PSD2, what’s the fuss about?

Over the past decade, we’ve seen many changes of regulations and directives relating to payment services. The changes have been driven by a need to improve not only security surrounding financial transactions, but transparency on the different types of payment services and their charges.

The Second Payment Services Directive (PSD2) is one that has the potential to revolutionise the payments industry, hence the fuss!  But what exactly is PSD2?

The aim of the Directive is to establish a single market across the EU for payments and therefore, encourage safer and more innovative payment services, and to make payments within the EU, and the wider EEA, as easy, efficient and secure as possible.

PSD2 requires financial institutions to share customer account information with third party payment services through intelligent API’s, which enables third-party organisations to develop personalised and real-time payment and information services for customers.

By breaking down the technical barriers to entry that have traditionally existed, this new approach completely opens up the payments and ecommerce ecosystem to new entrants, competition, while also making it possible for banks to incorporate third-party technologies into their own offerings.


Taking security to the next level

In addition to the enforced sharing of customer account information with third parties, another aspect of the Directive that hasn’t received as much coverage is the ‘beefing up’ of customer authentication requirements.

From September 2019, certain types of transactions will require multi-factor authentication (MFA). This means customers will have to provide at least two types of identification to complete relevant transactions. These are broken down into three main areas:


  • Knowledge – A pin or password
  • Possession – A mobile phone or payment card
  • Inherence – biometrics, such as a fingerprint


For example, a customer making a payment online could also have to confirm their identity by receiving a code sent to them via SMS which they have to submit in order to complete the transaction.

This is a positive leap forward in terms of protecting consumers against fraud by adding an extra layer of protection; however it could pose some issues for companies who accept credit card payments. The potential added friction at the point of payment could lead consumers to seek alternative ways to pay; not a great customer experience!

PSD2 doesn’t however apply to telephony payments, and as such payments can be made without the need for MFA. For contact centres, this could result in an increase of customers calling to make payments by phone.

As such, it’ll be important for organisations to handle sensitive customer payment data with the utmost care when handling telephone-based transactions, and make sure the right safeguards are in place to protect customers’ payment details.

This means technologies, including Dual Tone Multi Frequency (DTMF) masking technology, which ensures card-not-present payments remain PCI compliant, should be leveraged as an additional layer of security.


It will however be interesting to see how consumers respond and, in turn, how regulations may change in light of this. Could it be that the next step is to prevent card data being spoken over the phone? Who knows, but with all things considered it’s important that organisations scrutinise all controls around securing credit card data, as a result.

The post PSD2, what’s the fuss about? appeared first on PCI Pal.

*** This is a Security Bloggers Network syndicated blog from Knowledge Centre – PCI Pal authored by Geoff Forsyth. Read the original post at: