The final changes under the second Payment Services Directive, also known as PSD2 comes into full force from 1st January 2021.
These changes relate to the implementation of Strong Customer Authentication, also referred to as SCA. This means that you will need to carry out an additional security step before you complete your online shopping.
These changes are being made right across the European Union and are designed to provide better protection for you, help reduce fraud and make shopping online even more secure.
How this is done will depend on your bank and your bank will contact you to explain what these changes mean for you.
It is important that you understand this information and take any actions required to ensure you can continue to shop safely online after 1st January 2021.
What do I do now?
As a cardholder you will get more information from your bank over the coming weeks.
If you are a retailer who has an online presence and you need support to implement SCA, contact your acquirer/gateway provider or your card scheme who will be happy to assist.
Brought to you by
- Bank of Ireland
- KBC Bank
- permanent tsb
- Ulster Bank
- An Post
- JP Morgan
- AIB Merchant Services
What is PSD2?
The second Payment Services Directive or PSD2 is a European law which comes into full force on 14th September and which will make it more secure for you to make electronic payments when shopping online or using online banking services.
PSD2 aims to make payments safer, increase consumer protection and continue to foster innovation and competition while maintaining a level playing field for all parties.
While some elements of the PSD2 legislation have applied from 13th January 2018, the full rollout from September will result in changes to how you use digital payments channels and shop online by introducing added security rules referred as Strong Customer Authentication (SCA).
Each bank will communicate directly with their customers to explain how SCA will work for their accounts.
The legislation also allows for the secure provision of new services by Third Party Providers (TPPs), which is referred to as Open Banking.
Strong Customer Authentication (SCA)
What is SCA?
The principle of SCA is to increase security for electronic payments through the introduction of two factor authentication protocols. This is a security process in which you may be asked to verify your identity in two different ways such as with a password or a fingerprint . SCA will be used when accessing online payment accounts or shopping online. Customer authentication is in use today however with PSD2 it is likely to be used more frequently to provide enhanced security.
How is SCA applied?
Your identity will be authenticated using at least two of the following factors, each of which are independent of each other:
- Knowledge – something only you know e.g., password or PIN
- Possession – something only you have e.g. a card or mobile phone
- Inherence – something you are e.g. a fingerprint or voice recognition
Does strong customer authentication always apply?
PSD2 allows for the application of exemptions in some circumstances, however your bank may still choose to apply strong customer authentication if they believe the transaction requires it.
Under PSD2 the following exemptions may apply:
- Low value remote (online and mobile) transactions up to €30
Except: When a cumulative value of €100 is reached. Or when 5 payments of up to €30 have been made
- Contactless card payments up to €30
Except: When a cumulative value of €150 is reached. Or when 5 contactless payments of up to €30 have been made
- At unattended payment terminals for transport fares and parking fees
- Payments to trusted beneficiaries that you have set up through your bank
- Corporate initiated payments subject to Central Bank of Ireland security approval
- Accessing some account information – like account balance or 90 days’ worth of transactions
What is Open Banking?
Open Banking allows customers use the services of regulated Third Party Providers to provide the following:
Payment Initiation Services
When buying goods or services online from a retailer you will be offered the option to pay directly from your bank account, using an authorised TPP, as an alternative to inputting your debit or credit card details. TPPs who offer this service are known as a Payment Initiation Service Provider – PISP
Account Information Services
This allows you to use the services of an authorised TPP to help you manage your accounts in a better and more informed manner. TPPs who offer this service are known as an Account Information Service Provider – AISP.
If you choose to use these services, you must provide explicit consent to the TPP to do so.
You choose the services that a TPP can provide, and you can always choose to revoke consent at any time.
Therefore, you are always in control.
All TPPs are regulated by the Central Bank of Ireland or by the National Competent Authority of their home European Union state. Therefore, these TPPs are subject to strict security and data protection laws, similar to your bank. Your bank will check the TPP is regulated before they grant access to the TPP.
In addition, you can request information from the TPP, confirming they are a regulated entity, before you give consent.