If there ever was a year filled with change, it was 2020. I recently read a statistic in an Inc. news article that said due to COVID-19 we saw 15 years of behavior change in just 30 days. Everyone has been resilient and adaptive as they found new ways to survive.
As we embrace the fact that 2020 is coming to an end, on its last day there are two additional changes scheduled to hit the payments industry across Europe: Brexit and PSD2. These changes have been in the works for years but as of December 31, 2020, they officially take effect.
What does this mean to you and how can you best prepare? We worked with our compliance team to help map out a strategy for success.
Brexit
It’s amazing to think that it’s been over four years since the citizens of the United Kingdom voted to leave the European Union. Fast forward to January 31, 2020, the day known as Brexit Day, the exit process kicked off with an 11-month transition period allowing the U.K. to leave, but also continue to trade as if they were still in the EU. The time provided some breathing room to work out how trade and how border relations would work.
Officials placed a deadline of October 15, 2020 for the U.K. and EU to reach a new trade deal, but that date came and went. We now head into the new year with implications for everyone supporting U.K. and EU merchants in the payment processing world. If you’re a processor ready to support both U.K. and EU merchants, then you already became a licensed payment institution in both areas. Licensed processors must have financial, compliance and support personnel in both jurisdictions.
To provide some insight into the process, here’s what we did:
We secured our EU license back in September and officially opened our Ireland office, to be ready to process merchants in both regions. Merchants located outside the U.K. will transition to our Ireland entity and license; they’ll be processed and paid out through our European banking network, while our U.K. merchants will remain with our U.K. branch and will be processed and paid out through our U.K. banking network.
Processors will do the heavy lifting with almost all these changes. The only thing left for European merchants to do is sign an agreement with our company in Ireland; the rest will be handled behind the scenes. This change is something we’ve worked towards for years, but we’ll have to wait and see what will happen when December 31, 2020 arrives.
PSD2
The EU Revised Payment Services Directive was initiated back in 2007 to provide legal framework for improved payment operations in Europe. The focus of the directive was to increase competition in the payments space and provide a way to level the playing field for consumer protection. Thirteen years later, the directive has evolved through several updates including one in 2015 when the standard rolled out and was named PSD2.
The legislation focused on a more integrated EU market and more security for consumers processing payments. In 2018, PSD2 was updated requiring online and card present transactions initiated by a consumer to have a Strong Customer Authentication (SCA), meaning authentication needed to be based on different forms that only a customer knows like a pin, through a possession the customer owns like a phone, or inherence, something about the user themselves through biometrics. SCA was initially meant to be in place by September 2019 but the majority of EU Issuers were not ready, so the new mandated date was moved to December 31, 2020.
PSD2 SCA only applies to consumer-initiated transactions that are processed through EU acquirers and issuers. Merchant initiated transactions like rebills and recurring transactions, when the cardholder agrees to the terms at sign-up, are exempt. This is because the cardholder has already agreed to the rebill terms and is not present in the transaction flow.
For merchants operating out of the EU, all EU consumer-initiated transactions, both sign-up and one-click, must have SCA. One of the easiest ways to comply with the PSD2 SCA requirement is to implement 3D Secure 2.0 (3DS), which may require the consumer to be prompted for a pin, security question or some other factor after they have entered the card data on a payment page.
The purpose of 3DS is to allow issuing banks to make risk-based assessments on transactions, decreasing challenges while still providing SCA and liability shift. There are also customer initiation transaction exemptions to SCA … for example, if the transaction amount is under 30 Euros or if the number of consumer-initiated transaction does not exceed five since the initial SCA or if the cumulative amount of the transaction does not exceed 100 Euros since the initial SCA. There is one caveat to applying these exemptions, there is no chargeback liability shift if an exemption is applied.
These changes are all about as clear as mud, so people will need to rely on their payment processors. We’ll be here watching the rollout of the mandate by each of the issuers as we approach the end of the year; we want to make sure we’re maintaining compliance with the regulation and create the least amount of friction for consumers as possible. After all, we’ve been through plenty of change in 2020, here’s hoping these last two are a piece of cake.
Cathy Beardsley is president and CEO of Segpay, a global leader in merchant services offering a wide range of custom financial solutions including payment facilitator, direct merchant accounts and secure gateway services. Under her direction, Segpay has become one of four companies approved by Visa to operate as a high-risk internet payment services provider. Segpay offers secure turnkey solutions to accept online payments, with a guarantee that funds are always safe and protected with its proprietary Fraud Mitigation System and customer service and support. For any questions or help, contact sales@segpay.com or compliance@segpay.com.
