7/2/20
Online payments. The security of PSD2
Among the objectives of the European Union in building an efficient single market is the construction of a common market for payment services.
In Spain, common bases for the regulation of payment services have been in place since 2009, transposing the content of the European directives (Directive 2007/64/EC).
Since then, technological progress has made it necessary to adapt the regulations on payment methods: new agents are entering a market that goes beyond the national one, and users need more reliable ways to make online payments.
Creating a safer and more reliable environment is the basis for the approval of a new Directive in 2015 (Directive (EU) 2015/2366), which was transposed in Spain in 2018 through Royal Decree-Law 19/2018, of November 23, whose main objectives are:
- to facilitate and improve security in the use of internet payment systems;
- to reinforce the level of user protection against fraud and potential abuse, compared with that provided for in Law 16/2009, of November 13;
- to promote innovation in mobile and internet payment services.
The Royal Decree-Law establishes a staggered entry into force depending on the matter, with the final deadline set for September 14, 2019. However, given the complexity of its application, the European Banking Authority (EBA) extended that deadline by approving a 15-month moratorium. Companies (banks and the technology companies that develop online payment tools) will thus have until December 31, 2020 to implement the technologies needed to comply with the directive.
The biggest milestone established to achieve the objectives of this regulation is Strong Customer Authentication.
What does Strong Customer Authentication consist of?
The standard states its definition clearly: it is based on the use of two or more elements categorized as:
- knowledge (something that only the user knows);
- possession (something that only the user owns);
- inherence (something that the user is), i.e. biometric identification.
These elements are independent, meaning that the compromise of one does not compromise the reliability of the others, and they are designed in such a way as to protect the confidentiality of the identification data.
When will strong authentication be applied?
Only for online payments, in these cases:
- a) online payment;
- b) initiate an electronic payment transaction;
- c) carry out through a remote channel any action that may entail a risk of payment fraud or other abuses.
Given all this, one of the sectors most affected will be tourism (35% of e-commerce in Spain), since it has been using cards as a payment guarantee for transactions contracted for a future date.
What is the benefit for hoteliers?
This new legislation will mean an investment for tourism companies as well as an impact on the customer experience. The positive side, however, is that it will reduce an undesirable consequence hoteliers currently suffer: bank refusals of online charges for services actually provided, which are impossible to prove when the card used belonged to someone other than the staying customer, and for which, once the charge was rejected, VISA accepted only the signed slip of the obsolete dataphone as proof of consent.
Now, strong authentication will require the customer to give consent to the charge through a PIN, a fingerprint or any similar means implemented by their bank. This will gradually reduce the practice of refusing online payments, as well as the acceptance of reservations made fraudulently by users who do not actually have authorization to use the card they present for payment, a practice that facilitated the subsequent rejection of the charge by the real holder.
In this type of situation, the proof of authentication must now be kept by the payment service provider, which must demonstrate that the payment transaction was authenticated, accurately recorded and accounted for, and that it was not affected by a technical failure or other deficiency in the service it provided. Hoteliers may therefore contact these entities when opposing a refusal received from the customer, requesting proof of that authentication in addition to providing the documentation that verifies the provision of the service. Such a complaint must be answered within 15 days.
On the other hand, the fraudulent use of card details, for example by dishonest employees, is completely eliminated, since any charge requires double authentication by the customer.
The payment service provider is required to keep documentation and records that allow it to prove compliance with its obligations for at least six years.
In the case of returned transactions, what's new?
For the customer:
- you may only be obliged to bear, up to a maximum of 50 euros (depending on your bank), losses derived from unauthorized payment transactions resulting from the use by a third party of your lost, stolen or misappropriated card, unless you have acted fraudulently yourself, in which case you will bear all the losses of the fraudulent transaction.
For hotels:
- Hotels may receive a rejection of the charge by the payer within 2 months after the authorized payment transaction, although the payment service provider will hold the proof of strong authentication so that the hotelier can object to the refusal.
- If the transaction is fraudulent, the rejection may arrive up to 13 months after the transaction, in which case the payment service provider will respond by rectifying the unauthorized payment transaction.
Exclusions from the application of double authentication:
- It does not apply to operations by users other than consumers or small businesses. Therefore, PSD2 does not affect the management of payments to suppliers.
- Where this has been negotiated, double authentication may be waived for individual payment transactions not exceeding 30 euros.
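To make the rules above concrete, here is an added example that is not part of the article and is not the code of any bank or payment service provider: a small Python policy check that applies the factor-category rule from the "What does Strong Customer Authentication consist of?" section together with the two exclusions just listed, and computes the retention date for the proof of authentication. All names (`Category`, `AuthenticationElement`, `Transaction`, `satisfies_sca`, `sca_required`, `retention_deadline`, `decide`) and the sample values are assumptions of this example; only the 30 euro limit and the six-year retention period come from the article, and the real regulatory technical standards contain further conditions that this simplified check does not model.

```python
"""Illustrative PSD2 strong-customer-authentication policy check.

Added example, not taken from the article or from any real payment provider.
The class and function names below are hypothetical.
"""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Iterable, Optional


class Category(Enum):
    KNOWLEDGE = "knowledge"    # something only the user knows (PIN, password)
    POSSESSION = "possession"  # something only the user owns (phone, card)
    INHERENCE = "inherence"    # something the user is (fingerprint, face)


@dataclass(frozen=True)
class AuthenticationElement:
    category: Category
    name: str
    compromised: bool = False  # set when this element is known to be breached


@dataclass
class Transaction:
    amount_eur: float
    payer_is_consumer_or_small_business: bool
    low_value_exemption_negotiated: bool = False  # agreed with the provider


LOW_VALUE_LIMIT_EUR = 30.0  # from the article: waiver possible up to 30 euros
RETENTION_YEARS = 6         # from the article: proof kept for at least six years


def satisfies_sca(elements: Iterable[AuthenticationElement]) -> bool:
    """Two or more usable elements drawn from at least two distinct categories.

    Independence rule: an element known to be compromised is not counted, and
    the remaining elements must still span two categories on their own.
    """
    usable = [e for e in elements if not e.compromised]
    if len(usable) < 2:
        return False
    return len({e.category for e in usable}) >= 2


def sca_required(tx: Transaction) -> bool:
    """Apply the two exclusions described in the article."""
    if not tx.payer_is_consumer_or_small_business:
        return False  # e.g. payments to suppliers between businesses
    if tx.low_value_exemption_negotiated and tx.amount_eur <= LOW_VALUE_LIMIT_EUR:
        return False  # negotiated low-value waiver
    return True


def retention_deadline(authenticated_on: date) -> date:
    """Earliest date the provider may discard the proof of authentication."""
    target_year = authenticated_on.year + RETENTION_YEARS
    try:
        return authenticated_on.replace(year=target_year)
    except ValueError:  # February 29 with no leap day in the target year
        return authenticated_on.replace(year=target_year, day=28)


def decide(tx: Transaction, elements: Iterable[AuthenticationElement],
           authenticated_on: date) -> dict:
    """Return the decision plus the fields a provider would keep as evidence."""
    elements = list(elements)
    needs_sca = sca_required(tx)
    authorized = (not needs_sca) or satisfies_sca(elements)
    return {
        "sca_required": needs_sca,
        "authorized": authorized,
        "categories_used": sorted(e.category.value for e in elements
                                  if not e.compromised),
        "keep_proof_until": retention_deadline(authenticated_on),
    }


if __name__ == "__main__":
    # Constructed sample: a 120 euro booking paid with PIN plus phone app.
    pin = AuthenticationElement(Category.KNOWLEDGE, "bank PIN")
    phone = AuthenticationElement(Category.POSSESSION, "registered phone")
    print(decide(Transaction(120.0, True), [pin, phone], date(2020, 7, 2)))
```

The check a hotelier would care about is the evidence record: when a charge is later disputed, `keep_proof_until` is the date until which the provider must still be able to produce the authentication proof that the article says can be requested.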
In conclusion, thanks to the application of these regulations, tourism companies will have greater security in online payments, since the regulations should increase consumer confidence in purchases made and paid for remotely.

Paloma Aguilar (T&L Attorney)
Article published in the February edition of the monthly newspaper of CEHAT.
