As of 14th September 2019, a series of new EU-issued security measures related to card payments, the so-called SCA (Strong Customer Authentication), was planned to become effective. However, the effectuation has been postponed, which I will touch upon in a minute. It’s still a good idea, though, to familiarize yourself with the rules, as they will become effective at some point later.
The new rules can force businesses that use corporate credit cards to handle online transactions (including payment for flights and hotels) to change their booking and payment processes. The new security measures are designed to prevent fraud related to online transactions, especially when it comes to payments with corporate cards. One way to secure this will be to implement a secondary identification factor, or two-factor identification, where a PIN code is required to process each transaction: a PIN code that only the card holder can obtain through a mobile device. As an example, it’ll be hard for secretaries to process flight and hotel bookings on behalf of others.
Background
SCA is a part of the PSD2 EU directive (Revised Payment Directive), which is what became effective as of Saturday 14th September 2019. PSD2 is a revised directive related to payments, and succeeds PSD1, which became effective back in 1997.
In Denmark, we’ve already implemented the directive, as we implemented the “Law of payments” as of 1st January 2018. This ruleset took PSD2 into account and thereby also SCA. But despite being early out, here we are 20 months later, and there are still several challenges to make it work. The issue in a nutshell is that most of the banks’ APIs, which are the software needed to secure integrations between banking systems and third-party applications, aren’t simple to develop. In addition to this, it’s also estimated that we’ll see issues related to the data exchanges that are made possible through PSD2. But eventually time will tell.
The aim of PSD2 is to support the ongoing digitization of society, so that both business life and consumer life can benefit from new financial services. PSD2 will aid innovation and development within the Fintech sector, where Acubiz resides.
Should we panic?
No need to panic. We can draw parallels to when we had to prepare for GDPR; no one really understood all the details and the impact, but it was important to prepare well. Back then, we prepared ourselves at Acubiz, and we’re doing that once again.
The other, and major, reason not to panic is that as of 3rd September 2019, as mentioned, the Danish Finance Authority decided to postpone the effectuation of the SCA rules in Denmark. The effectuation is postponed by 18 months. With this decision, the Finance Authority has given card issuers, payment processors and acquirers as well as online merchants another 18 months to secure compliance with the new rules.
What should we do?
There’s been quite a lot of concern about whether payments in Danish online stores would be rejected after 14th September 2019. But this won’t happen. In addition to that, it’s currently being discussed whether a common timeframe for the postponement should be set throughout the EU. Denmark is far from being the only country that’ll postpone implementation of the rules. A common timeframe will also prevent different rulesets from applying across countries and minimize the issues that this potentially could bring. But back to what you should do now. Nothing. For now, everything remains unchanged for users of payment cards.
The future with PSD2
When everything is settled, how will the world look after a full implementation of PSD2? Apart from SCA, which probably will be solved so that card users will live with a two-factor identification that isn’t much different from what we know from NemID, we’ll see a transformed financial sector in the future.
With the EU directive, we can expect lower prices for banking and financial services. The directive will open competition in the sector. We can expect that the banking products we use as consumers, as well as payment solutions for businesses, will become more cost effective.
Is it just the banks that will lower their prices? No, probably not. The margins for traditional banking will be put under pressure, and this will happen because of new players entering the market. With PSD2 it’s possible to pass on banking data to third parties. A third party can, based on this and with your approval, access your company financial data and provide you with insight and check the market for better prices for various financial services. Probably done through an application.
Be aware
PSD2, the increased competition and the newly won data freedom will mean that you, as a consumer or a business leader, should be aware of whom you allow access to your banking data. A lot of new players will check in, including players that don’t necessarily treat your data in your own best interest.