In an effort to create a more integrated and efficient European payments ecosystem and make payments more secure, the European Commission issued new security directives for electronic payments. The European Union’s revised Payment Services Directive, PSD2 – not to be confused with PCI DSS compliance – contained Regulatory Technical Standards (RTS) that went into effect September 14, 2019. Companies doing business in the European Union must ensure their PSD2 compliance. The companies most impacted by PSD2 are those that offer payment processing services involving credit cards or bank transfers for payment of goods and services sold to customers in the EU. If your OroCommerce webstore processes payments online, here’s what you need to know about PSD2 and what you must do to make your PSD2 compliance easier.
The original Payment Services Directive (PSD1) started out as a way to harmonize payment products, infrastructures, and technical standards for electronic payments throughout the EU. In a nutshell, PSD1 provided a legal framework within which payment processors operated. With PSD1, the focus was on the payment processors.
PSD2 came about as an effort to create a more consumer-friendly environment. One section of the rules deals with who can provide payment processing services. The other section protects consumers by making charges, exchange rates, and maximum execution times more transparent.
Most importantly, it allows merchant businesses to retrieve customer information (with authorization) directly from banks. For example, with your permission, Amazon can access your account directly to withdraw funds for payment of an order. It does not need to use the services of a Visa payment processor. Here’s what a new transaction looks like under PSD2.
Amazon can act as a Payment Initiation Service Provider (PISP) and initiate the transfer without the need for a third party.
That’s very different from the old process, where Amazon would use a payment processor to contact the bank that issued your Visa card, and money would flow from the issuing bank to the payment processor and finally to Amazon. Now, sellers can have direct access – with the buyer’s permission. But with such great power comes great responsibility.
PSD2 Compliance for Dummies
So, for the online seller, what does this mean and who is affected?
Well, for starters, it depends on which country you are located in. If you are in Slovakia or Estonia, you can stop reading now. This doesn’t apply to you and you don’t need to bother with PSD2 compliance. If you are in the UK, read on, but be thankful that some of the pressure has been lifted, as you won’t need to comply right away.
However, if you are in the EU, Iceland, Liechtenstein or Norway, are not in one of the countries that opted out or delayed implementation, sell any goods or services in the EU or the European Economic Area, and your website accepts some form of electronic payment (not a cash transaction), you are affected. So, that’s mostly everyone.
As a web merchant that accepts non-cash payments, you’ll need to decide if you want to take advantage of the new rules and act as a PISP. If so, you will need to use APIs to connect to customer accounts under PSD2’s Access-to-Accounts (XS2A) rules. Sellers that opt for this route will receive instant payment confirmation and significantly reduce the costs associated with credit card processing. Of course, sellers that opt to become a PISP must comply with all applicable RTS. This could get complicated, because with this great freedom comes great responsibility. New PISPs will need to obtain a license, will be subject to heavy regulation, and must invest significantly in technology that can safely process XS2A services with banks. Most B2B small to mid-size sellers will not be taking this route.
By the way, even if PSD2 feels like a hassle for you as a seller, as a consumer your transactions will be more transparent and you’ll obtain greater protection against fraud. Fees for currency exchange will no longer be a surprise. So, there are some silver linings to this regulatory cloud.
PSD2 Compliance Checklist for OroCommerce Clients
To help you comply with the PSD2 regulation in 2019, we’ve put together this checklist to help OroCommerce clients understand what they must do. The actions you must take to ensure your OroCommerce implementation is PSD2 compliant depend on the eCommerce payment gateway you use. Under PSD2 guidelines, third-party providers bear most of the compliance burden. As a seller, you must ensure that you are doing business with a third-party provider that is in compliance.
The most popular payment gateways are listed below. If your payment gateway is not listed, contact your third-party payment processor directly. If you opt to become a PISP, it’s important to reach out to OroCommerce Support right away for assistance with development of a custom solution.
To sum things up, PSD2 compliance further simplifies and standardizes digital monetary transactions. The regulations most impact banks and third-party payment processors. Most merchants in European countries need to make sure that their third-party payment processor is complying with the new PSD2 regulations. If in doubt, ask your payment processor for verification that they are PSD2 compliant. If you are considering becoming a PISP, it’s important to contact Oro Support right away regarding the necessary APIs.