PSD2 - Content and Deadlines

PSD2 is the abbreviation for the new EU Payment Services Directive, which came into force on 14 September 2019. The new regulations are primarily intended to ensure greater security for merchants and customers in online payment transactions.

Payment Services Directive 2, or PSD2 for short, is an update of the European Union's payment guidelines, which were established in 2007. Probably the most relevant part of the new regulations is the change for electronic payments. With the introduction of Strong Customer Authentication (SCA), all online payments must now be authenticated by two of the following three factors:

Something you know

Password, PIN

Something you have

Smartphone, Credit card, Wearable

Something you are

Fingerprint, Face recognition

In order to complete an electronic transaction, two of the three factors mentioned must now be successfully fulfilled.

Exceptions

Payments by direct debit and bank transfers are completely excluded for 2-factor authentication. Small transactions, a whitelist, payments between companies, payments in the form of subscriptions or mail/telephone orders are excluded from the regulation under certain conditions.

Hotel industry

In order to ensure that online bookings can continue to be made without problems on the hotel's own website, you should double check the details with your payment provider. 

If the credit card is required as security for a reservation or to debit a deposit, this security will lose its value in the future. For no-shows and cancellations, it will be even more difficult for the hotelier to collect the agreed fees in the future. If prepayments for bookings via OTAs are not processed directly via virtual credit cards, the guest's credit card data must be manually entered into the hotel's own terminal and debited as before. However, this will probably no longer be possible in the future due to the SCA guidelines.

Deadlines

The new EU regulation entered into force on 14 September 2019. This means that a Strong Customer Authentication is obligatory for every payment on the Internet. However, the European Banking Authority (EBA) has provided the national supervisory authorities with the option of granting a temporary postponement for the service providers concerned, but there is currently no uniform solution across Europe. 

The German financial supervisory authority Bafin thus declared that payments are still permitted until 31.12.2020 even without the stricter SCA regulations. The Austrian Financial Market Authority (FMA) has also granted a postponement of the implementation period for strong customer authentication until 31 December 2020. The authorities in Italy, Ireland and the Netherlands have also extended their deadline to the merchants.

Stay up to date and sign up now for our monthly newsletter.