In this edition of Payments Dialog, Luke Evans and Peter Mollins discuss PSD2, SCA, and 3DS2 -- and what these regulations mean in the payments space.
As we've mentioned on the blog recently, PSD2 is fast-approaching (currently with a September 2019 deadline).
PSD2 brings quite a few new concepts to understand, so in this episode of Payments Dialog, we're discussing everything you need to know about PSD2 and payments regulations.
On this episode of Payments Dialog, we welcome Luke Evans, Senior Enterprise Account Manager, who is one of Spreedly's experts in all things regulation. Luke and Peter discuss not only PSD2, but what falls under it, the history of PSD, and what else might be coming down the regulations pipeline.
Have a topic you would like us to cover on Payments Dialog? Send us a note and let us know.
Update: See all the posts in this series with our regulations and compliance guide here.
Peter Mollins: Well hello, everyone. This is Peter Mollins with Spreedly, and welcome to another edition of Payments Dialog. I'm joined here today by Luke Evans, also with Spreedly, who's going to be talking a little bit about compliance and the various regulations and requirements that relate to the payments field. So, Luke, welcome. We're glad to have you here on Payments Dialog.
Luke Evans: Happy to be here, thanks for having me.
Peter Mollins: So, let's kick it off. I mean, I'd love to hear a bit about yourself and what you do at Spreedly, and why compliance is such an interest for you.
Luke Evans: Yeah, so again, Luke Evans, I've been with Spreedly about three years, and a senior account manager here. I guess, over the course of the last three years, I've done a little bit of different parts and roles with sales and business development, but landing in account management here most recently. So, in working with different accounts, and the larger accounts we work with here at Spreedly, compliance is obviously an important part of their business, and trying to meet compliance in regulations. And so, I'm just really interested in keeping up to speed on what the latest is in the industry so that I can guide my customers in the right direction.
Peter Mollins: That sounds great. Yeah, and I'm sure we'll get into more detail about why customers care so much about regulation, and why you hear it so much as you're managing those strategic accounts. And maybe, so we can start off and kind of get a bit of context for the regulation space, when a lot of people think about regulations, they immediately think about government regulations, but in the payments world, it seems like there are more than just government regulations in mind, is that right?
Luke Evans: Oh yeah, absolutely. I mean, you have regulations from the government that are dictating how maybe payments have to operate, but you also have the card brands themselves, or the networks that payments operate in, right? So, you have regulations or mandates from those different networks, so like VISA, MasterCard, American Express, merchants and businesses need to adhere to their policies, and how they would operate in taking credit cards, for example, or different types of payments. And then, even still, you have industry influence and just different impact. So, if you're operating your business in one industry versus another, it might impact how you need to take payments, or just different things you need to be aware of. There's higher rates of fraud in certain types of industries and those types of things. So, definitely different areas that businesses need to be aware of what regulations and mandates they might be under.
Peter Mollins: Okay, yeah, and I mentioned that that kind of complexity that enters into the regulatory world, those different layers of frameworks is going to be a theme we're going to come back to, I imagine, as we talk. Okay great, so now when we think about all these different regulatory frameworks, why does it matter? Why does a merchant need to care about these different regulatory frameworks?
Luke Evans: Sure, I mean, at the most basic level, one of the things that was part of the last answer is just that there are legal frameworks that are put in place. So, all types of businesses have to operate under the different legal frameworks in their country that they're operating in. So, at that level, these regulations are dictating how they need to operate. When you talk about taking payments, for example, then you're talking about operating within other business frameworks like VISA or MasterCard, and the credit card brands. And they're setting up frameworks in order to make that transactional relationship between consumers and businesses operate at a really nice frictionless level as much as possible. So, that's important for building up reputation and trust, that consumers can come and make payments with certain businesses, and those businesses can take those payments without worrying about different fraud on both sides of the equation. So, these frameworks are really set up in order for businesses to operate much more effectively, and within the scope of taking payments, either at point of sale and in card present conditions, or even online in card not present conditions.
Peter Mollins: Okay, and I imagine if something goes wrong in a transaction, something, there's a security issue, or something similar, reputation can go the other way, I imagine, where your reputation is damaged if you weren't doing the right thing, and fines have got to accrue. I imagine that's probably a big fear of merchants as well.
Luke Evans: Yeah, absolutely. So, we were talking about fraud, where maybe someone's making a fraudulent payment, that's going to come back to the merchant in the form of a chargeback, and so there are different things that are set up in order to minimize chargebacks, but in the same token, if something larger were to occur, like a breach of credit card data at a merchant, for example, then yeah, the card brands can come in and impose fines for that, as well as even at regulatory, like legal frameworks, they might also impose fines. So, merchants and businesses really need to be aware of these different frameworks, and that they're not in violation of those, such that if these types of things happen, then they're not going to be fined.
Peter Mollins: Okay, great. So, there's a lot of regulations that come at people these days, so what are some of the upcoming regulations and mandates that merchants should be aware of?
Luke Evans: Yeah, so we've had kind of a flurry, a little bit, of different regulations that have come down, or mandates, and again, if we're going and looking at what's governmental versus network based, we have a couple of different categories of those. So, in the most recent past, we've had GDPR, which is more of a privacy framework, and what's coming up soon similarly, in Europe, is PSD, or Payment Services Directive, some changes that are coming there. So those are more governmental frameworks and regulations that are coming. In terms of the networks to the card brands, we've had stored credentials, which is a recent development. It's kind of taking a couple years to come into play here, but stored credentials are basically cards on file. So, the way that you store card data, what type of agreements are you making with your consumers as a merchant, in order to store that data, as well as what's being passed onto the different payment services providers to understand that you've properly taken that information, and are storing that on an ongoing basis.
Luke Evans: And then also, we have always PCI, which is important in terms of storing credit card data. That's always an overriding and an overarching regulatory framework imposed by the card brands. And then, lastly, we have Three-Domain Secure, or 3DS, and 3DS 1.0 is being supplemented very soon here in 2019 with 3DS2.
Peter Mollins: Is it?
Luke Evans: So, lots of moving parts, lots of changing regulations and mandates over time.
Peter Mollins: Yeah, that's a lot for merchant staff to have to think about. Okay, great. So, one of the things that I keep hearing about, and you just mentioned, was PSD, or Payment Services Directive, and its successor PSD2. Can you tell me a bit more about what they are, and what is the difference between PSD and PSD2?
Luke Evans: Sure, yeah. PSD has been around for a few years. It's a European regulation, set forth kind of by the European Commission, who sets regulations in Europe, and it was put in place to kind of increase competition by ensuring participation by banks and non-banks alike, in the banking arena there in Europe. The other side of it is, they're also trying to ensure consumer protection, by controlling the obligations between users and providers, again in banking. And this comes into play in terms of payments, because of course, banking is really behind all of credit card payments and transfer of money.
Luke Evans: PSD2 itself is coming into play here. It was put into effect. It's an upgrade of PSD that originated around 2005. It's an upgrade that was put into place in 2018. It's getting a lot more attention in 2019 in the payment space, because of some new regulations that will affect online payments, particularly. So, PSD2, its purpose is to better protect consumers when they pay online. And then, also again, this idea of banks and non-banks being able to participate and increasing competition, it's supposed to increase some competition and make innovative developments in the online and mobile payment space as well. And really, that's going to come and affect payments and online payments here in September of 2019, and I think we'll talk about that a little bit more.
Peter Mollins: Okay, okay, great. Well, and so what is ... What do merchants have to think about when they're thinking about PSD? I mean, is there something that they need to do, or is that just ... happen behind the scenes, that the regulators are taking care of? What does a merchant have to be thinking about?
Luke Evans: Generally speaking, for PSD for merchants, they have to be looking at how they're interacting with the consumers. So, there's important regulations around what kind of information they're sharing with them in terms of utilizing their payments that they share together, and just having overall ... again, this goes back to the trust factor. There's a lot of consumer based information that needs to be shared, so that merchants are being forthcoming about how they're using their payments. Particularly, with PSD2, there is a new requirement called SCA, or Strong Customer Authentication, and that's new for PSD2 versus PSD, and that's going to play a part and a role in terms of how merchants are taking payments online.
Peter Mollins: Before we get into some of the differences between PSD and the SCA that you mentioned, does everyone ... does every merchant have to comply with PSD2?
Luke Evans: Well, in terms of PSD, just generally speaking, as European regulations, so what's important is where the acquiring bank is located, and then also where consumers are located. So, it's really for European citizens and businesses in that respect. So, it has to do with doing business in Europe. And then, also what comes into play with regards to PSD2 is the concept between two-leg transactions and one-leg transactions. So, the definition of a two-leg transaction would be where the credit card is issued in Europe, as well as the acquiring bank for the merchant is also in Europe, and those are the aspects of the two-leg transaction. A one-leg transaction would simply be where either one of those criteria is met for a transaction.
Luke Evans: And so, with two-leg transactions, it's very clear that those will be regulated under PSD2. What hasn't been quite as clear is whether one-leg transactions would be regulated under PSD2, or the timing is such that they might be included in this requirement for PSD2, as well. At this point, they're not being included, but that could be something that could change over time.
Peter Mollins: Okay, and just for clarification, since there's so many acronyms going around, PSD versus SCA, can you differentiate between what those two things are?
Luke Evans: Yeah, so PSD2 is really the regulation over. SCA is kind of a primary component of that new regulation. So, Strong Customer Authentication is particularly for online commerce, and it's the idea behind providing more values of authentication that the user is, or the consumer is who they say they are when they're using a particular payment method. So, it's this idea of multifactor authentication.
Peter Mollins: Okay.
Luke Evans: With PSD, maybe it was the requirement of just a username and password, or username, password, and pin. Those are things that someone knows, but SCA brings into the idea of needing three factors, or two of three factors of authentication, and they can be of the element of knowledge, possession, or inherence, basically something you know, something you possess, or something you are. So, it brings in this idea, inherence would be something you are is more like a fingerprint or biometrics, biometric data. And so, when we talk about SCA and why that's important for PSD2, it's because merchants that are taking payments online will have to implement a way to get users to authenticate with two of these three factors.
Peter Mollins: Okay, great. Well, that makes a lot of sense. Now, 3DS2, the way I understand it, 3DS2 is a way of implementing SCA, is that correct?
Luke Evans: Yeah, so 3DS2, I mean, maybe for a second we need to talk about 3DS, or Three-Domain Secure. 3DS was implemented as a way to fight fraud online. It's going back a few years ago in Europe, some of this was implemented with 3DS 1.0. In that implementation, 3DS, a user would start a payment with a merchant online, and then be redirected to a banking website, or a webpage, for instance, to enter a second form of authentication, or a second factor of authentication, in this case, typically a pin or some sort of password. That was the implementation of 3DS. To begin with, the problem was that it created a bit of friction by having this redirected page, and consumers would drop off from the payment flow, for instance, and it wasn't really that big of a hit with merchants.
Luke Evans: With the implementation of 3DS2, they're trying to improve this consumer experience, so that there's not as much of a drop off rate, of course, with the payment flow, which is ever so important to everyone. It was created by EMVCo, which is a consortium of the different card brands, and it's kind of this way to try to bring chip and pin to online commerce, in a way. So, 3DS2 is going to be mandated by the card brands to be implemented by merchants, in order to reduce fraud online. Again, this idea of reducing fraud and card present transactions with chip and pin, they want to do the same for online commerce. So, it's a new mandate that's being put in place in 2019, and will come into play in September of 2019.
Luke Evans: So, to your question about 3DS2, and how that interrelates with PSD2, 3DS2 is trying to accommodate as well for SCA, or Strong Customer Authentication, and provide this multifactor authentication in a way to implement that for merchants. So, 3DS2 is accounting for SCA, so 3DS2 is a solution effectively for SCA and PSD2.
Peter Mollins: As you're talking through this, it sounds like fraud and privacy are a big issue. So, when ... That brings to mind for me, liability. So, do these regulations, the 3DS related regulations, or I'm sorry, the PSD2 related regulations, do those affect liability for merchants, and other players in that space?
Luke Evans: Well, where liability comes into play is really with fraudulent activity in the payment networks. So, much of the rules and things dictated around liability come from the card networks themselves, so VISA and MasterCard. They're kind of determining where in the payment transaction liability stands, if there is a fraudulent transaction. So, where it comes into play, I guess, with regards to PSD2, it's somewhat related, but it's really more the 3DS2 mandate. With a merchant that uses 3DS2, the liability will shift back to the issuing bank, considering that in the flow of 3DS2, the issuing bank is taking the information that the merchant provides on this consumer, and the card data, and making a decision of whether they see that as the authenticated user or not. So, it's somewhat related, but it's really paired between this idea of really authenticating that user, and making sure that that's a valid payment in the network, and so the networks are coming in and making decisions about where the liability falls. Today, liability can fall more on the merchant, but again, if they use 3DS2, then they can shift that liability from themselves to the issuing bank.
Peter Mollins: Okay, okay great. Well, I appreciate your thoughts on 3DS and PSD2. So, if you don't mind, let's switch gears. One of the other regulations that you'd mentioned earlier was from the network side, which is around stored credentials. Can you just tell me a bit about what that is, what are stored credentials, and why the mandate came into play?
Luke Evans: Yeah, stored credentials comes by many names, right? It's card on file, or it's just basically card data that's stored either by the merchant or by a payment service provider. What the card networks and the card brands are trying to do is make sure that those are stored in an accurate way, and really with a mutual understanding with that consumer that their card details are being stored. The rules have somewhat been in place in the past, but again, the card networks are just a little bit more detailed, and a little bit more particular about that information, and the rules in place. And as payments evolve, and more payments are taken online, they have to redefine how these things are dictated.
Luke Evans: One of the important factors that's coming into play with the stored credentials framework, and the mandates that the card brands are putting out, is that the data that's stored with that payment method information has to pass some information along to the acquiring platform. So, values about what type of transaction it is, if it's a recurring transaction, if it's merchant initiated, like the merchant stored the card and then made an independent transaction, or if it's consumer initiated, like the consumer literally pressed the button, said initiate a payment. Those details are now stored along with the payment method so that when it's authenticated for that first time, it's kind of related to the merchant. The merchant has the authorization to utilize that in the future, and again, this trust factor and these agreements between consumer and merchant are recorded up and down the payment chain to understand who is storing which credentials, and how they can store them and use them.
Peter Mollins: Compliance rules, I mean, they're here, and they're put in place for good reasons, but there's got to be ways that a merchant can go ahead and address compliance, and address those regulations and the underlying needs behind those regulations, but still be able to have resources that are free, so that they can focus on the business priorities that really matter to them. I mean, what do you recommend to a merchant?
Luke Evans: Yeah, so certainly, the challenge here is when a mandate comes down, or some other sort of regulation comes down that it needs to be applied across the business, and if it's a mandate, for instance, and a merchant is integrated to multiple PSPs, then they have to go and work with each PSP and understand how they have to apply that regulation for that particular API or integration that they have. So, this really kind of comes back to Spreedly's fundamental value add to merchants, in that we are a single API that then kind of aggregates all that complexity from multiple payment providers, and simplifies that down into one simple solution that they can implement. So, in the case of stored credentials, for example, we're actually kind of putting a framework on top of that, so that we can add multiple PSPs into that framework. So, a merchant just integrates one time to our stored credentials that utilizes the same values across different gateways. So, really just doing it that one time, and getting the benefit of connecting to multiple PSPs. We're doing that the same way, and similarly, with other frameworks for 3DS2, and other things that come down the pipe in terms of compliance that's needed for payment flow.
Peter Mollins: Okay, terrific. Well Luke, this has been really interesting, so I definitely appreciate you taking some time to talk through some of the regulations, in particular around PSD and 3DS2, and for people that are interested in other topics around compliance, we recently put out one on PCI compliance, so I definitely encourage you to take a look at that one. But again, Luke, thank you very much for taking some time.
Luke Evans: You're welcome, thanks for having me.
Peter Mollins: Absolutely, and again, to everybody out there, I appreciate you taking some time to watch the Payments Dialog. We'll be back soon with another interesting topic, and as always, please visit spreedly.com if you have a topic you'd like to be interviewed on, or think might be interesting for our listeners and viewers. I'd love to hear about it, and see what we can do. So, thanks again.