always choose to revoke consent at any time.
Therefore, you are always in control.
All TPPs are regulated by the Central Bank of Ireland or by the National Competent Authority of their home European Union state. Therefore, these TPPs are subject to strict security and data protection laws, similar to your bank. Your bank will check that the TPP is regulated before granting it access.
In addition, you can request information from the TPP, confirming they are a regulated entity, before you give consent.
For more information, contact your bank:
- An Post Money
- Bank of Ireland
- Danske Bank
- KBC Bank
- permanent tsb
- Ulster Bank