
The PSD2 deadline is here. Are you ready?

Global Processing Services talks you through Strong Customer Authentication (SCA) and what you need to know for your business and customers. And if you spot an acronym or term you don’t recall, head to our GPS payments glossary. 

What is PSD2? 
PSD2 is an acronym for Second Payment Services Directive. This is a set of EU regulations aimed at improving security for credit and debit card users. The legislation came out of the European Banking Authority and was adopted into UK law.  

There are several parts to PSD2. One part is the requirement for financial institutions to implement Strong Customer Authentication (SCA) by the deadline.  

What is SCA? 
SCA is a set of additional checks, applied when someone uses a payment card, to verify the identity of the person using the card. In some instances, the cardholder will be required to verify their identity in two different ways.  

What’s the deadline for SCA to be implemented in the UK? 
Monday 14 March 2022. 

Who has to adhere to the PSD2? 
All financial institutions in the EEA and UK. 
Financial institutions who are supporting 3D Secure on their cards (required if they are offering ecommerce payments) must be able to offer SCA to their cardholders. 
These regulations apply to cards issued in the European Economic Area (EEA) and the United Kingdom. 

What do the regulations require from an SCA point of view? 
Offering SCA requires having a combination of two forms of customer authentication when a customer makes a payment on a card which has 3D Secure and has been issued in the EEA or UK.  

The customer authentication could be any two of the three factors below, for example:

  • Knowledge: Something the customer knows, for example their PIN or password. 
  • Possession: Something they have, such as a mobile phone, card reader or other device evidenced by a One-Time Password. 
  • Inherence: Something they are, like a fingerprint, face recognition or voice recognition. 

When do these rules not apply? 
When you purchase something over the phone, when you use a pre-paid card, or when it’s a low-value payment – the EU rules consider these to be amounts under €30/£25, among other variables. It’s also worth noting that after a certain number of low-value payments the cardholder may need to complete additional checks.  

How can I ensure that I can offer SCA to my customers? 

Financial institutions need to ensure they have strong customer authentication (SCA). We have a solution: an additional service called 3D Secure, which enables GPS customers to set up SCA with their cardholders. It’s an add-on service integrated into the GPS platform, which you can access via our API. Among other tasks, we check the value and the frequency of payments, and can identify in real time whether SCA is required or the payment is exempt from SCA. 

Our GPS Apex processes billions of transactions every year and is fully certified by Visa and Mastercard – and we test every single transaction to see whether it meets SCA criteria, so you can feel reassured. We can undertake much of the transaction and status checking for you. Plus, when the regulations change, we update our systems to comply with them. 

Our highly configurable platform and full suite of APIs mean customers like Starling Bank and Curve can deliver real-time spending notifications to their customers, which is crucial to ensuring PSD2 is adhered to.  

Do GPS comply with the regulations? 
At GPS we support our customers by staying up to date with the regulatory requirements of all the territories that we operate in, including PSD2, giving financial institutions peace of mind that their solutions meet the required standards. GPS are a trusted and proven partner, right at the heart of the fintech ecosystem, depended on by global brands like Revolut, Zilch and WeLab. 

GPS’ security standards mean you don’t need to be concerned about security or durability. On top of our PCI DSS L1 accreditation, we are certified for ISO 27001 (which covers information security) and ISO 22301 (which covers business continuity) and we work towards the latest measures in compliance.  

We have a solution that satisfies the rigours and expectations of tier 1 banks, as we have passed the test to work with them. Royal Bank of Scotland, for example, came to GPS when looking to develop their digital proposition, Bo. 

Will it positively impact my business? 
Modernising a tech stack is no longer the lengthy, technically detailed and costly task it once was. By working with specialist providers, such as GPS in the issuer processing space, financial institutions can deepen their relationships with customers, deliver better services and set themselves up for future growth. 
