This article is for informational purposes only and you should not view it as a substitute for obtaining legal advice particular to your own needs and circumstances.
Whether Lightspeed is your in-store or in-restaurant point of sale, your eCommerce platform, or both, Lightspeed takes very seriously its role in your business. At Lightspeed, we aim to ensure you have the tools and information you need to be successful. Lightspeed has received a number of questions from customers in Europe about Directive (EU) no. 2015/2366, the directive more commonly known as “PSD2” or the “Second Payment Services Directive”. This article seeks to answer those questions and more.
What is PSD2?
PSD2 is a European directive that revises the rules for electronic payments services in the EU, including emerging payment services such as internet and mobile payments. The directive sets out rules concerning the security and transparency of electronic payments.
When is PSD2 effective?
While the directive itself has applied since January 12, 2016 and set January 13, 2018 as the date by which each EU country was to have incorporated it into national laws, many of the rules of PSD2 are to be implemented through regulations which are not yet in force. The deadline you have most likely heard about is September 14, 2019, being the date the new payments security requirements under PSD2 become effective for all merchants. Even though the security requirements apply to merchants as of September 14, 2019, regulators in some countries are giving merchants a grace period during which the regulators will not take enforcement action against a merchant who can demonstrate it is “taking steps” towards compliance. The existence and length of grace periods vary from country to country.
How does PSD2 impact me as a merchant?
There are a few ways merchants may be impacted by PSD2. Fortunately, for most Lightspeed customers who rely on licensed-third party payments providers, compliance obligations under PSD2 can be largely outsourced to third-party payments providers.
Is your payments provider licensed?
Does your payments provider comply with the new security requirements?
The new security regulations under PSD2 aimed at preventing fraud in digital payments will become effective on September 14, 2019. Please see “How do the new PSD2 security requirements affect Lightspeed customers?” below.
There are significant penalties for merchants who don’t meet the new security requirements, so it’s a good idea to contact your payment provider to confirm whether its services comply with the security requirements.
Do you accept credit or debit cards in your online store?
For card payments, consumer credit and debit card issuers are moving towards a new version of the 3D Secure authentication standard, 3DS 2.0 to comply with the new security regulations. As of September 14, 2019, 3D Secure authentication will be a requirement to accept payments from major consumer credit cards in your online store. For this reason, it’s a good idea to confirm that your payments provider has implemented 3DS 2.0.
How do you charge your customers?
One rule of PSD2 that is already effective is a prohibition on merchants themselves surcharging consumers for the consumer’s use of a consumer credit or debit card. If your practice is to pass through charges from card companies or payments providers to your consumers, you should seek out advice as to whether what you’re doing is still permissible.
Is Lightspeed my payments provider?
Lightspeed offers Lightspeed Payments, its native payments solution, to retail customers in the U.S. only. Lightspeed is not a payments provider today for European merchants. If you are a Lightspeed customer in Europe, Lightspeed probably referred you to one of its trusted payments partners to provide you with payments services that integrate with your Lightspeed platform.
How do the new PSD2 security requirements affect Lightspeed customers?
On September 14, 2019, new security regulations under PSD2 will become effective and require merchants to have “strong customer authentication” in place for digital payments.
There are three primary ways to authenticate a consumer for purposes of making a digital payment. Authentication can occur based on:
- a factor known to the consumer alone such as a PIN number or password;
- a factor in the consumer’s possession such as a phone or card; or
- a biometric factor such as an eye scan or fingerprint.
The requirement for “strong customer authentication” requires a merchant to verify the consumer using at least two of these three factors. This is where the term two-factor authentication – or 2FA – comes from.
Practically speaking, this new requirement means online card payments using only the information on the card itself are no longer permitted. Two-factor authentication requires consumers to also authenticate the transaction by entering a password or PIN, or confirming their identity via a code sent to their phone, among other possibilities. Some merchants have expressed concerns that these additional hurdles will reduce their online sales. Many industry professionals assert, however, that having Strong Customer Authentication increases confidence in online commerce and may ultimately result in increased online commerce.
Additionally, for card payments, the new version of the 3D Secure standard, 3DS 2.0, is required to implement Strong Customer Authentication (the original 3D Secure falls short of the requirements of 2FA). As of September 14, 2019, 3DS 2.0 authentication will be a requirement to accept payments from major consumer credit cards in your online store, so it’s a good idea to confirm whether your payments provider has implemented 3DS 2.0.
What does Lightspeed suggest I do to make sure my business complies with PSD2?
Every business is different. We’ve offered some suggestions above to ready your business for PSD2, though these suggestions are not a substitute for legal advice that is specific to the circumstances of your business. We encourage you, however, to consider doing some or all of the following:
- Confirm that your payments provider is licensed wherever you transact business
- Confirm what measures your payments provider has taken to ensure Strong Customer Authentication and Secure Communication
- Confirm your payments provider employs 3DS 2.0 for your online card payments
- If you currently surcharge consumers for using consumer credit or debit cards, seek advice as to whether you can continue to do so
Let Lightspeed know if you have difficulty getting comfortable with the steps your payments provider has taken to comply with PSD2. We’re happy to discuss your options with you.