News
Stricter Rules for Electronic Payments
On the 14th of September 2019, the European Union's Revised Payment Services Directive (Directive (EU) 2015/236, also known as "PSD2") became effective in Sweden and the other EU member states, with ramifications for consumers, retail outlets and online service providers alike. In this article we give an overview of the new rules, as well as their practical implementation. The directive's implementation does, however, vary somewhat depending on member state and industry. For precise information on what will apply to you and your company, we encourage you to contact the national regulating authority for payment services. In Sweden, this role is filled by Finansinspektionen (the Swedish Financial Supervisory Authority).
Increased Account Access for Third-Party Service Providers
One of the main points of the directive is that it gives individuals and companies the right to allow licensed third-party service providers access to their bank information and accounts, access that was previously limited to the bank holding the accounts and that bank's chosen partners. Companies interested in offering services based on third-party account access in Sweden can apply to the national regulating authority (in Sweden, Finansinspektionen) for one or both of the two new licenses introduced by the directive, namely those for Payment Initiation Service Providers (PISP) and Account Information Service Providers (AISP). The new rules also enable increased access for the holders of certain pre-existing financial licenses, and several categories of companies in the financial sector have therefore been required to renew their licenses in the run-up to the new directive to ensure that they are in full compliance with the new rules.
Strong Consumer Authentication
To avoid the risk of the new third-party access procedures being misused, and to help fight the existing problems of cybercrime and credit card fraud, the revised Payment Services Directive also prescribes a stricter system for verifying the identity of anyone who tries to use an electronic payment or financial information service. So-called two-factor authentication is to become the norm when using such services, which means that customers will have to prove their identity with two or more separate elements, for example two of the following means of verification: possession of the payment card, a PIN code, use of a personal phone, a technologically verifiable ID, or electronically scanned biometric data. The directive itself does not require both means of verification to be used every time, but going forward the directive will require two-factor authentication:
- At least every fifth purchase made by the same customer with the same electronic means of payment;
- Every time more than 30 Euros are spent electronically at the same time; and
- Once for every EUR 100 spent by the same customer using the same electronic means of payment.
As a reaction to the new rules, most affected service providers have also implemented their own standards, which in many cases require more frequent two-factor authentication than the default established by the directive. There are also a few types of payments that have been exempted from the new rules. Among them are payments of less than EUR 50 per payment relayed by providers of electronic communication services, provided they do not exceed a total of EUR 300 per month. The intention is to allow the continued development of so-called online micro-purchases, as well as of online ticket purchases. Another exemption applies to payments made within limited payment networks, such as those made by charge cards that are only valid in, for example, a company or school restaurant.
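The three triggers listed above, together with the micro-payment exemption for electronic communication services, are essentially per-card counters that a payment service provider has to keep between strong authentications. The following Python model is an added illustration, not code from the original article or from any payment provider. It uses the article's figures (five purchases, EUR 30 per payment, EUR 100 cumulative; EUR 50 per payment and EUR 300 per month for the telecom exemption) and makes two assumptions of its own: that the counters reset whenever the customer completes a strong authentication, and that "once for every EUR 100" means the cumulative spend since the last strong authentication may not exceed EUR 100. The function and field names are constructed for this example; a real provider would take its thresholds from its regulator's guidance and its own, usually stricter, policy.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Thresholds as stated in the article (constructed example values, not a
# provider's production policy; real providers are typically stricter).
MAX_PAYMENTS_WITHOUT_SCA = 5     # at least every fifth purchase
PER_PAYMENT_LIMIT_EUR = 30.0     # any single payment above this amount
CUMULATIVE_LIMIT_EUR = 100.0     # once for every EUR 100 spent

# Exemption for payments relayed by electronic communication providers.
TELECOM_PER_PAYMENT_LIMIT_EUR = 50.0
TELECOM_MONTHLY_LIMIT_EUR = 300.0


@dataclass
class CardState:
    """Counters a provider keeps per card since the last strong authentication
    (assumption: both reset when the customer authenticates with two factors)."""
    payments_since_sca: int = 0
    amount_since_sca_eur: float = 0.0


def sca_required(state: CardState, amount_eur: float) -> Tuple[bool, str]:
    """Decide whether the next payment must be strongly authenticated.

    Returns (required, reason). Any single trigger is enough; the order only
    determines which reason is reported.
    """
    if amount_eur > PER_PAYMENT_LIMIT_EUR:
        return True, "single payment above EUR 30"
    if state.payments_since_sca + 1 >= MAX_PAYMENTS_WITHOUT_SCA:
        return True, "fifth payment since last strong authentication"
    if state.amount_since_sca_eur + amount_eur > CUMULATIVE_LIMIT_EUR:
        return True, "cumulative spend since last strong authentication exceeds EUR 100"
    return False, "low-value exemption applies"


def record_payment(state: CardState, amount_eur: float, authenticated: bool) -> None:
    """Update the counters after a payment went through.

    A strongly authenticated payment resets both counters; an exempted one
    accumulates towards the next trigger.
    """
    if authenticated:
        state.payments_since_sca = 0
        state.amount_since_sca_eur = 0.0
    else:
        state.payments_since_sca += 1
        state.amount_since_sca_eur += amount_eur


def simulate(amounts: List[float]) -> List[Tuple[float, bool, str]]:
    """Run a sequence of payments on one card, assuming the customer completes
    strong authentication every time it is demanded. Returns one
    (amount, sca_required, reason) entry per payment."""
    state = CardState()
    log = []
    for amount in amounts:
        required, reason = sca_required(state, amount)
        record_payment(state, amount, authenticated=required)
        log.append((amount, required, reason))
    return log


def telecom_exempt(amount_eur: float, spent_this_month_eur: float) -> bool:
    """Micro-payment exemption for electronic communication providers:
    below EUR 50 per payment and no more than EUR 300 in the month."""
    return (amount_eur < TELECOM_PER_PAYMENT_LIMIT_EUR
            and spent_this_month_eur + amount_eur <= TELECOM_MONTHLY_LIMIT_EUR)


if __name__ == "__main__":
    # Constructed sample: five small coffee purchases, then a larger one.
    for amount, required, reason in simulate([10, 10, 10, 10, 10, 45]):
        print(f"EUR {amount:>5.2f}  SCA required: {required!s:5}  ({reason})")
```

Running the sample shows the first four EUR 10 payments passing under the exemption, the fifth demanding two-factor authentication because of the count, and the EUR 45 payment demanding it because of its amount, even though the counters were just reset.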
So-called contactless payments using the EMV chip technology built into most payment cards will be subject to the rules for two-factor authentication and are thereby supposed to require the use of a PIN code or other authentication method at the very least at the intervals stated above. Verification methods such as merely signing the receipt after using a payment card are not in compliance with the directive and are expected to disappear from the EU market. The use of magnetic strips as a means of payment has been in the process of being phased out within the European Union for many years, due to the ease with which such cards can be copied ("skimmed"), and the directive is expected to greatly increase the speed of this process, since magnetic strips are not sufficiently secure to serve as a factor in two-factor authentication.
The practice of requiring an ID card to be shown for the purpose of authenticating a payment might continue to be encountered in some situations. However, unless the technology of the card and that of the service provider allows the card to be verified and tied to the identity of the user (for example by stored biometric data), such verification methods' compliance with the directive would be questionable, and they are therefore likely to be phased out as well.
The situation is also complicated by the fact that it is up to the regulating authorities of each EU member state to issue guidelines for their nation’s businesses.
Officially, the directive takes full effect on the 14th of September, or even earlier depending on certain local implementation measures. In practice, certain industries will be allowed more time to adapt by their regulating authority, as long as they present a clear explanation of the implementation problems they are facing and how they are to be resolved. There are, for example, payment service providers that have been able to get more time for phasing out the signature as a means of authenticating a card payment, and this practice is therefore expected to continue for some time in the restaurant sector. The full implementation of the directive is, on the other hand, expected to move faster in Sweden than in many other EU member states, due to Sweden's well-developed infrastructure for electronic IDs and EMV chip-based card technology.
The stricter authentication rules introduced by the directive are expected to aggravate the pre-existing problems experienced by non-European visitors trying to use their cards within the EU. Europe's increasing reliance on EMV chips has, in recent years, caused problems for visitors whose cards only use a magnetic strip. Since some payment cards still lack a PIN code, and others have experienced technical problems with getting the PIN code to work outside the card's home jurisdiction, many individuals from outside the European Union have had to rely on businesses accepting signatures, passports or simple possession of the card as means of authentication. Some older payment cards from other EU countries might suffer from similar problems, though this will most likely become rarer the further the directive's implementation progresses.
Since all of the said alternative means of authentication are to be phased out, we strongly recommend anyone who is using a foreign payment card in Sweden to check with their bank and/or card provider whether they are likely to experience any problems using the card with a PIN code in Sweden. Some cards can also be locked for use outside the jurisdiction in which they were issued, though this can often be changed at will through the card provider's or bank's online portal.
Increased Customer Protection
In addition to the rules described above, the new directive also contains stricter customer protection rules, though several of these already existed in previous legislation. Among the latter is a ban on surcharges levied by vendors solely on account of the means of payment a customer has chosen to use, though situations may still arise where vendors can legitimately pass on actual costs related to a given means of payment. Payment card interchange fees are limited to a maximum of 0.2% of the transaction value for consumer debit cards and 0.3% for consumer credit cards. Before the introduction of PSD2, similar customer protection mechanisms existed through Regulation (EU) 2015/751, as well as various pieces of local legislation implementing rules from the approved PSD2 directive. Still, the new regulatory framework is expected to counteract the extensive non-compliance with the pre-existing regulations.
The directive also introduces new consumer protection standards intended to limit the liability of a consumer who has fallen victim to identity theft and/or credit card fraud to a maximum amount of EUR 50, as long as the consumer has not committed gross negligence or otherwise been culpable in relation to the unauthorized transaction.