As the year comes to a close, it’s always a good practice to take a step back and reflect on accomplishments, challenges and lessons-learned in your business. 2019 was a busy year for SaaS companies – made even busier by a flurry of new regulations and compliances that kept all businesses (including Maxio) on their toes.
Chances are if you are a business based in the EU, September 14, 2019 stands out to you as one of these key milestones from the year – the original deadline to comply with the second Payment Services Directive (PSD2).
But even though the deadline came and went, there are still a lot of loose ends.
Leading up to the deadline, individual national regulatory authorities issued differing guidance on enforcement timelines. And since the passing of the deadline, the EBA has issued a new opinion (discussed below). Furthermore, businesses are still grappling with the repercussions of PSD2 and what they could mean for their online sales.
So, while PSD2 chatter has quieted, you’re likely not out of the woods yet. When planning for the year ahead, there is still a lot your business should consider – starting with understanding the directive and its status in the EU country/countries where you do business.
As you look ahead into the New Year, we pulled together a quick resource for you to help make your 2020 planning easier. Read on for:
- An overview of PSD2
- Where EU countries stand relative to the deadline
- How best to stay compliant
An Overview of PSD2
By now, there is a good chance you have a general idea of PSD2 and it’s requirements, so we won’t belabor the point. You can get a deeper dive in our previous blog on the topic, or an even deeper dive in our eBook.
The condensed overview is that PSD2 is a European Economic Area (EEA) regulation that requires Strong Customer Authentication (SCA) as a means to increase security and authorization rates while decreasing online payment fraud.
When transactions meet certain requirements, SCA needs to be collected prior to processing a payment by authenticating two of three possible identification traits – something the customer owns, knows or is. The most common way to collect and confirm SCA is via the 3D Secure (3DS) protocol.
Here is an overview of what the process looks like:
- When a customer initiates an online transaction, the issuing bank will flag transactions that require SCA based on a number of criteria
- Your payment gateway will receive this request and initiate 3DS in order to authenticate the customer
- Businesses must be using a PSD2 compliant billing solution that supports 3DS workflows to present, capture, and pass the SCA identification traits back to the payment gateway’s 3DS service
- Once SCA is confirmed, it is sent back to the issuing bank to successfully process the transaction
Because payment gateways are ultimately on the hook for initiating 3DS and establishing SCA, all the major players worked hard to achieve compliance by the September 14th deadline. And because billing platforms play a crucial role in this process and also need to uphold the new standards, the Maxio team worked diligently to ensure that customers were compliant by the deadline by updating all impacted integrations.
Where EU Countries Stand Relative to the Deadline
While payment gateways and billing platforms like Maxio were prepared for PSD2 by the deadline, many impacted EU entities were not expected to be. In response to this, the European Banking Authority (EBA) published an opinion in June that the National Competent Authorities – the regulators for EU countries – could allow additional time for implementing the Strong Customer Authentication requirements in the PSD2 Regulatory Technical Standards. In other words, they gave regulatory bodies in individual countries the power to create their own timelines for the PSD2 deadline.
This regulatory flexibility, however, led to non-uniformity across the EU with regard to PSD2 enforcement timelines. After issuing the June opinion, the EBA gathered data from a variety of stakeholders across the EU. Most preferred there to be a standard EU approach and timeline for PSD2 implementation and enforcement.
As such, the EBA issued an opinion in October which stated that implementation of SCA requirements should be completed by the end of 2020. However, prior to this opinion, several countries announced an 18-month extension, and it is unclear what will transpire in those cases.
A lot to keep up with, right? Even in the process of writing this blog post, I had to rewrite multiple times just to keep it accurate and timely. (There’s a chance that it might be outdated again as you’re reading right now, although I’ll do my best to keep things current.) Regardless, it is important to note that the implementation will occur over time.
With variability in implementation timing among all involved, you should operate under the assumption that SCA could be required for applicable transactions at any time, thereby impacting your business if you are not prepared.
How to Stay Compliant
Rather than deal with this uncertainty – sitting and waiting to find out when the PSD2 deadline will inevitably be set for the EU country where you do business – it is best to prepare your business now.
This way, you avoid getting caught off guard. If your business is caught out of compliance with PSD2 it could cripple your ability to process transactions and collect revenue. When you consider that just one hour of downtime in online transactions can translate to anywhere from $100,000-$5 million in lost revenue, this is a mistake that any business cannot afford to make.
If you are working off of a homegrown billing solution or working directly with a payment gateway, the responsibility to ensure your integrations are compliant and to verify that your payment gateway provider has achieved compliance on their end falls solely on you.
We outlined the appropriate steps to take to achieve PSD2 compliance in our eBook.
Another – and far easier – way to stay compliant is by working with a billing platform like Maxio. Through this approach, you are effectively compliant with minimal effort because we have taken care of all the heavy lifting.
We know that sweeping regulations can be extremely stressful and taxing on our merchants, which is why we want to reduce the burden for as many businesses as possible.
For the next 60 days, we are offering a free month plus free premium onboarding to any new customers in the EU that sign on with Maxio for PSD2 compliance. (Just mention this blog post to one of our billing experts to take advantage of this offer.)
Whether you’re already a Maxio customer, use another billing platform or are going it alone, we urge all businesses to start their preparation planning sooner rather than later — even those that are not immediately impacted.