PSD2 – second Payment Services Directive
The second Payment Services Directive (PSD2) is the European legislators' revised version of the Payment Services Directive. It has been implemented in German law since January 2018. A number of rules have been adopted to increase security in payment transactions and to allow further competition between payment institutions. Key points are the inclusion of “third-party payment service providers”, which offer payment initiation services, account information services and the issuance of payment cards, as well as the obligation to ensure “strong customer authentication”. Furthermore, the consumer protection rules have been strengthened.
Account information service (AIS)
The account information service is an online service for providing consolidated information on one or more payment service user accounts held with another or several other payment service providers. With the revision of the Payment Services Directive (PSD2), account information services are defined as payment services. The purpose of this service is to provide users with a complete overview of their financial situation at a given point in time. The account details can only be accessed with appropriate permission from the account holder. This service is sometimes also offered by primary banks.
Payment initiation service (PIS)
A payment initiation service initiates, at the request of the payment service user, a payment order relating to an online payment account held with another payment service provider.
Third-party issuer
A third-party issuer is a payment card issuer that does not hold the account to be debited with the card transactions, i.e. the card-issuing institution is not the same as the institution that manages the payer’s account.
Strong customer authentication (SCA)
In order to improve security in payment transactions, the revision of the Directive on payment services in the internal market (second Payment Services Directive, PSD2) introduced the obligation to ensure “strong customer authentication”. The obligation applies when a payer accesses their account online, initiates an electronic payment, or carries out an action through a remote channel which may imply a risk of payment fraud or other misuse. Strong customer authentication prescribes that authentication should occur using a combination of two factors from the categories “knowledge” (e.g. password, code, PIN), “possession” (e.g. token, smartphone) and “inherence” (e.g. fingerprint, voice recognition). The new requirements have to be implemented by 14 September 2019.
Third-party payment service provider
The term “third-party payment service provider” is often used for providers of account information and payment initiation services that have been subject to authorisation and registration since the implementation of the second Payment Services Directive (PSD2). It is also used to refer to third-party issuers.