PSD2 Fraud Prevention: Strengthening Payment Security and Compliance


What do the regulators do when the rules they put in place to prevent payment fraud aren’t working? They update the rules, of course, in the form of PSD2.

The second Payment Services Directive enforces minimum operating standards for companies receiving payments in order to ensure payees are who they claim to be, improving verification standards and preventing online fraud attempts.

Implementing PSD2 can be complicated, so Trustpair secures transactions across your supply chain and helps you remain compliant. Proactively detect fraud risks and secure payments with ongoing account monitoring. Contact an expert to learn more!


What is PSD2 and why was it introduced?

PSD2 is the second version of the Payment Services Directive, a European regulation for the finance and banking industry, introduced in 2019. It was introduced to update the first version of the regulation, which came into force in 2007 and had become outdated.

In particular, this is due to the multitude of innovations and new risks that have occurred since the original PSD. New technologies in the open banking environment require enhanced due diligence standards to protect consumers and the integrity of the economic markets.

One prominent example is that many businesses in the financial services sector relied on a single account credential login for their customer transactions. If those credentials were compromised in any way, say the details were stolen, the bank would have no way of verifying that the person accessing the account, and potentially withdrawing or transferring thousands of dollars, was not the account holder but in fact a fraudulent impersonator.

Therefore, the requirements of PSD2 help to combat this type of third-party access issue and ensure that the rules for business payment service providers are as evolved as the technology of the market itself.

How PSD2 impacts fraud prevention strategies for businesses

The PSD2 compliance process requires each business to implement several measures relating to financial institutions, banks, payment service providers, and brokerages in order to prevent transaction fraud.

PSD2 brought in API standards for third parties to share data securely upon customer consent, and merchants that want to enter the open banking ecosystem must meet these API standards. This protects the security of confidential personal data shared by customers in open banking, and the integrity of any account linked with payment information.

For financial institutions, preventing fraud is all about increasing transparency. Institutions are required to share balance and account data through APIs with authorized adjacent service providers. They must also host payment initiation services to securely verify and enable payments between companies and account holders (pay by bank).

Finally, all players must comply with Strong Customer Authentication rules to prevent fraud. This requires organizations to verify the identity of the person accessing the account and confirm them as the account holder, or an authorized proxy.

Strong Customer Authentication works by requiring the customer to confirm two of the three following data categories:

  • Knowledge: such as a password or answer to a security question
  • Inherence: a biometric match such as facial ID or fingerprint
  • Possession: such as a one-time passcode sent to a phone number or email

Banks and third parties within the financial ecosystem must perform SCA at least once every 90 days to satisfy PSD2’s anti-fraud requirements.

Why is Strong Customer Authentication (SCA) essential for fraud prevention?

It has been proven time and again that cybercriminals can gain access to account login information. Sometimes their hacking skills prevail; other times they rely on social engineering and manipulation through phishing. In fact, there were over 300,000 phishing victims in 2022, and that figure only includes those who realized they had been scammed!

SCA is effective because even if the account holder’s credentials have been compromised, it’s unlikely that a fraudster would be able to bypass these extra measures, keeping the account secure.

Let’s imagine that one of your colleagues is targeted by cyber attackers who send a phishing email to their account. After the colleague accidentally enters their real login and password into a fake web page controlled by the attackers, the attackers now have the credentials.

However, when SCA is applied, it acts as a second line of defense. Without knowing the answers to security questions, having physical access to the victim’s phone for a passcode, or being able to mimic their fingerprint or face ID, the attackers will be blocked from accessing the account.

Moreover, SCA also works as an effective detection method for fraud attempts. When a challenge is answered incorrectly or not at all, organizations can set up automatic notifications of the unsuccessful login attempt and flag suspicious activity as it happens.
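To make the two-of-three factor rule, the 90-day re-authentication window and the failed-attempt detection described above concrete, here is an added Python example (not code from the article or from Trustpair). The factor names, the treatment of logins inside the 90-day window and the alert threshold are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# The three SCA factor categories named in the article, mapped from
# example factor names (the factor names themselves are constructed here).
FACTOR_CATEGORY = {
    "password": "knowledge", "security_question": "knowledge",
    "otp_device": "possession",
    "fingerprint": "inherence", "face_id": "inherence",
}
REAUTH_WINDOW = timedelta(days=90)   # SCA at least once every 90 days
ALERT_THRESHOLD = 3                  # assumption: failures before an alert
DAY0 = datetime(2024, 1, 1)          # constructed reference date


def days_after(n: int) -> datetime:
    return DAY0 + timedelta(days=n)


@dataclass
class AccountState:
    last_sca_at: Optional[datetime] = None
    failed_attempts: int = 0
    alerts: List[str] = field(default_factory=list)


def sca_satisfied(verified: List[str]) -> bool:
    """Two factors from the same category (e.g. password + security
    question) do not count; at least two distinct categories are required."""
    return len({FACTOR_CATEGORY[f] for f in verified}) >= 2


def authenticate(state: AccountState, now: datetime, verified: List[str]) -> str:
    """verified = factors the user actually proved in this attempt.
    Returns 'allowed' or 'blocked' and records failures for detection."""
    sca_due = state.last_sca_at is None or now - state.last_sca_at >= REAUTH_WINDOW
    if not sca_due:
        # Assumption: inside the 90-day window a single verified factor suffices.
        return "allowed" if verified else "blocked"
    if sca_satisfied(verified):
        state.last_sca_at = now
        state.failed_attempts = 0
        return "allowed"
    # Stolen credentials alone stop here; the failure is a detection signal.
    state.failed_attempts += 1
    if state.failed_attempts >= ALERT_THRESHOLD:
        state.alerts.append(f"{now.isoformat()} {state.failed_attempts} failed SCA attempts")
    return "blocked"
```

A phished password on its own, or a password plus a security question (both knowledge), is blocked, while a password plus a one-time code from the user's device passes and resets the 90-day clock.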

Why does a business need to be PSD2 compliant?

Businesses should prioritize PSD2 compliance because the banks that process your customer payments will refund all transactions that don’t meet the regulation’s standards. This means that organizations that take electronic payments without verifying the identity of account holders are at risk of getting things wrong, losing hard-earned revenue, and upsetting customers with a negative experience.

It’s a balance between providing an uninterrupted customer checkout journey, which has the lowest likelihood of churn, and properly validating with an authentication process, which may add friction and increase customer dropoff rates.

However, businesses don’t only have revenue to worry about; non-compliance may also lead to penalties and enforcement actions by the regulators. Alongside financial impacts, concerns over payment security could have severe reputational consequences that impact customer acquisition in the years to come.

How PSD2 affects payment providers and financial institutions

For regulated payment and financial service providers, PSD2 has caused a huge overhaul in operational and security processes.

In the case of traditional banks in particular, the move towards innovation means that they could easily become left behind if they don’t adapt. In fact, banks that constantly optimize their customer experience grow 3.2 times faster than those that don’t, proving that teams who invest in updating legacy systems are likely to stay ahead.

For fintechs, the innovation likely comes more naturally, but the sector is plagued with security concerns. With 65% of fintechs hit by ransomware attacks in 2024, compliance is still the best way to keep the personal information of your customers secure.

Preventing fraud with PSD2

PSD2 is an EU regulation for banks, fintechs, and businesses that accept payments. The regulation strengthens barriers against fraud by enforcing verification of payees in the form of Strong Customer Authentication (SCA).

Fortunately, Trustpair can help. By strengthening vendor verification and providing ongoing monitoring, Trustpair reduces the risk of supplier payment fraud. By ensuring compliance with PSD2 regulations, the platform can support your organization in mitigating its fraud risks. See it in action when you book a call with one of our experts today.



FAQ

The most common type of fraud that PSD2 aims to prevent is payment fraud, which is typically perpetrated through phishing or brute force attacks. The standards of PSD2 attempt to prevent this type of fraud through extra verification and identification checks.

GDPR is the general data protection regulation, which contains information protection rules. It aims to ensure that personally identifiable data isn’t passed from business to business without cause, and that organizations have a legitimate interest in collecting and storing confidential information.
On the other hand, PSD2 focuses specifically on payments data, and on verifying that the person paying from an account is authorized to make payments. One of the goals of PSD2 is to reduce payment fraud.

In simplified terms, PSD2 is a rulebook for banks and finance companies in the EU. The rules center around keeping payment data secure and verifying those making payments to prevent fraudsters from making unauthorized transactions, and reporting when fraud attempts are made.
