PSD2: What does this directive mean for your nonprofit?
Thousands of years have passed since human beings made the first exchange of goods using a coin; the first donation followed soon after.
Since then, the payment market has evolved immensely: we invented paper money, then credit cards. We have moved payments online through e-commerce, and new methods of payment have risen, some of them even involving our mobile devices.
The next big step in this journey is PSD2, the European Union's second Payment Services Directive, which will shape the digital payment sector in the coming years and, in some cases, has already done so.
The PSD2 will bring some innovations, like Open Banking, make our transactions more secure with the SCA (Strong Customer Authentication), and will open new opportunities to provide new and better services to your donors. However, this also means there will be some inevitable changes in the way you operate.
In this article you’ll find out what the PSD2 is about, what it means for your organization, and what you can or need to do.
The Payment Services Directive 2 (PSD2)
The PSD2 is a directive from the European Union which is intended to regulate digital payments across the EU, following the PSD1 of 2007.
The key points of this directive are:
– Rules for Open Banking
– Third Party Payment Providers
– SCA (Strong Customer Authentication)
Open Banking is the possibility for third party services to have access to your bank details. For example, you could subscribe to an online service that (under your authorization) could access information from your bank or financial accounts and provide details of your various investments or expenses in one place.
This will also allow the creation of new Third Party Payment Providers: services that let you initiate a payment online with a payment service provider which is not the bank where you hold your account (you may have seen services like these as part of the FinTech environment).
The SCA (Strong Customer Authentication)
In order to make digital transactions more secure, the Strong Customer Authentication rule requires that, for online payments, the payer identifies themselves through at least 2 of these elements:
- something you know: for example, a PIN or a password
- something you own: for example, your phone or a hardware token
- something you are: for example, your fingerprint or your face ID
This means that, when you pay online, after you have entered the CSC (the security code of your credit card, “something you know”), you may be asked to validate the transaction by entering a code generated by the app on your phone (“something you own”) or by scanning your fingerprint in your bank app (“something you are”).
Exceptions to SCA
Depending on the payment method, SCA may require some additional actions from the payer, and those extra steps can cause the payment to fail or be abandoned.
The directive also includes some exceptions in which the SCA is not required.
The main ones are:
- Payments below 30 euros (up to 5 in a row, with a cumulative maximum of 100 euros).
- Subscriptions, like regular donations (if the payment is initiated by the merchant, it can also be of a variable amount).
- Trusted beneficiaries (whitelisting): after you have made an online payment, your bank may ask whether you want to skip SCA for future payments to that same merchant.
- “Low risk transaction exemptions”: if the fraud rate observed by the payment service provider is below a strict threshold, the provider may request that SCA not be applied.
Those are the main exceptions. For a complete overview and more details, read this “Stripe Guide to SCA”.
Please consider that banks may, in any case, decide to be even more strict, and not to apply those exceptions (as an example, you may be required to authenticate yourself even for a transaction of 10 euros).
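To make the exemption rules above concrete, here is an added example (not code from the article or from iRaiser) that models the decision an issuer takes for each card payment: merchant-initiated subscriptions, trusted beneficiaries, the low-risk exemption, and the low-value exemption with its "5 in a row, 100 euros in total" counters, plus the bank's option to ignore exemptions and require SCA anyway. The ordering of the checks, the exact boundaries (strictly below 30 euros, at most 100 euros cumulative) and all names are assumptions of this example.

```python
from dataclasses import dataclass, field
from enum import Enum


class Method(Enum):
    ONE_OFF = "one_off"                        # donor-initiated card payment
    MERCHANT_INITIATED = "merchant_initiated"  # regular donation charged by the merchant


@dataclass
class Payment:
    amount_eur: float
    merchant_id: str
    method: Method = Method.ONE_OFF


@dataclass
class CardState:
    """Counters an issuer keeps per card since the donor's last SCA (constructed model)."""
    exempt_count: int = 0            # consecutive low-value payments since last SCA
    exempt_sum_eur: float = 0.0      # cumulative value of those payments
    trusted_merchants: set = field(default_factory=set)


# Thresholds as the article states them; the < vs <= boundaries are assumptions.
LOW_VALUE_LIMIT_EUR = 30.0
LOW_VALUE_MAX_COUNT = 5
LOW_VALUE_MAX_SUM_EUR = 100.0


def _reset_after_sca(state: CardState) -> None:
    """A completed SCA restarts the low-value counters."""
    state.exempt_count = 0
    state.exempt_sum_eur = 0.0


def sca_decision(payment: Payment, state: CardState,
                 psp_low_fraud: bool = False,
                 issuer_applies_exemptions: bool = True) -> tuple[bool, str]:
    """Return (sca_required, reason) and update the card's counters."""
    if payment.method is Method.MERCHANT_INITIATED:
        # Regular donations initiated by the merchant are exempt, even at a variable amount.
        return False, "subscription"

    if not issuer_applies_exemptions:
        # The bank may be stricter and demand SCA even for a 10-euro payment.
        _reset_after_sca(state)
        return True, "issuer_policy"

    if payment.merchant_id in state.trusted_merchants:
        return False, "trusted_beneficiary"

    if psp_low_fraud:
        # Low-risk exemption: the PSP's observed fraud rate is under the threshold.
        return False, "low_risk"

    if (payment.amount_eur < LOW_VALUE_LIMIT_EUR
            and state.exempt_count + 1 <= LOW_VALUE_MAX_COUNT
            and state.exempt_sum_eur + payment.amount_eur <= LOW_VALUE_MAX_SUM_EUR):
        state.exempt_count += 1
        state.exempt_sum_eur += payment.amount_eur
        return False, "low_value"

    # No exemption applies: the donor authenticates with two factors.
    _reset_after_sca(state)
    return True, "sca"


def whitelist_merchant(state: CardState, merchant_id: str) -> None:
    """After an authenticated payment, the donor asks the bank to trust this merchant."""
    state.trusted_merchants.add(merchant_id)


def run_scenario() -> list[str]:
    """Six 20-euro donations to one organisation, then a whitelisted 250-euro gift."""
    state = CardState()
    reasons = []
    for _ in range(6):
        _, reason = sca_decision(Payment(20.0, "ngo-a"), state)
        reasons.append(reason)
    # The sixth payment required SCA; the donor then whitelists the organisation.
    whitelist_merchant(state, "ngo-a")
    _, reason = sca_decision(Payment(250.0, "ngo-a"), state)
    reasons.append(reason)
    return reasons


if __name__ == "__main__":
    for r in run_scenario():
        print(r)
```

Running the scenario shows the practical effect for a nonprofit: the first five small donations pass without a challenge, the sixth triggers SCA because both the count and the cumulative amount would exceed the limits, and once the donor has whitelisted the organisation even a large gift goes through without a second factor.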
The steps we have to take
As of January 1st 2021, SCA has not yet been fully applied. Most European countries have decided to take a step by step approach, which will be different from country to country. As an example, in France, SCA will be mandatory as follows:
- In January, for payments above 1,000 euros
- In February, for payments above 500 euros
- In April, for payments below 500 euros
For a more complete overview of the different approaches by country, take a look at this article.
This SCA thing seems to be annoying, doesn’t it? Wasn’t it just easier to pay without authentications?
You are right! But think about it this way: when you go to a hotel, it would be nice to show no ID or reservation number. You would just walk through the door, say your name and that’s it. So much time would be saved during the check-in, and there would be much less stress (“where is my ID? It was in my wallet just a second ago…”).
However, that would allow anyone to easily pretend to be you. This would be a great risk for hotels, and would make anyone else feel uncomfortable.
On the other hand, to be 100% safe would mean to have way too many security systems in place: the price of the room would also increase, because the hotel would have to pay for the increased security.
Standard check-in procedures are a good balance between these two needs: to ensure the identity of those who come into the hotel, and the need to get your room easily. This procedure protects the customer because it’s mandatory in all hotels.
So, think about SCA as a way to let your donor feel (and be) more safe when they give to your organisation. Giving is also a matter of trust, and those rules are intended to strengthen your donors’ trust in your organisation.
Someone once said, “it is difficult to make predictions, particularly about the future”. But based on what we know, we can make some guesses.
- After a few months of difficulties (you may expect a few more failed transactions), people will get accustomed to SCA and will understand the value of being safer, since digital transactions will continue to replace cash and other traditional payment methods, like checks.
- Credit and debit cards, after their apogee, will go into decline: they are more expensive than new payment methods, which also happen to be easier to use and compliant with SCA (think of wallet payments on your mobile phone).
- Due to Open Banking and the rise of the FinTech movement, new Payment Service Providers will be created; they will be easy to use, with integrated services, many of them based on mobile devices. If your donation form accepts credit cards only, it’s time to consider adding other advanced payment methods, or you may lose some opportunities. Integration of different payment gateways will be a key point in the growth of online donations.
- Payment methods will be a way to qualify and customize your service to donors. In fact, your organisation will have to send your supporters the right request, at the right moment, for the right action, allowing them to pay with the right method of payment. The way the donor pays will become another detail to customize.
What iRaiser can do for you
We are managing the technological improvements and our tools embed all requirements needed in order to be PSD2 compliant: so your donors can be safe, and you can rest assured. 😉
Being a SaaS company, we can deploy our solution easily, with no complex technical work on your side.
We operate all across Europe, and we have a dedicated team for integrating payment gateways: we monitor news and changes in the payment market, to continually provide up-to-date solutions. Moreover, we work with FinTechs to provide you with all the innovation allowed by the PSD2.
Have more questions about PSD2?
Alberto Ghione – Set up and Support Manager Italy
Tony Bourdier – Chief Technology Officer