Account Information Service Providers are service providers authorized to view a customer's payment account information, provided the customer (PSU) has given consent. Most AISPs provide an aggregated view of the accounts a customer holds with numerous banks, together with their transaction details. AISPs can also offer analysis of the PSU's spending patterns, expenses and financial needs.
An ASPSP is any financial institution that offers a payment account with online access. These are mostly banks and other financial institutions. PSD2 obligates ASPSPs to grant TPPs access, through APIs, to the account and transaction data of their customers' payment accounts.
For all credit transfers, card transactions and e-money transactions reported, including those initiated by a PISP, the PSP should report whether strong customer authentication has been used or not. Strong customer authentication means authentication based on the use of two or more elements that are independent, in that the breach of one element does not compromise the reliability of any other element, and designed in such a way as to protect the confidentiality of the authentication data, with the elements falling into two or more of the following categories:
Where strong customer authentication is not used, the PSP should report under which of the following exemptions the transactions have taken place. These exemptions and their application are determined in the regulatory technical standards for strong customer authentication and common and secure open standards of communication (SCA-RTS).
An API Developer creates and configures APIs, Products, and policies for provider organizations of which they are a member. An API Developer can be a member of one or more provider organizations.
A piece of client code that accesses APIs to interact with a service, system, or content. Applications are typically web applications or mobile apps.
Consent is a central part of the PSD2 regulation and of working with third party providers. The only way TPPs can act on behalf of the PSU is if the customer has given explicit consent granting such permissions. In other words, no consent means no authorization.
A competent authority is any person or organization that has the legally delegated or invested authority, capacity, or power to perform a designated function. For PSD2 the competent authority in each EU member state will have primary responsibility for monitoring compliance and enforcement of PSD2.
Authentication code which is linked to 'dynamic' elements of the transaction (the amount and the payee's account specified by the payer, plus date and time). Its purpose is to limit the risk of fraud when processing an electronic remote payment transaction.
Regulation (EU) N°910/2014 on electronic identification and trust services for electronic transactions in the internal market. It provides a legal structure for electronic identification, signatures, seals and documents throughout the European Union. It is referenced in the RTS when applicable.
Euro Banking Association is an industry forum for the European payments industry. Their role in PSD2 is to promote the interests of their members and help them to adapt to PSD2 in addition to sponsoring the Open Forum on Open Banking. Also known as ABE.
European Banking Authority is an independent EU body which works to ensure effective and consistent prudential regulation and supervision across the European banking sector. For PSD2 they have responsibility for developing the Regulatory Technical Standards and guidelines.
The EPC is a membership organisation created in 2002 by the major European banks. Its main task is the development of the Single Euro Payments Area (SEPA), a key initiative of PSD1. It represents its members' interests in the development of PSD2, for example by preparing responses to the developing Regulatory Technical Standards.
PSD2 Exemptions are most widely talked about in the context of exemptions from using Strong Customer Authentication, for example for parking or ticketing payments or for payments where the threshold is met based on Reference Fraud Rates for the payment value.
Along with Knowledge and Possession, Inherence is one of the factors required for Strong Customer Authentication under PSD2. Inherence refers to authenticating via something you are; a biometric check is an example of inherence.
A natural or legal person who is the intended recipient of funds that have been the subject of a payment transaction.
A natural or legal person who holds a payment account and allows a payment order from that payment account, or, where there is no payment account, a natural or legal person who gives a payment order.
An act, initiated by the payer or on his behalf or by the payee, of placing, transferring or withdrawing funds, irrespective of any underlying obligations between the payer and the payee. It becomes a remote transaction when initiated via the Internet or another distance communication device.
Payment Services Directive 2 (PSD2) is a piece of European legislation that requires financial services to contribute to a more integrated and efficient payments ecosystem.
A European initiative to process payments within 10 seconds between European accounts in euro and supported by the Euro Banking Association. In the context of PSD2, this will further facilitate the use of bank accounts for retail payments through Payment Initiation Services (PIS).
Interchange is the fee paid by the retailer’s merchant acquirer to the card issuer each time a card payment transaction occurs. Historically, the relative expense of fees for lower value transactions has led to merchants making surcharges to offset the cost to them of payments by debit or credit cards. PSD2 will severely limit surcharging on such transactions.
Know Your Customer refers to the authentication needed to secure payments. This is managed either through Strong Customer Authentication or Transaction Risk Analysis. Further requirements are documented in the Fourth Money Laundering Directive.
A Merchant is an entity supplying either goods or services generally in return for payment, typically via payment cards. PSD2 is concerned with securing the payments from customers to merchants through the customer's Payment Service Provider.
Refers to the opening up of banking systems to third parties to allow them to provide services directly to their joint customers. Open Banking is one of the main drivers of PSD2; the objective is to improve consumer choice and increase competition in the banking sector. Open banking will be achieved through the development of APIs. Also known as Access to Accounts (XS2A).
The privacy law for the European Union, which entered into force on 25 May 2018.
An electronic service facilitating payment by a third party from a customer’s payment account via APIs or Open Banking.
Payment Institution was created by the enactment of the first Payment Services Directive. They can offer customers a range of payment-related services that are defined in the directive. Payment Institutions are regulated but not to the same degree as PSPs as there are limits on the services they can offer.
A regulated entity which allows customers to initiate payments without the customer needing to directly access their bank account or use a debit or credit card. PSD2 allows authorized PISPs access to bank accounts through an API. Payment Initiation Services can be provided by existing retail banks, payment service providers or by third parties.
With the PSD2, third-party providers that were previously unregulated are now classified as payment service providers and therefore fall within the Directive’s scope of applicability. Third-party payment service providers can offer payment initiation services, account information services, and payment cards where payments are debited from accounts held with other payment service providers. Third-party payment service providers are now subject to supervision and monitoring by the NCA (national supervisory authority). Credit institutions have the right to also begin operating as payment initiation or account information services.
The PSD2 gives payers the right to use third-party payment service providers and obligates the account servicing payment service provider to provide the third-party payment service provider with a (dedicated) interface that can be used to initiate transfers (e.g. to online retailers), download account information, or query available card funds.
Payment institutions domiciled abroad are registered by the supervisory authorities in the respective country. These registers are also available online.
Qualified Web Authentication Certificate. This certificate is used when a third party first opens an interaction with a financial institution and is used to establish a TLS session with the ASPSP. The QWAC replaces the usual web certificate that would be used to establish a TLS session.
The purpose of this certificate, then, is to identify the third party and to ensure that messages exchanged between the two parties cannot be read or stolen in transit. A certificate used to establish a TLS session sits in the transport layer and is validated by the web browser.
This Qualified Electronic Seal Certificate is sent together with the messages a third party sends to an ASPSP during one of the consent processes. The purpose of this certificate is to validate the identity of the sender of the message (i.e. the TPP) and to ensure that the contents of the message have not been tampered with while in transit.
The Regulatory Technical Standards (RTS) are the regulatory requirements set by the EBA to ensure that payments across the EU are secure, fair and efficient.
Payments that are made when the payer and the payee are not in the same location; an online payment or a payment over the telephone are examples of remote payments. PSD2 is concerned with limiting fraud in remote payments.
Strong Customer Authentication as defined by EBA Regulatory Technical Standards is an authentication based on the use of two or more elements categorized as knowledge (something only the user knows [for example, a password]), possession (something only the user possesses [for example, a particular cell phone and number]) and inherence (something the user is [or has, for example, a finger print or iris pattern]) that are independent, [so] the breach of one does not compromise the others, and is designed in such a way as to protect the confidentiality of the authentication data.
In the context of PSD2 this was the pre-cursor to API access to accounts (XS2A) and relies on third parties holding some security credentials for their customers. Whether screen scraping is allowed by PSD2 in some specific cases is still under discussion.
Provide services which are based on access to payment accounts provided by a PSP who is not the 'account servicing' PSP (ASPSP), in the form of payment initiation services and/or account information services. AISPs, PISPs and PIISPs are examples of TPPs under PSD2.
In PSD2, exemptions are made that allow PSPs with low fraud rates to avoid using burdensome Strong Customer Authentication for payments, using Transaction Risk Analysis instead.
Transaction Account Number, the unique code that the payer uses to confirm the payment order.
This is a term, coined before Open Banking, which refers to access to payment accounts by third parties acting on behalf of the Payment Service User. The basic requirements are set by the European Banking Authority, which defines how data from bank accounts is accessed under PSD2. It makes it mandatory for banks to set up access to bank account data via API, although there are multiple standards for APIs, including those from the Berlin Group, due for consultation in Q4 2017. This will enable consumers to log on to their bank accounts on a third-party provider's platform without exposing their bank login data to them.