There are a lot of exciting changes on the horizon, petpreneur! The online economy is changing, and if you’re a business that processes payments from European customers, pay extra special attention because the rules of online payment processing are getting an upgrade.
The European Union (EU) passed a new regulation called the Revised Payment Services Directive (PSD2). The new regulation may include changes that will impact your business. Don’t worry though – most people are probably good to go already, but it’s still a smart idea to take a more detailed look at the new directive and what it means, especially the payment processing requirements for businesses in the European Economic Area (EEA) and for anyone accepting payment from EU customers.
There’s a lot of new ground here and no one is an expert yet, but we’ve compiled some helpful Q&As from various sources to help you understand and make sense of it all.
Trust me, it’s all a lot simpler than it may seem.
Q: What is PSD2 and why should I care?
A: PSD2 is a revision of the 2009 Payment Services Directive established by the EU to promote commerce across different member states in the EU. It sounds like a totally great idea because it should create healthy competition and innovation among businesses (who doesn’t like seeing new tech to make life easier?!) and security in the payment processing sector. The directive includes 11 new mandates.
“One of these mandates is around strong customer authentication (SCA) and includes guidance around exemptions and challenges,” writes Brian Gaynor, Executive Director for European Product Solutions at J.P. Morgan. SCAs become a game-changer for those businesses selling to EU customers, including many of the wonderful businesses we work with here at Working With Dog. If you’re one of these, Gaynor covers this and much, much more here and I HIGHLY suggest you give it a read.
Another focus of the directive involves third-party providers (TPPs). EU banking customers can now consent to have their information, including transaction history, shared with and used by a TPP who, in turn, may create new financial products based on the data.
This may include anything from new apps for bill payment to a customer’s current checking balance being displayed during a point of sale. Imagine looking at your Amazon shopping cart and next to your total, seeing your current bank balance. Pretty helpful, right? Retailers may even start offering loans, either through their own financial branch or through another TPP, to encourage customers to make a purchase they may not be able to afford at the point of sale.
This will change online shopping forever, at least for the EU (for now). And the compliance deadline for businesses and organizations is right around the corner: September 14, 2019.
Q: Will PSD2 affect me?
A: Maybe. If you take payment from EU customers, then yes, it will impact your business.
PSD2 requires EU customers to provide 2 methods of identification—which I outline in the next section. What this means though is the buying process will now include an extra step. Before, a person may have logged in to their account and that was their only step to verify who they were. Now they’ll have to prove their identity through a second means, too—and you’ll want to make sure this extra step in the buying process is easy and painless.
Think about this: If you sell some type of subscription to an EU customer – let’s say the customer is auto-enrolled to purchase 1 bag of dog food a month – then that person may have extra steps to take to make that purchase, which could become a nuisance each month if it’s not streamlined.
Remember, the more difficult it is to buy, the more likely the person won’t buy, so it’s important that you look at how your payment processor has addressed this potential issue.
Psssttt… many of them have already figured it out for their system and are doing a fantastic job.
Q: What is Strong Customer Authentication?
A: Strong Customer Authentication (SCA) means businesses must provide multiple ways to verify a customer’s identity before they can make a purchase. All EEA merchants or people selling to EU customers MUST verify a customer’s identity using at least 2 of 3 methods.
As with almost anything, there are exceptions to the new rule, including total purchase price and fraud risk. You can find more details about it here.
Q: What is two-factor authentication?
A: It’s a fraud-prevention tool, essentially. Two-factor authentication is a way of making sure people are who they say they are. Businesses now must be prepared to verify identity through 2 of 3 methods.
There are three ways to verify: what the customer knows, what the customer owns and what the customer inherited.
- Knows: this may include a password login to an online cart or security question to be answered before a purchase can be made.
- Owns: a push notification may be sent to the customer’s phone for verification.
- Inherited: typically a company will use a fingerprint or another biometric such as face recognition to verify identity.
Q: Does this apply to online payments only or all payments (including in-person)?
A: This only applies to online payments.
Q: What questions should I ask my payment processor to see if I’m ready?
A: Many payment processors have already figured out the nitty-gritty of this. But to make sure, when talking with your payment processor, ask:
- Are you ready for the new European Strong Customer Authentication regulations coming into effect on September 14, 2019?
- If not, what’s the timeline for implementation?
Q: What questions should I ask my developer to see if I’m ready?
For others, here’s a good start to get the conversation going:
- Does my eCommerce plugin/software support the new European Strong Customer Authentication regulations coming into effect on September 14, 2019?
- If not, what’s the timeline for implementation?
- How often are my plugins updated?
A good rule of thumb is weekly…at minimum! Keeping plugins updated means you have the best chance of being ready for these types of new regulations.
- If you have a subscription service, ask: Will all my users on subscription have to re-authenticate for their payments to be accepted? When can I ask them to do this in preparation, if required?
Don’t fret about any of this, petpreneur! September 14 is the final date for compliance, meaning many companies have spent a lot of time and effort transitioning into compliance with the regulation. The European Banking Authority has also developed an interactive single rulebook. It’s a comprehensive reference that should get you some more answers.
Chances are you’re probably ready to rock-n-roll, and if you’re not, you still have time to communicate with your payment processor and developer about this.