If there ever was a year filled with change it was 2020. I recently read a statistic in an INC. article that said due to COVID-19 we saw 15 years of behavior change in just 30 days. Everyone has been resilient and adaptive as they found new ways to survive. As we embrace the fact that 2020 is coming to an end, on its last day there are two additional changes scheduled to hit the payments industry across Europe: Brexit and PSD2. These changes have been in the works for years but as of December 31, 2020, they officially take effect. What does this mean to you and how can you best prepare? We worked with our Segpay compliance team to help map out a strategy for success.
It’s amazing to think that it’s been over four years since the citizens of the United Kingdom voted to leave the European Union. Fast forward to January 31, 2020, the day known as Brexit Day, the exit process kicked off with an 11-month transition period allowing the UK to leave but also continue to trade as if they were still in the EU. The time provided some breathing room to work out how trade and how border relations would work. Officials placed a deadline of October 15, 2020 for the UK and EU to reach a new trade deal, but that date came and went. We now head into the new year with implications for everyone supporting UK and EU merchants in the payment processing world.
If you’re a processor ready to support both UK and EU merchants, then you already became a licensed payment institution in both areas. Licensed processors must have financial, compliance, and support personnel in both jurisdictions. At Segpay, we secured our EU license back in September and officially opened our Segpay Ireland office. We’re ready to process merchants in both regions.
Merchants located outside the UK, will transition to our Ireland entity and license. They’ll be processed and paid out through our European banking network. Our UK merchants will remain with Segpay UK and will be processed and paid out through our UK banking network.
Processors will do the heavy lifting with almost all these changes. The only thing left for our European merchants to do is sign an agreement with Segpay Ireland, the rest will be handled behind the scenes. This change is something we’ve worked towards for years. We’ll have to wait and see what will happen when December 31, 2020 arrives.
The EU Revised Payment Services Directive was initiated back in 2007 to provide legal framework for improved payment operations in Europe. The focus of the directive was to increase competition in the payments space and provide a way to level the playing field for consumer protection. Thirteen years later, the directive has evolved through several updates including one in 2015 when the standard rolled out and was named PSD2.
The legislation focused on a more integrated EU market and more security for consumers processing payments. In 2018, PSD2 was updated requiring online and card present transactions initiated by a consumer to have a Strong Customer Authentication (SCA), meaning authentication needed to be based on different forms that only a customer knows like a pin, through a possession the customer owns like a phone, or inherence, something about the user themselves through biometrics. SCA was initially meant to be in place by September 2019 but the majority of EU Issuers were not ready, so the new mandated date was moved to December 31, 2020.
PSD2 SCA only applies to consumer-initiated transactions that are processed through EU acquires and issuers. Merchant initiated transactions like rebills and recurring transactions, when the cardholder agrees to the terms at sign up are exempt. This is because the cardholder has already agreed to the rebill terms and is not present in the transaction flow.
For merchants operating out of the EU, all EU consumer-initiated transactions, both sign-up and one click must have SCA. One of the easiest ways to comply with the PSD2 SCA requirement is to implement 3D Secure 2.0 (3DS) which may require the consumer to be prompted for a pin, security question or some other factor after they have entered the card data on a payment page.
The purpose of 3DS is to allow issuing banks to make risk-based assessments on transactions decreasing challenges while still providing SCA and liability shift. There are also customer initiation transaction exemptions to SCA. For example, if the transaction amount is under 30 Euros or if the number of consumer-initiated transaction does not exceed five since the initial SCA or if the cumulative amount of the transaction does not exceed 100 Euros since the initial SCA. There is one caveat to applying these exemptions, there is no chargeback liability shift if an exemption is applied.
These changes are all about as clear as mud so people will need to rely on their payment processors. At Segpay we implemented SCA to meet the deadline last September. We’ll be here watching the roll out of the mandate by each of the issuers as we approach the end of the year. We want to make sure we’re maintaining compliance with the regulation and create the least amount of friction for consumers as possible. After all we’ve been through plenty of change in 2020, here’s hoping these last two are a piece of cake. Need further help navigating these regulatory changes? We’re happy to lend a hand, reach out at [email protected].