At a recent seminar hosted by the GSMA, ecosystem experts from Paul Hastings, the European Bank Authority (EBA), WorldPay and Vodafone gathered to discuss the practical implications of PSD2 and how it could shape the future of mobile payments.
The revised Payment Services Directive (PSD2) has been widely anticipated by the mobile payments ecosystem following its adoption by the European Parliament in October last year. The directive, which effectively broadens the definition of ‘payment service provider’ (PSP) and strengthens authentication standards, is designed to make the mobile payments market more competitive and secure.
As time draws closer to the date of directive’s implementation by Member States in 2018, the need to understand the effects of PSD2 will become more important. Key to understanding the consequences of PSD2 is its stipulation of two new categories of PSPs that will be authorised and supervised payment institutions allowed access to users’ bank accounts: ‘Payment Initiation Service Providers’ and ‘Account Information Service Providers’.
The introduction of ‘Payment Initiation Service Providers’ means that new PSPs will be able to initiate payments without involving the current payment schemes, allowing payers to “push” payments directly through a bank transfer from their bank accounts to the payees. This new category of PSP has the potential to drive down costs for merchants by introducing bank account payments for online and mobile commerce.
‘Account Information Service Providers’ meanwhile, will allow third party payment service providers greater access to a customer’s transactional data, should the customer allow it. This will enable customers to use feed in account details and information when using financial tools, such as budgeting services, of a new service provider.
As with another recent GSMA seminar on remote payments, central to the discussion was the issue of data and digital identity. Because PSD2 mandates the use of strong, multi-factor authentication standards, the best means of authenticating payments was also debated. Despite the recent surge of biometric authentication solutions in the market, two speakers cast doubt on the use of biometrics as a primary factor of authentication. It was claimed that the chief issue was that if biometric data is obtained by wrongdoers, this data cannot be reset, unlike passwords and PIN codes.
Operators could play a vital role in helping to verify and helping to authenticate payments. Assets such as network authentication, roaming and location are all particular to mobile networks rather than devices, making operators a valuable partner in the development of new identity and authentication solutions.
PSD2 is occurring alongside Electronic Identification and Trust Services (eIDAS) regulation as part of the European Union’s push towards the Digital Single Market. Operators have already launched pilots for eIDAS compliant cross-border authentication solutions for the use of public sector services. PSD2 and eIDAS regulation give an indication of the importance of operators and the unique way in which they can help determine identity for both the private and public sectors.
An EBA representative explained how the EBA will work on their numerous mandates in the PSD2 with special focus on the EBA’s considerations for the upcoming Regulatory Technical Standards for strong customer authentication.