When the original Payment Services Directive (PSD) for the European Union was created, the intent was to increase pan-European competition in the payments space while at the same time levelling the playing field for non-banking industry companies. It also intended to protect consumers with clear, standardised customer and refund rights and provide faster payments to be made no later than the next day.
By 2015, the European Parliament had moved on to the Revised Payment Service Directive (PSD2). With the PSD2, the Parliament is looking to create more protections for consumer purchases online, increase the safety of cross-border payments and promote innovation in mobile and online payments.
On January 12th, 2016, the PSD2 went into effect, giving member countries 2 years to adopt PSD2 regulations into local government legislation. But what else was left to do? What’s currently going on with the PSD2? And how will it affect merchants?
Creation of the RTSs
There are two main pillars that the PSD2 rests on. The first is the establishment of common means of communication for transferring bank data that is also secure. The second is meant to increase the security and authentication requirements for transferring that data. Basically, making sure all technical solutions can understand one another, and that any communication is well protected.
The Regulatory Technical Standard, or RTS, was the document being developed that would help standardise how communication will be handled as well as what strong authentication and security really means. The challenge was to build an RTS that made the requirements clear without forcing banks and third parties into using technology that might become obsolete, and even insecure, almost as soon as the standard was published.
Because the RTS defines how banks and 3rd parties handle security and communications, the draft needed to be completed and approved in a timely manner so that these businesses – from banks, to merchants, to third-party fintech companies – could begin building their payment tools in a compliant way.
The good news is that the draft was completed, and approved. The bad news is that the RTS wasn’t completed until late August of 2016, and required a comment period before approval.
Businesses are allowed at least 18 months after approval to implement the regulations, but because of the late approvals, businesses will now have until at least late 2018 and possibly until early 2019 to adopt the technical standards. This leaves a gap between when PSD2 must be adopted at the local government level, and when banks and 3rd party providers must adhere to the RTS.
As it is written and approved, the RTS does accomplish the goal of creating a flexible set of rules for banks and third parties, while still leaving the door open for the industry to define best-in-breed protocols to meet the standard.
What Does This Mean for Merchants?
The directive gives merchants the opportunity to ask consumers if they can access their bank directly, instead of being forced through a gateway provider to process payments.
By becoming a Payment Initiation Service Provider (PISP) under the PSD2, a merchant can connect to bank accounts directly to debit funds for a transaction, increasing the speed at which funding occurs and decreasing the need for an interim payment gateway. However, becoming a PISP may be a complex process, and potentially costly. In addition, PISPs must follow the technical regulations regarding secure account access and authentication. This adds additional cost with the need to develop secure applications or license software from third parties that must also adhere to the RTS.
But to be able to become a PISP, merchants must follow the regulations laid out in the RTS. The delay in the RTS draft and its subsequent approval adds an additional hurdle for merchants entering the payments field for the first time.
The delay doesn’t mean that merchants will lose the chance to become PISPs. It merely means that there may be a delay before they are fully able to implement solutions that allow them to safely, and securely, access their customer’s accounts within the regulations outlined in the directive.
Despite a number of road bumps, including delays in the RTS and Brexit, the PSD2 is continuing to move forward. The directive requires banks, merchants and third parties to meet the regulations outlined in the RTS to be compliant when processing transactions, but the PSD2 has also done the industry a favour in taking their time and putting forth technical standards. These standards allow businesses to grow and adapt their technical implementations to meet the rules of the directive while at the same time taking advantage of the newest technologies and industry standards.