Online payments. The security of PSD2


Among the European Union's objectives in building an efficient single market is the creation of a common market for payment services.

In Spain, common rules for the provision of payment services have been in place since 2009, transposing the content of the European directives (Directive 2007/64/EC).

Since then, technological progress has made it necessary to adapt the regulations governing means of payment: new players are establishing themselves in a market that extends beyond national borders, and users need more reliable ways to pay online.

The creation of a safer and more reliable environment underlies the approval of a new Directive in 2015 (Directive (EU) 2015/2366), transposed in Spain in 2018 through Royal Decree-Law 19/2018, of November 23, whose main objectives are:

  1. to facilitate and improve security in the use of Internet payment systems;
  2. to reinforce the level of user protection against fraud and potential abuses, compared with that provided for in Law 16/2009, of November 13, 2009;
  3. to promote innovation in mobile and Internet payment services.

The Royal Decree-Law establishes a phased entry into force depending on the subject matter, with the final deadline set for September 14, 2019. Because of the complexity of its application, however, this deadline has been extended by the European Banking Authority (EBA), which approved a 15-month moratorium. Companies (banks and technology companies developing online payment tools) will therefore have until December 31, 2020 to implement the technologies needed to comply with the directive.

The major milestone set for achieving the objectives of this regulation is Strong Customer Authentication.

What is Strong Customer Authentication?

The regulation defines it clearly:

It is based on the use of two or more elements categorized as:

  1. knowledge (something only the user knows);
  2. possession (something only the user possesses);
  3. inherence (something the user is), i.e. biometric identification.

These elements are independent, i.e. the breach of one does not compromise the reliability of the others, and they are designed to protect the confidentiality of the authentication data.

When must strong authentication be applied?

Only in online payments, when the user:

  a) makes an online payment;
  b) initiates an electronic payment transaction;
  c) performs, through a remote channel, any action that may involve a risk of payment fraud or other abuses.

As a result, one of the most affected sectors will be tourism (35% of e-commerce in Spain), since it has been using cards as a payment guarantee for bookings contracted in advance.

What is the benefit for hoteliers?

This new legislation will require investment by tourism companies and will have an impact on the customer experience. The positive side, however, is that it should reduce an undesirable consequence for hoteliers: bank chargebacks on online charges for services actually provided, which were impossible to prove when the guest paid with a card belonging to someone else, and for which, once the charge was rejected, VISA accepted as proof of consent only the signature on the obsolete card terminal (datáfono) slip.

Now, strong authentication will require the customer to give consent to the charge via PIN, fingerprint or any similar means implemented by their bank. This will gradually reduce chargebacks on online payments, as well as the acceptance of reservations made fraudulently by users who are not actually authorized to use the card they present for payment, a practice that used to make it easy for the real cardholder to reject the charge afterwards.

In such situations, the proof of authentication must now be kept by the payment service provider, which has to prove that the payment transaction was authenticated, accurately recorded and accounted for, and that it was not affected by a technical failure or other deficiency of the service it provides. Hoteliers may therefore turn to these entities when contesting a chargeback received from a customer, requesting proof of that authentication in addition to providing documentation that verifies the provision of the service. Such a claim must be answered within 15 days.

Fraudulent use of card data, for example by dishonest employees, is also completely eliminated, since every charge requires double authentication of the customer.

The payment service provider is obliged to keep the documentation and records that enable it to prove compliance with its obligations for at least six years.

What is new in the case of chargebacks (returned transactions)?

For the customer:

  • Liability of up to 50 euros (depending on your bank) for losses arising from unauthorized payment transactions resulting from the use of your lost, stolen or misappropriated card by a third party, unless you have acted fraudulently yourself, in which case you bear all losses from the fraudulent transaction.

For hotels:

  • Hotels may receive a chargeback from the payer during the 2 months following an authorized payment transaction, although the payment service provider will hold the proof of strong authentication so that the hotelier can contest the chargeback.
  • If the transaction is fraudulent, it may be contested up to 13 months after the transaction, in which case the payment service provider will be responsible for rectifying the unauthorized payment transaction.

Exclusions from the application of double authentication:

  • It does not apply to transactions by users who are neither consumers nor microenterprises; PSD2 therefore does not affect the management of payments to suppliers.
  • If so negotiated, double authentication may be waived for individual payment transactions not exceeding 30 euros.
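As an added illustration, not part of the article, here is how a merchant or payment service provider back office might encode the rules set out above in Python: the three factor categories and the "two or more elements of distinct categories" requirement, the exclusions just listed, and the 2-month and 13-month dispute windows from the previous section. The data structure, function names and sample values are assumptions of this example, not a reference implementation.

```python
import calendar
from dataclasses import dataclass, field
from datetime import date
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "knowledge"    # something only the user knows (PIN, password)
    POSSESSION = "possession"  # something only the user has (phone, card)
    INHERENCE = "inherence"    # something the user is (fingerprint)


LOW_VALUE_LIMIT_EUR = 30       # per-transaction exemption threshold from the article
AUTHORIZED_DISPUTE_MONTHS = 2  # payer may contest an authorized charge
FRAUD_DISPUTE_MONTHS = 13      # an unauthorized charge may be contested


@dataclass
class Transaction:  # assumed structure, not from the article
    amount_eur: float
    booked_on: date
    payer_is_consumer_or_micro: bool
    low_value_exemption_agreed: bool = False  # "if so negotiated" with the PSP
    # verified elements presented by the payer as (category, label) pairs
    factors: list = field(default_factory=list)


def sca_required(txn: Transaction) -> bool:
    """Exclusions: non-consumer/non-micro payers, and low-value if agreed."""
    if not txn.payer_is_consumer_or_micro:
        return False
    if txn.low_value_exemption_agreed and txn.amount_eur <= LOW_VALUE_LIMIT_EUR:
        return False
    return True


def satisfies_sca(factors: list) -> bool:
    """Two or more elements from distinct categories: a PIN plus a password is still one category."""
    return len({category for category, _label in factors}) >= 2


def charge_permitted(txn: Transaction) -> bool:
    return (not sca_required(txn)) or satisfies_sca(txn.factors)


def _add_months(d: date, n: int) -> date:
    """Calendar-month arithmetic that clamps to the last day of a short month."""
    years, month0 = divmod(d.month - 1 + n, 12)
    year, month = d.year + years, month0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def dispute_in_window(txn: Transaction, claimed_on: date, fraudulent: bool) -> bool:
    """2 months for an authorized charge, 13 months if the charge was unauthorized."""
    months = FRAUD_DISPUTE_MONTHS if fraudulent else AUTHORIZED_DISPUTE_MONTHS
    return txn.booked_on <= claimed_on <= _add_months(txn.booked_on, months)
```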

In conclusion, thanks to the application of this regulation, tourism companies will enjoy greater security in online payments, since it should increase consumer confidence in purchases made and paid for remotely.

Paloma Aguilar (Lawyer T&L)

Article published in the February edition of the monthly newspaper CEHAT