PSD2 & Magento 2: Payment Services Directive & 3D Secure 2.0 Explained 

The world of retail banking will never be the same. In 2018, an essential change to the EU legislation called PSD2 took effect so that banks are no longer monopolists on their customers’ account data. What is the Payment Service Directive? How will PSD2 impact e-commerce in general and Magento 2 in particular? How to prepare for the new changes? You will find answers to these and other questions below.

UPD (19.08.19): LESS THAN ONE MONTH IS LEFT!

You might have already received an official email about PSD2. If not, you will find its content below. Less than one month is left, so it is time to start preparing. 

According to the official message, “This new directive has a significant compliance impact on most payment processing services” which is no longer a secret but it’s necessary to draw the attention of merchants to this problem once again. The new standard influences credit cards or bank transfers for goods & services sold to customers in the EU, so compliance with PSD2 is the responsibility of every merchant. Of course, if the directive applies to you. Therefore, Magento recommends all Merchants to review and understand it. Otherwise, customer payments may be declined as a result of the start of PSD2. As a Magento 2 merchant, you won’t only lose sales but also customers. 

Magento is introducing the following changes and recommendations only for payment integrations that are native to Magento: 

Magento Commerce 2.X

• PayPal – continue using the current Magento built-in integration.
• Braintree – use the official extension that will offer 3D Secure 2.0 prior to the deadline or use the Magento integration in upcoming version 2.3.3+ or 2.2.10+.
• Authorize.net – use the official extension (recommended) or the Magento integration in upcoming version 2.3.3+ or 2.2.10+ with a 3D Secure provider like CardinalCommerce. 
• CyberSource – use the official extension. 
• eWay – use the official extension.

Magento Commerce 1.X

• PayPal – replace PayPal with Braintree or upgrade to Magento 2.3.x.
• Braintree – use the official extension.
• Authorize.net – check the Devblog page for updates on official Authorize.net extensions for M1 as they become available.
• CyberSource – use the official extension.
• eWay – use the official extension.

For all other payment integrations, check whether your payment provider supports PSD2’s SCA requirements. Look for alternative solutions at the Magento Marketplace or our blog. 

PSD2 Explained

On 14 September 2019, the Strong Customer Authentication portion of PSD2 goes into effect allowing bank customers to give third-party providers access to their bank account data, which can be used to initiate payments by third-parties directly from customers’ bank accounts. 

Since banks have lost their monopoly on customer’s information, the standard order of things may be changed within the next few years. According to PSD2, any third-party company can process the corresponding information providing bank customers with various services. Even businesses can rely on third-party providers to manage their finances. 

The main goal of the Directive is to unify payment systems within the European Economic Area and increase banking choices for consumers. Let’s take a look at other important aspects related to PSD2.

Sooner rather than later

In the long-term perspective, the Payment Service Directive may reduce the role of banks to being a safe place for storing money while other organizations will provide other financial services, such as paying bills, making transfers, or analyzing spendings. 

Imagine that your Google or even Facebook account offers the ability to do all of the operations mentioned above within just a few clicks. You can automate these processes, creating a schedule of events. Such opportunity looks very promising from the perspective of reducing the time and effort required for various routine procedures. 

As for banks, they have to provide third-party service providers with the corresponding data. And, as you might have already guessed, open API is a standard required for the information exchange. It will enable third-parties to build financial services on top of any banks’ infrastructure.

Competition

Let’s be honest: the monopoly of banks leads to relatively weak financial services. Of course, some of them provide very user-friendly customer accounts with intuitive management features, but there is still room for improvement. But PSD2 will dramatically impact the market revamping the competitions. Banks will no longer be the only institutions that offer financial management. The appearance of third-party organizations in this sphere will drastically change it. Third-party organizations will have to provide better services than banks currently offer. At the same time, the appearance of highly-competitive platforms unrelated to banks will positively affect common financial institutions. The stronger the competition is – the better products and services we get. Thus, PSD2 will fundamentally change the payments value chain. 

Changes

The main goals under the directive include innovated and reinforced consumer protection as well as enhanced security of internet payments and account access. Unfortunately, this initiative is aimed at the EU and EEA only. However, it is a huge market that can set an excellent example for other economies. 

As for the financial landscape, PSD2 introduces two new types of players:

• PISP;
• AISP. 

Let’s find out what are these types of organizations. 

AISP

AISP stands for Account Information Service Provider. Such organizations are the service providers who have access to the account information of bank customers. They analyze users’ spending behavior or aggregate account information from several banks under the same dashboard. It seems that we will soon face a new generation of accounting services. 

PISP

PISP stands for Payment Initiation Service Provider. Such organizations provide services in the field of transactions initiating a payment on behalf of users. Thus, the two most common workflows for PISP platforms include P2P transfers and bill payments.

Since it doesn’t look logical that one company is responsible for financial analysis and another one helps you streamline payments, we hope that there will be providers who combine the features of AISP and PISP. Having everything in the same interface is always better than switching between two apps. 

Now, when you understand the core principles of the Payment Services Directive 2, let’s take a look at how it will impact the following areas: banks, e-commerce in general, and Magento in particular. 

The SCA impact 

According to 451 Research, Europe’s online economy risks losing €57 billion when Strong Customer Authentication goes into effect. However, 87% of businesses still believe that SCA will increase the strategic importance of payments. So, what is the SCA impact on European businesses? 

As always, all companies can be divided into two groups:

• Businesses that have been proactively preparing for SCA;
• Businesses that don’t do enough to get ready for SCA.

While companies from the first camp can expect a reduction in fraud losses and provide better checkout experience for existing customers, those that are not fully prepared are under the risk of destroying the existing customer relations and decreasing revenue.

According to Stripe, only 44% of European businesses will face the new legislation head-on. 24% of companies will implement 3DS2 shortly after the deadline. This situation may cause €57bn loss in economic activity. 

So, what is the SCA impact?

• Many European businesses will face SCA unprepared;
• Small businesses will be impacted disproportionately;
• The risk of cart abandonment tends to increase;
• SCA will emphasize the importance of online payments for businesses.

What are the key fears caused by SCA? 

• Integration complexity;
• Implementation cost;
• Cart abandonment. 

How to avoid these issues and get ready for SCA? Read the following guide to find more detailed recommendations. Also, check this webinar by Stripe: New payment regulations: planning for SCA.

Also, watch this video for a better understanding of what PSD2 is:

PSD2 & Banks

Perhaps, PSD2 will affect banks the most. For them, it poses substantial economic challenges caused by the following factors:

Growing tension

As we’ve already mentioned above, the appearance of new AISP and PISP services can either turn banks into a safe space for storing money or force them to provide better services. Despite the role of banks, the growing competition of service provides will positively affect the life of users in any case.

According to Evry, banks will lose 9 percent of retail payments revenues to PISP services by 2020. It is also necessary to draw your attention to the fact that banks may find it increasingly challenging to offer loans after non-banks take over customer interaction. 

Even if the impact is not as huge as specialists predict, banks still have to challenge the following issue:

IT costs

In any case, banks will have to spend more money on growing IT costs. First of all, PSD2 includes new security requirements which should be implemented according to the schedule. Secondly, banks have to open their APIs which is also a complicated process that requires time and money. 

Customer expectations

It is quite hard to surprise a modern internet user with any digital services. Perhaps, the introduction of augmented reality or 3D will be game-changing, but it doesn’t seem that we will get something revolutionary new within the next few years. Furthermore, many companies still provide outdated digital experience and limited opportunities. But the rising customer expectations and increased digitalization force banks to experiment with their APIs, collaborating with financial technology companies and focusing on customer-centricity. Although the future landscape will be unrecognizable, only the most agile players will remain at the market. How to join the significant league today? 

Recommendations

The evolution of customer journeys is the only factor that will help banks remain their competitive advantages over providers of financial services. Furthermore, it is valid for both retail and corporate environments. 

Unfortunately, no bank can deliver all use cases to all customer segments. Therefore, every organization should focus on a particular section to get the most out of it. Staying focused on use cases where they can beat the competition, banks should follow the following recommendations on how to build a successful PSD2 strategy:

Fast-follower approach

After defining the bank’s ambition, it is necessary to execute a fast-follower approach creating a mechanism to identify, test, and scale-up use cases. You should be faster than your competitors. Otherwise, gaining new customers will become a way more challenging task.

Use case evaluation

Next, it is necessary to evaluate comprehensive use-cases, weighing the strategic impact of potential business opportunities caused by PSD2. Different use cases have different potential at different stages. If something seems more profitable at the beginning, it may be less efficient within a long-term period due to the appearance of newer options or better alternatives. You always have to evaluate numerous aspects: gains and losses in revenue, technology upgrade costs, bank culture changes, and even talent pool.

Data Potential

Also, you have to evaluate the potential of internal data, which is your core asset. The right use of information flow can drastically improve your market position. So applying analytics to domestic data reserves is another recommendation that will help you face PSD2. By evaluating the data potential, you can:

• Enhance fraud detection;
• Improve customer relationship management;
• Provide better credit scoring.

Note that specialists recommend acting aggressively to optimize the use of proprietary data. The two main directions include cross-selling and loan pricing. Also, note that both retail and corporate banking should treat their internal data as a core asset.

Finance-based ecosystem

If you already have a finance-based ecosystem  – leverage it. If not, you will have to build one. In both cases, significant management attention and capital investments are required, but it is the only way to stay competitive. And it is the only way to face the opportunity to:

• Retain customer touchpoints;
• Generate additional customer data;
• Increase pricing power;
• Discover new sources of revenue, etc. 

IT design

According to PSD2, banks should provide open APIs to third-party companies. Therefore, it is necessary to define the strategy for assessing the IT implications of the new legislation for transaction platforms and groupwide systems. You not only have to provide the required access level but also make it efficient for your company. Leverage IT architecture to reduce costs and improve response times. Your IT design should include the following features:

• Flexibility;
• Security;
• Fast-evolving fraud controls;
• Regulatory standards.

Partnership

You must admit that it is almost impossible to become a number one banking organizations alone. Therefore, the next important step is to identify potential technology partners. Thus, you will leverage the strengths of fintech innovators and established technology providers. It is even possible to partner with other banks to deliver flexible technology solutions.

PSD2 & E-Commerce

In addition to banks and payment providers, the Directive impacts e-commerce as well. E-commerce businesses can also take full advantage of PSD2. By ensuring compliance, they will minimize the impact on clients and cardholders.

Authentication

Here, we should pay separate attention to the Strong Customer Authentication portion of PSD2, which is designed to improve the security of transactions for both merchants and consumers. Being a mandatory component of PSD2, SCA will soon have a direct impact on businesses selling online. Card issuers will quickly be forced to pass two-factor authentication during every transaction. Payments should be authenticated via something the customer:

1. Knows: password, security question, or PIN;
2. Has: hardware token, phone, or other devices;
3. Is: fingerprint, iris scan, facial recognition, etc.

Note that at least two of these three elements should be utilized. As for the primary way ecommerce businesses will meet these authentication requirements, it is 3D Secure 2.0 (3DS 2.0), which is described further in this post.

Conditions

SCA is required when specific conditions are met. Both the acquirer and issuer should be located within the EEA. However, a vast majority of transactions won’t be challenged due to the fact that banks and card issuers already recognize legitimate transactions automatically. As for 3DS 2.0, it will only provide banks with additional data points required for improving decision-making.

Below, you can find several exemptions:

• Trusted beneficiaries;
• Low-value transactions;
• Recurring transactions.

As a consumer, you can add businesses you trust to a list of trusted beneficiaries, but only if your bank provides the corresponding option. It is still unclear how this option will be implemented.

If a transaction is less than €30, it can be an exemption. Note that no more than five transactions in a row on a single payment instrument can occur.

In the case of recurring transactions, SCA is applied to the first transaction only if other transaction and recipient are the same.

For the full list, visit the European Banking Authority.

Seamless Buying

The appearance of an additional authentication step may increase the current crat abandonment rate in the short-term perspective. As for the long-term run, it will positively affect e-commerce since the industry will become more secure and reliable, attracting more potential buyers. As for the inconvenience caused by the new authentication procedure, customers will take them for granted.  

Luckily, you can already make your e-commerce website more secure and at the same time, provide the least disruptive buying process following the recommendations below:

• eWallet payment methods: Apple Pay, Google Pay, PayPal, and others already include two-factor authentication. Since customers got used to them, you can utilize eWallets to be PSD2-compliant and provide a seamless buying experience.
• Find partners with extensive banking relationships to ensure maximum authorizations and conversions. This step will also help you make your e-commerce business PSD2-compliant and user-friendly.
• Use monitoring. As in the case of banks, it will help you optimize the most efficient payment processers. The modern tools let you monitor authorization rates and look for inconsistencies or outliers. Furthermore, some platforms can utilize monitoring to route traffic to higher performing methods automatically. Find a reliable partner to implement the required changes.
• Leverage mobile. Since 3DS 2.0 was designed for mobile devices, you can enhance your mobile buying experience. Authentication on smartphones and tablets can be intuitive and user-friendly, giving your consumers a way to make a purchase seamlessly.

PSD2 & Magento 2

Now, when you are familiar with the PSD2 impact on e-commerce, we’d like to draw your attention to its more specific area – Magento. The platform already lets you cut down on fraud and increase payments security with 3D Secure mentioned above.  

What is 3D Secure? 

Let’s say a few more words about the 3D Secure protocol, which is designed to reduce fraud as well as increase security for online credit and debit cards transactions in Magento 2 and other systems. 3D Secure is based on the three-domain model. The following structure provides an additional security layer for a customer purchase: 

• Acquirer Domain; 
• Issuer Domain;
• Interoperability Domain.

Under Acquirer Domain, 3DS assumes a merchant or acquirer in which credit/debit cards details are entered (your Magento 2 website). As for Issuer Domain, it’s a bank that issued a credit/debit card. Interoperability Domain is an infrastructure that supports the 3D Secure protocol and payment transaction (a payment gateway).

To make a purchase possible, 3D Secure uses XML messages. It sends them over an SSL connection to share the required cardholder authentication info. 

Note that different financial services already provide their own implementation of 3D Secure. For instance, you might have already used Visa’s “Verified by Visa” or Mastercard’s “Mastercard SecureCode.” By providing customers with these payment options, you make your Magento 2 website more PSD2-compliant. 

As we’ve already mentioned, the implementation of 3D Secure protocol adds an authentication step to the customer purchase flow. In most cases, buyers face a popup with a link redirecting to a bank’s page. Alternatively, it can be an iframe provided by the issuer bank. All of these elements contain a field where a customer can enter an SMS code, password, or one-time token to pass the second step of the authentication procedure. Thus, cardholder’s identity is verified. 

Unfortunately, 3D Secure verification is not an obligatory step. It can be skipped even if the 3D Secure verification is enabled for the cardholder’s account. 

3D Secure 1.0

3D Secure 1.0 is a relatively old protocol. It was introduced more than a decade ago by Visa. In 2019, payment providers started updating to 3D Secure 2.0. As for the first version, it incorporates the following algorithm:

1. A customer enters credit card details -> a merchant’s website requests 3DS verification context from the payment gateway;
2. The gateway sends a request to the issuer bank -> the bank returns a verification context, which can be an iframe, popup, or link to the bank’s 3DS verification page;
3. The gateway proxies a response from the issuer bank to the merchant’s website. The site shows the popup/iframe or redirects the customer to the bank page.
4. The customer verifies their identity. One of the following methods might be applied: SMS, email, password, or one-time token. Next, the issuer bank sends an acknowledgment to the payment gateway. The gateway proxies it to the merchant’s website.
5. The merchant’s website responds according to the issuer bank’s acknowledgment: creates order and makes a payment transaction or rejects it. 

However, more secure online payment transactions are not the only change 3D Secure provides. It also has several drawbacks. For instance, an additional checkout step. 3DS verification is usually represented as a popup or iframe. It can be difficult for customers not only to specify additional information, which results in increased cart abandonment but also to differentiate between the issuer’s bank popup/iframe and a fraudulent website, which results in other security issues. Mobile devices do not always correctly display 3DS popups so that a transaction may not be possible since a customer is unable to provide the required details 

3D Secure 2.0

To address these issues, EMVCo developed a specification for 3D Secure 2.0  to improve the initial verification mechanism with the following benefits: 

• Frictionless checkout;
• Non-payment authentication; 
• Native mobile integration;
• Better performance;
• Prevention of unauthenticated payments.  

The analysis of the merchant’s contextual data is the main feature of 3DS 2.0. Contextual data may contain the following information about each customer: 

• First and last names;
• Billing addresses;
• Emails, etc.

This information is shared across payment providers to improve the analysis mechanism and reduce transaction risks. The extended list of authentication mechanisms includes face and voice recognition as well as fingerprints scanning.

As for the verification flow of 3D Secure 2.0, it is similar to the one introduced in 1.0, but in most cases, customer identity verification is not necessary: the issuer bank makes a verification decision based on contextual data. Since 95% of payment transactions are low-risk, only 5% of transactions are based on the full authentication mechanism. 

However, all 3D Secure 2.0 services should be compatible with the 1.0 protocol. This requirement is mandatory. It helps to keep the security level when 3DS 2.0 is not supported: the new verification flow is replaced with the one introduced in v1.0. 

Impact on Magento 

According to Payment Service Directive 2, all payment providers should apply Strong Customer Authentication in the EU. The UK is included as well! Below, you can see the schedule: 

• April 2019: Issuing banks should get 3DS 2.0-ready. 
• September 14, 2019: SCA goes into effect for all EU and EEA e-commerce transactions under PDS2. 
• October 11, 2019: the 3DS 2.0 scheme becomes mandatory. 
• 2020 and onward: 3DS 2.0 launches worldwide. 

It is still uncertain, how much time will it take to implement the changes worldwide, but European Magento 2 merchant should be ready as soon as possible.

Magento 2 SCA: Recommendations 

Below, you will find key payment providers who will make your Magento 2 website SCA-compliant. Utilize them to make sure customers payments will not be declined.

• PayPal: the current Magento built-in integration is 3D Secure 2.0-compatible – continue using it for Magento 2 SCA.
• Braintree: the official module will offer 3D Secure 2.0 compatibility before the deadline. Braintree integration will support 3D Secure 2.0 from Magento 2.3.3 making it SCA-compliant.
• Authorize.net: use the official extension (recommended) or the Magento integration in upcoming version 2.3.3+ or 2.2.10+ for Magento 2 SCA.
• CyberSource: the official extension is enough to follow the Magento 2 SCA requirements;
• eWay: use the official extension to make your Magento 2 website compatible with PSD2, 3D Secure, and SCA;
• Stripe: Radar is Stripe’s SCA-ready solutions help you build payment flows that adapt to SCA requirements and any relevant exemptions.

You can find more 3D secure-compatible payment integrations on the Magento Marketplace here: Payment Integration extensions. Also, contact your payment provider regarding their recommendations on supporting the PSD2 SCA requirements. 

It is also necessary to mention that Magento will remove the following core integrations in favor of official modules: CyberSource, Authorize.net, eWay, Worldpay. The official extensions provide the most up-to-date features and are available for free. This approach will help merchants avoid duplication and get the latest updates on the schedule.

Magento 2 PSD2 & Integrations

Now, when you are familiar with the implementation of 3D Secure in Magento 2, let’s focus on another aspect of PSD2 – third-party services that replace banks in various processes from the analysis of your expenditures to financial transactions. Although it is too early to talk about any particular companies, we already know how to prepare your Magento 2 website to this side of PSD2. With the help of the Improved Import & Export extension, you will effortlessly integrate your e-commerce website with any third-party systems enabling powerful data analysis and simplified transactions. 

Below, we explore the module’s features, that make the Magento 2 PSD2 involvement deeper. 

Automated Import & Export

Our module lets you automate import and export of any data via schedules or event-based triggers. 

Schedules

The Improved Import & Export Magento 2 extension uses cron, allowing you to create any custom schedules of updates. At the same time, you can select one of the predefined values which are customizable as well. 

However, import and export jobs with no schedules are another opportunity provided by our module. 

Note that it is possible to launch every scheduled profile whenever you want. 

Thus, the module lets you provide a third-party financial institution with the required data on a daily, weekly, or monthly basis automatically. 

As for the configuration process, it is as simple as the following gif illustrates: 

Events

Alternatively, the Improved Import & Export Magento 2 extension provides the ability to create event-based triggers that transfer data to an external system every time a specified action takes place. For instance, you can provide external systems with an update every time a new order is placed. Follow the link below for more information regarding triggers: How to Run Magento 2 Import or Export After Specific System Event or Process.

Advanced Mapping Features

Advanced mapping opportunities is another great feature that lets you integrate your Magento 2 website with third-party systems. When you import data from external systems, our module enables you to replace third-party attributes with ones used in Magento 2 to allow the import procedure. In the case of export processes, Magento 2 attributes are replaced with the required ones. There is no need to do anything in data files. Let’s find out what opportunities are under your disposal.

Mapping Presets

Mapping presets introduce the most straightforward way of importing/exporting any data with the Improved Import & Export extension. The mechanism behind them is quite intuitive: you select a preset of a third-party system you are going to connect to, and the module replaces all the unsupported attributes automatically. Take a look at the following gif image to see how simple this process is: 

Matching Interface

Alternatively, you can match attributes manually in a corresponding section of an import or export profile. Select a third-party value and specify an internal one in front of it. You can also add a default attribute value which is provided to all items related to the attribute. You can see the illustration of this feature below: 

Attribute Values Mapping

In addition to attributes, the Improved Import & Export Magento 2 extension provides the ability to map their values. The algorithm is the same as the one described above. For more details, read this article: Attribute Values Mapping.

Attribute Values Editing

If the previous feature is not enough, our module lets you edit attribute values in bulk. The Improved Import & Export extension supports the following commands: 

• Add a prefix to multiple attribute values;
• Add a suffix to numerous attribute values;
• Split various attribute values;
• Merge many attribute values.

You can combine them and create conditions increasing the efficiency of the applied changes. Check this article for further information: How to Modify Attribute Values During Import and Export in Magento 2.

Category Mapping

Besides, our module lets you match external categories to ones used internally, reducing the number of difficulties that usually occur when products are transferred from other platforms to Magento 2. The Improved Import & Export module allows mapping external product categories to ones used in your catalog as follows:

To create new categories right in the import job, choose a parent category, and specify a new one that will be generated automatically. You can find more information about this feature here: Category Mapping.

Attributes On The Fly

And if a data file provided from an external system lacks attributes, the Improved Import & Export Magento 2 extension lets you create them on the fly via the following general form:

Attribute|attribute_property_name:attribute_property_value|…

The feature is described here in more detail: Product attributes import.

Extended Connectivity Options

Another fundamental difference between Improved Import & Export and the default data transfer tool of Magento 2 or even third-party solutions is the ability to work with numerous file sources.  

Multiple File Standards

Firstly, our module supports various file standards. In addition to the default CSV, it also works with  XML, JSON, ODS, and Excel as well as file archives! 

Multiple File Sources

Support for numerous data sources is another benefit of the Improved Import & Export Magento 2 extension. Our module lets you import files from:

• FTP/SFTP. Transfer data files using a local or remote server.
• Dropbox. Use a Dropbox account to establish a connection between the two systems. Alternatively, you can rely on Box, OneDrive, Google Drive, iCloud, and Amazon Drive.
• URL. A direct URL can be used to import a data file as well.

Alternative Ways of Import & Export

Note that the following alternative ways of import and export are not represented in Magento 2 by default. However, our module not only enables them but also makes the corresponding data transfers intuitive and straightforward.

The Improved Import & Export extension provides the ability to leverage REST, SOAP, and GraphQL to create API connection with external systems. For instance, you can transfer data between your store and ERPs, accounting platforms, CRMs, and various financial tools. Note that all API connections support other extension’s features so that it is possible to leverage mapping, schedules, and attributes on the fly while transferring data via API.

Intermediary services represent another alternative source of updates. With our extension, you can rely on Google Sheets, Office 365 Excel, and Zoho Sheet, transferring data to your e-commerce store. The following image shows how to use Google Sheets to move data to Magento 2:

And of course, the Improved Import & Export extension opens completely new possibilities with support for WSDL and WADL. For further information, follow the link below and contact our support:

Get Improved Import & Export Magento 2 Extension

Final Words

PSD2 will change not only the current banking system but also impact e-commerce and Magento. Our favorite platform already provides payment gateways compatible with the new requirements. As for integration with third-party systems that let you avoid banks as service providers, it can be established with the help of Improved Import & Export Magento 2 module. Make your e-commerce website 3D Secure-compatible to process all payment transactions and let your customers enjoy the new shopping experience.