PSD2 explained and why you should care


Since the revised PSD (Payment Services Directive) was proposed by the European Commission back in 2013, it has already caused widespread disruption in the European payment market. New payment processors are popping up almost daily, and the big banks are clearly moving to secure their positions before the directive's strong customer authentication requirements come fully into force in September 2019.



Why you should care about PSD2

You probably don't run your own bank, and you may not think you would have any interest in using security mechanisms evaluated against the requirements of the PSD2. But even if you don't process payments yourself, there are good reasons for taking the PSD2 into account. As long as you're selling a service or a product, and either you or the buyer is in an EU country, the PSD2 will have an impact on your business.

You're surely aware of one of the key benefits of the PSD2: it will enable end users to initiate online payments directly from their bank account, without going through a credit card. This offers the possibility of significantly reducing costs, but there is one major challenge: what happens when there is fraud, and the payer requests a chargeback?



Why PSD2 is a good thing

Clearly, this will be a great challenge for merchants in the future. The payment service provider (PSP) might have to refund the payer, but the money has to come from somewhere. If there is one thing that banks and payment service providers hate, it's giving away their own money! So, if you're a merchant, it becomes even more important to be able to show that your transactions are valid.

The PSD2 strengthens the rights of the consumer considerably. To quote the PSD2 FAQ: «PSD2 provides a legislative basis for an unconditional refund right in case of a SEPA direct debit during an 8 week period from the date the funds are debited from the account. The right to a refund after the payee has initiated the payment still allows the payer to remain in control of his payment. In such cases, payers can request a refund even in the case of a disputed payment transaction.» Remember, this applies if either payer or payee is in the EU.



PSD2 with Okay

The Okay solution, provided either as a service or through the SDK, makes it possible for you as a merchant to prove what happened during the sale. It will help you protect yourself against these two common fraud cases:

  • Where the user claims «I didn’t order that», and starts a chargeback
  • Where an existing user is tricked into verifying an order, through malware or social engineering

The first case happens all the time. The Okay «What You See is What You Sign» mechanism gives you the possibility to show that it wasn't some kind of bug or mistake on your part, and that the order was really placed as you have it documented.

The second scenario is more frightening: what if malware targets your app and tries to enter fraudulent orders through it? In this case it is very easy for the payer's bank to claim that this is your liability, and that the refund should come from your funds. Using the Okay mechanisms for verifying transactions makes it very hard for automated attacks to target you. Even if an attack is carried out, the Okay API will give you a heads-up, so that you can delay the delivery of the service and avoid the fraud altogether.

The Okay solution was initially created for banks and payment processors, in order to let them perform strong customer authentication (SCA). It does not protect against a stolen identity and stolen payment details being used for an order, but that is the responsibility of the account servicing payment service provider. It will, however, help protect you as a merchant against common types of fraud. As the PSD2 enters into force, securing transactions will become even more important. We at Okay are here to help you.