For many Americans, a trip abroad conjures up images of scenic vistas, Roman ruins or Parisian cafes. For U.S.-based businesses, however, doing business abroad is often less idyllic.  Complicated four-character acronyms threaten operations at every turn. Often lost in the sea of European-based regulations is the second Payment Services Directive (PSD2). Understandably, many companies have focused much more on compliance with the General Data Protection Directive (GDPR) than on PSD2. But with less than a year until full PSD2 compliance is required, it is time for merchants to prepare.

• PSD2 Alphabet Soup

PSD2 is the second attempt by the European Commission to regulate the rights and obligations of payment services users and payment services providers (PSPs). Among the directive's aims is to level the playing field for PSPs, offer better consumer protection and improve payment efficiency in the European Union. Accordingly, all the parties in the payment landscape— consumers, banks, FinTech companies, and merchants—are impacted by PSD2.

PSD2 applies in the European Union member states (together, the member states). Although PSD2 was adopted in October 2015, its implementation occurs in phases. First, by January 2018, member states were required to issue enacting legislation providing for transparency and security requirements for all electronic payment transactions. Second, PSPs are expected to implement all security requirements, including the Strong Customer Authentication requirements, and provide access to their accounts by September 2019.

Understanding PSD2 involves at least three key concepts. First, PSD2 aims to promote competition by breaking banks' monopolies over customer financial data. Account providers (i.e., banks) are required to offer application programming interfaces (APIs) by which third-party payment providers (TPPs) and account information service providers can access customers' bank accounts. Second, PSD2 contains a number of other consumer-focused provisions, including a reduction of the fee that a user could be forced to pay in the event of an unauthorized transaction. Third, Article 97 of PSD2 requires PSPs to implement so-called “Strong Customer Authentication” or “SCA” to authenticate a user when the user accesses an online payment account, initiates an electronic payment or carries out any action through a remote channel.

To provide guidance on what constitutes strong customer authentication, the European Banking Authority (EBA) promulgated the regulatory technical standards (RTS). The RTS requires that SCA be based on two or more independent elements categorized as knowledge (something you know, such as a PIN or password), possession (something you have, such as license, credit card or mobile phone), and inherence (something you are, such as a biometric fingerprint scan or face scan). The RTS imposes additional requirements designed to guard against fraud, including dynamic linking, cloning protection and authentication element independence.

And while the RTS identify a number of exceptions—such as low value transactions and transactions to trusted beneficiaries—a number of common payment and authentication methods may not comply with the RTS.    

• Scope of RTS and Responsibility for Compliance

While much ink has been spilt over the applicability of PSD2 to supposed one-leg (out) transactions, RTS requirements likely apply only to “two-leg transactions”—where the consumer's card issuing PSP and the merchant's card acquiring PSP are both located in a member state.

Ultimately, it is up to the consumer's card issuing PSP to determine whether the RTS requirements apply and SCA must be applied to a given transaction. The merchant's card acquiring PSP may seek to apply one or more of the exemptions available to SCA, but the consumer's card issuing PSP makes the final determination. The result is that merchants face uncertainty with the determination of the application of SCA to transactions with their customers.

Therefore, it is important that merchants understand from their card acquiring PSP what measures are being taken to deal with the RTS requirements and what impacts SCA will have on the customer checkout experience. The key for merchants is to ensure that SCA is implemented in a way that meets the RTS requirements but does not create undue checkout friction that causes their customers to turn away. There are also added benefits to SCA in the form of reduced fraud rates, which is a key goal of the RTS requirements. There can also be a liability shift to the card issuing PSP for specific fraudulent chargeback reason codes for transactions where the buyer does not physically present their card (so called card not present or CNP transactions) that are authenticated using 3DS 2.0 as a SCA method.

• Global Economy, Global Concerns

Just like Americans, Europeans can indulge with a royale with cheese or sip a grand iced latte. In a global economy, merchants operating in Europe need to prepare for PSD2. Compliance will impact point-of-sale (POS) transactions and CNP transactions, alike. As previously described, a number of traditional methods of authentication, such as transactions utilizing magnetic stripe cards, are not PSD2 compliant. Although PSPs—not merchants—are responsible for PSD2 compliance, the impact could be felt by merchants. Depending on their underlying contractual relationship, PSPs may, for example, refuse to process POS or CNP transactions where the merchant lacks PSD2 compliant hardware.

Mobile transactions, moreover, are not immune. For example, a mobile user interface (UI) may have to add a layer of friction by accommodating a one-time, dynamically linked password.  Depending on a business's mobile UI, this fix may be more complicated, costly, and time-consuming than it seems.

With a little less than a year until PSD2's final deadline, businesses still have time. Merchants, however, should not delay evaluating their PSD2 readiness.

Chris Kohler is Senior Legal Counsel at PayPal where he is responsible for the Braintree line of business.

Justin Steffen is a litigation partner at Jenner & Block LLP, a technologist, and a founder of his firm's FinTech industry group.