BBVA API Market
The PSD2 Directive has completely transformed the financial digital ecosystem, turning banks into open entities that collaborate with their immediate environment, especially with their customers and with the third parties that are allowed to access customer data. It was approved on October 8, 2015, but it did not enter into force across all member states of the European Union until September 14, 2019.
One of the most important aspects of this directive, which has already been transposed into Spanish law, is payment initiation services (PIS). Let’s take a look at what they are, how they work and what has changed with the approval of the PSD2 Directive.
PIS are services that use online banking to make payments over the Internet, without a means of payment such as a credit card or bank account having to be used directly in the transaction.
Through a platform that acts as a bridge between the merchant and the customer, the customer enters all the information needed to carry out the transfer (the amount of the transaction, the account number, etc.), and the platform informs the merchant that the transaction has been launched.
This way, the user can shop over the Internet in a totally transparent and secure way. Both parties to the transaction benefit from this service:
So these services provide a suitable and secure solution for both companies and users, as they guarantee the possibility of making online purchases even if the payer has no payment method available.
Payment initiation services work in a simple way: once a customer has agreed to allow an external provider to access their banking details, a payment interface owned by the PISP asks the user for the payment information; the user then chooses their bank and enters their online banking credentials to complete the process.
The bank then validates the credentials and authorizes the request for the payment transaction. A digital signature is then requested. Strong Customer Authentication (SCA) is applied—an additional verification factor on top of the regular password, which can use biometric elements, such as the user’s fingerprint or face, or a one-time code sent to the user’s mobile.
Once authentication has been completed, the transaction is executed and the payment is made.
All bank details are exchanged in encrypted form as JSON structures, for both data input and output, which the user accepts when entering their bank credentials. The volume of data transmitted is generally small: the customer's details, the target account, the transaction amount and little else are sufficient. That is why PISPs can offer highly agile solutions and seamless payment platforms.
Although payment initiation services already existed before the PSD2 Directive was implemented, its entry into force has obliged banks to open up their customers' data to third parties on request. This new legal requirement is prompting a surge of new companies that offer services built on that access through their applications: the so-called payment initiation service providers (PISPs).
These companies offer applications that act as intermediaries between financial institutions and merchants, enabling direct transfers between the bank and the digital store once the customer has authorized them.
Some interesting examples of payment initiation service providers in Europe are Trustly in the Scandinavian countries, Sofort in Germany and iDEAL in the Netherlands.
Security is one of the areas most strengthened by the approval of PSD2. Despite the opening up of bank details, PSD2 ensures that customer security is not compromised. In fact, under the Directive PISPs are obliged to apply strong customer authentication measures, and are forbidden from accessing any information other than the data necessary to run the specified service.
Authorized PISPs are also legally required to end the session with the user's bank account immediately, once the payment order has been placed and the transaction executed. All these measures are designed to keep transactions private and prevent malicious use of customer data.
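As an added illustration, not BBVA's code and not any real PISP's or bank's API, the following Python model walks through the flow described above (credentials validated by the bank, an SCA one-time code, then execution), shows the JSON payment order exchanged between the parties, and enforces the two obligations just mentioned: the PISP receives only the data the service needs, and the bank ends the session as soon as the order is executed. The class names `Bank` and `PISP`, the demo user, the passwords, the account identifiers and the balances are all constructed for the example.

```python
"""Constructed model of a PSD2 payment-initiation flow (PISP <-> bank) with SCA.

Not a real API: a toy bank validates credentials, challenges the user with a
one-time code delivered outside the PISP channel, executes the transfer, and
revokes the PISP's session immediately afterwards.
"""
import hashlib
import hmac
import json
import secrets


class Bank:
    """Toy account-servicing bank: holds accounts, checks credentials, issues SCA."""

    def __init__(self):
        # Constructed demo data: one user, a password hash, and two balances.
        self.users = {"alice": hashlib.sha256(b"correct-horse").hexdigest()}
        self.iban_of = {"alice": "ES00-ALICE"}
        self.balances = {"ES00-ALICE": 500.00}
        self.sessions = {}        # session token -> user, pending order, OTP
        self.delivered_otps = {}  # stands in for the SMS / app push to the user
        self.ledger = []

    def authenticate(self, user, password, order):
        """Step 1: validate online-banking credentials and send the SCA code."""
        expected = self.users.get(user)
        given = hashlib.sha256(password.encode()).hexdigest()
        if expected is None or not hmac.compare_digest(expected, given):
            raise PermissionError("invalid credentials")
        token = secrets.token_urlsafe(16)
        otp = f"{secrets.randbelow(10**6):06d}"
        self.sessions[token] = {"user": user, "order": order, "otp": otp}
        self.delivered_otps[user] = otp  # second factor never passes through the PISP
        return token

    def confirm_with_sca(self, token, otp):
        """Step 2: verify the second factor, execute the transfer, end the session."""
        session = self.sessions.get(token)
        if session is None:
            raise PermissionError("unknown or expired session")
        try:
            if not hmac.compare_digest(session["otp"], otp):
                raise PermissionError("SCA failed")
            order = session["order"]
            src = self.iban_of[session["user"]]
            if self.balances[src] < order["amount"]:
                return {"status": "RJCT", "reason": "insufficient funds"}
            self.balances[src] -= order["amount"]
            dst = order["creditor_iban"]
            self.balances[dst] = self.balances.get(dst, 0.0) + order["amount"]
            self.ledger.append({**order, "debtor_iban": src})
            # Only status and reference go back; balances stay inside the bank.
            return {"status": "ACSC", "payment_id": order["payment_id"]}
        finally:
            # Obligation modelled here: the session ends as soon as the order
            # has been processed, whether it succeeded or not.
            self.sessions.pop(token, None)


class PISP:
    """Toy payment-initiation provider: builds the order and relays the steps."""

    def __init__(self, bank):
        self.bank = bank

    def build_order(self, creditor_iban, amount, reference):
        return {
            "payment_id": secrets.token_hex(8),
            "creditor_iban": creditor_iban,
            "amount": round(float(amount), 2),
            "currency": "EUR",
            "reference": reference,
        }

    def initiate(self, order, user, password):
        # JSON is the wire format; round-trip it as a real request body would be.
        body = json.loads(json.dumps(order))
        return self.bank.authenticate(user, password, body)

    def complete(self, token, otp):
        result = self.bank.confirm_with_sca(token, otp)
        # Data minimisation: the merchant learns only what the service needs.
        allowed = {"status", "payment_id", "reason"}
        return {k: v for k, v in result.items() if k in allowed}


def run_demo():
    """Happy path, then prove the session token cannot be reused."""
    bank = Bank()
    pisp = PISP(bank)
    order = pisp.build_order("ES00-SHOP", "49.90", "order-1234")
    token = pisp.initiate(order, "alice", "correct-horse")
    otp = bank.delivered_otps["alice"]  # the user reads it from their phone
    result = pisp.complete(token, otp)
    try:
        bank.confirm_with_sca(token, otp)
        reuse_blocked = False
    except PermissionError:
        reuse_blocked = True
    return result, bank.balances, reuse_blocked


if __name__ == "__main__":
    print(run_demo())
```

The `finally` clause is the part worth copying: revoking the session on every exit path, not only on success, is what turns the "log off immediately" obligation into behaviour a reviewer can verify rather than a comment.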
As open banking becomes more prevalent, payment initiation will be applied in many sectors and its use will become widespread. It has many different applications, such as:
But how can this whole process be materialized technically speaking? It is actually quite simple thanks to the opening-up of banking APIs. Thanks to them, any PISP can access the customers' banking data in real time and integrate all this information in its applications in a simple, agile and—naturally—standardized way.
In other words, the payment initiation service is not performed by a human being but by code that follows all the necessary specifications to ensure the transaction is carried out properly without compromising the user's security.
In just one year, the second European Payment Services Directive—or PSD2 as it is better known—has created a new scenario combining innovation and security, in which banks have been progressively opening up access to their infrastructure to third parties.
On December 23, 2015, Directive 2015/2366 of the European Parliament and Council, known as the PSD2 directive, was approved, providing a new regulatory framework for the use of mobile payments, tools from non-banking institutions and enhanced security. What do these changes mean compared to the first PSD and how do they affect companies?