Fintechs and corporations interested in providing and receiving payment services should be aware of the current regulations that govern the matter. This is particularly relevant to companies that offer software that fully or partially automates invoice finance. This article takes a deep dive into the process of setting up an online payment system.
A payment service provider (PSP) is a company that enables businesses to accept and process payments from their customers. This can include processing credit card payments, bank transfers, e-wallet payments, and other forms of electronic payments.
PSPs act as intermediaries between merchants and their customers’ financial institutions, managing the complex process of authorization, clearing, and settlement of payments. They provide secure payment processing services that comply with industry standards and regulations, such as the Payment Card Industry Data Security Standard (PCI DSS).
PSPs can offer a range of services to merchants, including payment gateway integration, fraud prevention, recurring billing, and multi-currency support. They may charge fees for their services, either as a percentage of the transaction value or as a fixed fee per transaction.
The Payment Services Directive 2 (PSD2) is an EU directive that regulates payment services and strengthens consumer protection. It requires banks to give third-party providers access to customers’ account data, subject to the customer’s explicit consent. It was enacted in 2015 and entered into force in 2018. The primary objective of PSD2 is to make payments more secure and to increase competition among payment service providers.
There are many payment service providers (PSPs) available in the market today, including:
- PayPal: One of the most popular PSPs, PayPal offers online payment solutions for individuals and businesses.
- Stripe: A popular PSP for online businesses, Stripe allows businesses to accept credit card payments and offers other features like subscriptions and invoicing.
- Square: A PSP that offers point-of-sale solutions for businesses, including card readers and software for processing payments.
- Amazon Pay: A PSP that allows customers to use their Amazon accounts to make payments on third-party websites.
- Google Pay: A PSP that allows users to make payments using their Google accounts, both online and in-store.
- Apple Pay: A mobile payment and digital wallet service that allows users to make payments using their iPhone, iPad, or Apple Watch.
- Skrill: A PSP that allows users to send and receive money online and offers a variety of payment options.
- Braintree: A PSP that offers payment solutions for online and mobile businesses, including credit card processing and digital wallets.
- Adyen: A PSP that offers payment solutions for businesses of all sizes, including credit card processing, mobile payments, and e-wallets.
- Worldpay: A PSP that offers payment processing solutions for businesses, including credit card processing and online payments.
Under PSD2, payment service providers are obliged to apply strong customer authentication, such as two-factor authentication, to protect against fraud and unauthorized access. The directive also recognises two categories of third-party payment service providers: payment initiation service providers (PISPs) and account information service providers (AISPs). These providers can, respectively, initiate payments on behalf of consumers and access consumers’ financial data.
PSD2 also includes provisions to protect consumer privacy and data, as well as the liability of payment service providers in the event of fraud or unauthorized transactions. Overall, PSD2 aims to make payments safer, more convenient and transparent for consumers, while promoting innovation and competition in the payment services industry.
Under the Payment Services Directive 2 (PSD2), third-party providers (TPPs) are authorized to access payment accounts of users, with their consent, to provide payment initiation services (PIS) and account information services (AIS).
To ensure a level playing field for all players in the payment services market and to ensure the safety and security of payment transactions, PSD2 provides for the regulation of TPPs. These TPPs are classified into two types: Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs).
PISPs are TPPs that initiate payment transactions on behalf of users, while AISPs are TPPs that provide account information services to users. Both types of TPPs are regulated under PSD2 and are subject to the same requirements and standards.
To become regulated TPPs under PSD2, PISPs and AISPs must obtain authorization from the relevant national regulatory authority in the European Union (EU) Member State in which they are established. They must also comply with a number of requirements set out in PSD2, including:
- Strong Customer Authentication (SCA) – TPPs must ensure that their customers are authenticated using at least two of the following: something they know (e.g., a password), something they have (e.g., a mobile device), or something they are (e.g., biometric data).
- Secure Communication – TPPs must use secure communication channels to transmit payment transaction data and account information between themselves and the payment service provider (PSP) or user.
- Data Protection – TPPs must ensure that the personal data of users is protected in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR).
- Complaints Handling – TPPs must have a complaint handling process in place to deal with complaints from users.
- Liability – TPPs must accept liability for any unauthorized payment transactions initiated by them, unless the user has acted fraudulently or has not complied with their obligations under PSD2.
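As an added example (Go, not code from the original article), the following shows what the SCA requirement above means in practice: a knowledge factor (a password, compared in constant time), a possession factor (an RFC 6238 time-based one-time code), and a policy check that only passes when valid elements from two different categories are present, so two knowledge factors alone are refused. The category names, the stored-hash format and the demo password are constructed for this example; the shared secret is the RFC 6238 test-vector secret.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// Category is one of the three SCA element classes named in PSD2.
type Category int

const (
	Knowledge  Category = iota // something the user knows (password, PIN)
	Possession                 // something the user has (phone, token)
	Inherence                  // something the user is (biometric)
)

// Factor is one authentication element presented in a session, together
// with the outcome of verifying it.
type Factor struct {
	Category Category
	Valid    bool
}

// SatisfiesSCA is true only when valid elements from at least two different
// categories are present: a password plus a second password does not count.
func SatisfiesSCA(factors []Factor) bool {
	seen := map[Category]bool{}
	for _, f := range factors {
		if f.Valid {
			seen[f.Category] = true
		}
	}
	return len(seen) >= 2
}

// VerifyPassword checks a knowledge factor against a stored SHA-256 digest in
// constant time. (Demo only: production systems store a slow, salted hash.)
func VerifyPassword(stored [32]byte, candidate string) bool {
	h := sha256.Sum256([]byte(candidate))
	return subtle.ConstantTimeCompare(stored[:], h[:]) == 1
}

// TOTP returns the RFC 6238 code (HMAC-SHA1, 30-second step, 6 digits) for
// unixTime; presenting it proves possession of the shared secret.
func TOTP(secret []byte, unixTime int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // dynamic truncation, RFC 4226 section 5.3
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// VerifyTOTP accepts the current step and one step either side to absorb
// small clock drift between the authenticator and the server.
func VerifyTOTP(secret []byte, unixTime int64, candidate string) bool {
	for _, drift := range []int64{-30, 0, 30} {
		expected := []byte(TOTP(secret, unixTime+drift))
		if subtle.ConstantTimeCompare(expected, []byte(candidate)) == 1 {
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret (constructed demo value)
	stored := sha256.Sum256([]byte("correct horse battery staple"))
	now := int64(59)
	factors := []Factor{
		{Knowledge, VerifyPassword(stored, "correct horse battery staple")},
		{Possession, VerifyTOTP(secret, now, TOTP(secret, now))},
	}
	fmt.Println("SCA satisfied:", SatisfiesSCA(factors)) // true
}
```

The independence check in SatisfiesSCA is the part that is easy to get wrong: counting presented factors instead of distinct categories lets a second password or a second security question pass as "two-factor". The one-step drift window in VerifyTOTP is the usual trade-off between usability and replay exposure, and every comparison of a secret uses crypto/subtle rather than ==.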
By complying with these requirements, regulated TPPs can provide their services in a safe and secure manner, and help promote innovation and competition in the payment services market.
To become a Third-Party Provider (TPP) under the Payment Services Directive 2 (PSD2), there are a few steps you need to follow:
- Register with your National Competent Authority (NCA): The first step is to register with the National Competent Authority (NCA) of the country where you intend to provide payment services. This will vary depending on the country, but you can find a list of NCAs on the European Banking Authority (EBA) website.
- Obtain a license: Depending on the payment services you intend to offer, you may need to obtain a license. For example, if you intend to provide payment initiation services, you will need to obtain a license as a Payment Initiation Service Provider (PISP). Similarly, if you intend to provide account information services, you will need to obtain a license as an Account Information Service Provider (AISP).
- Comply with PSD2 requirements: As a TPP, you will need to comply with the requirements set out in PSD2. This includes providing strong customer authentication (SCA) and secure communication between your system and the bank’s system.
- Obtain access to the bank’s systems: In order to provide payment initiation or account information services, you will need to obtain access to the bank’s systems. This can be done either through a dedicated interface provided by the bank or through a third-party provider that provides access to multiple banks.
- Test your services: Before you can start offering your services to customers, you will need to test them to ensure they are working correctly and comply with the relevant standards.
It’s important to note that becoming a TPP can be a complex and time-consuming process, and may require significant investment in technology and infrastructure. However, if you are able to meet the requirements and offer innovative payment services, there is a significant opportunity to grow your business and gain a competitive advantage in the market.
To access an Open Banking API in production, you must register your application with a valid eIDAS certificate or an Open Banking (OBIE) certificate.
- An eIDAS certificate is a digital certificate issued under the eIDAS regulation, which is a European Union regulation for electronic identification and trust services.
To be considered valid, an eIDAS certificate must be issued by a trusted and accredited Certification Authority (CA) and must comply with the technical and legal requirements set forth in the eIDAS regulation.
The validity of an eIDAS certificate can be verified by checking the certificate’s digital signature and the chain of trust. The digital signature ensures the authenticity and integrity of the certificate, while the chain of trust verifies the identity of the CA that issued the certificate and the trustworthiness of the CA’s own digital certificate.
It is important to note that the validity of an eIDAS certificate is time-limited and can expire. The validity period is recorded in the certificate itself, and an expired certificate must not be accepted.
- Open Banking is a system that allows customers to share their financial data with third-party providers through secure APIs (Application Programming Interfaces). The Open Banking Implementation Entity (OBIE) is the organization responsible for developing and implementing the technical standards and security measures necessary to enable open banking in the UK.
To become certified by the OBIE, third-party providers must undergo a rigorous testing and validation process to ensure that their APIs meet the required standards for security, functionality, and interoperability. The OBIE provides a set of detailed specifications and test suites that developers can use to build and test their APIs.
Once a provider has successfully completed the certification process, they are listed on the OBIE’s Directory of Open Banking Third Party Providers. This directory provides consumers with a trusted source of information about which third-party providers have been certified by the OBIE and are therefore authorized to access their financial data. Overall, the OBIE certification process helps to ensure that open banking services are safe, reliable, and easy to use for consumers, while also promoting innovation and competition in the financial services industry.
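As an added example (Go standard library; not code from the article, from OBIE or from any eIDAS CA), the following implements the two checks described for an eIDAS certificate above: building the chain of trust from the leaf through an intermediate to a trusted root, verifying each signature along the way, and enforcing the validity period at a chosen instant. The root, intermediate and leaf are generated inside the program as a constructed demo PKI, so the names "Demo Root CA", "Demo Intermediate CA" and "tpp-client" are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Issue signs a certificate for cn with the parent's key, or self-signs it
// when parent is nil. Constructed demo PKI only; not an eIDAS-accredited CA.
func Issue(cn string, isCA bool, notBefore, notAfter time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // only CAs may sign other certificates
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth} // TLS client certificate
	}
	signerCert, signerKey := tmpl, key // self-signed root
	if parent != nil {
		signerCert, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyChain checks the leaf's signature chain up to a trusted root and the
// validity period of every certificate in it at instant "at". A nil return
// means the certificate is acceptable; otherwise the error names the reason.
func VerifyChain(leaf *x509.Certificate, intermediates, roots []*x509.Certificate, at time.Time) error {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots {
		rootPool.AddCert(r)
	}
	for _, c := range intermediates {
		interPool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         rootPool,
		Intermediates: interPool,
		CurrentTime:   at,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// BuildDemoPKI creates root -> intermediate -> leaf; the leaf is valid for one year.
func BuildDemoPKI(start time.Time) (root, inter, leaf *x509.Certificate, err error) {
	year := 365 * 24 * time.Hour
	root, rootKey, err := Issue("Demo Root CA", true, start, start.Add(10*year), nil, nil)
	if err != nil {
		return
	}
	inter, interKey, err := Issue("Demo Intermediate CA", true, start, start.Add(5*year), root, rootKey)
	if err != nil {
		return
	}
	leaf, _, err = Issue("tpp-client", false, start, start.Add(year), inter, interKey)
	return
}

func main() {
	start := time.Now().Add(-time.Hour)
	root, inter, leaf, err := BuildDemoPKI(start)
	if err != nil {
		panic(err)
	}
	inters, roots := []*x509.Certificate{inter}, []*x509.Certificate{root}
	fmt.Println("valid now:     ", VerifyChain(leaf, inters, roots, time.Now()))
	fmt.Println("after 2 years: ", VerifyChain(leaf, inters, roots, start.Add(2*365*24*time.Hour)))
	other, _, _ := Issue("Other Root CA", true, start, start.Add(24*time.Hour), nil, nil)
	fmt.Println("untrusted root:", VerifyChain(leaf, inters, []*x509.Certificate{other}, time.Now()))
}
```

The three calls in main correspond to the three outcomes a relying party must distinguish: a good chain, a chain whose leaf has passed its NotAfter date, and a chain that ends at a root the relying party does not trust. This is a generic X.509 check; for an eIDAS qualified certificate the relying party additionally has to confirm that the issuing CA holds qualified status on the EU Trusted Lists, which this example does not do.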
The Payment Services Directive 2 (PSD2) is the EU directive that governs the EU payment services sector; however, certain transactions and entities are exempted from its scope. Here are some examples:
- Payment transactions carried out by a payer or payee through a payment service provider (PSP) located outside the European Union or the European Economic Area (EEA).
- Payment transactions that involve only one payment service provider (PSP), which is the payment initiation service provider (PISP) or the account information service provider (AISP).
- Payment transactions that are carried out through payment instruments issued by merchants, such as store cards or loyalty cards.
- Transactions that use specific payment instruments, such as cash withdrawals, paper-based transactions (e.g., cheques), and direct debits.
- Payment transactions made for non-profit purposes or for social or community services.
- Transactions that are carried out between a PSP and its agents or between PSPs that are part of the same group.
It’s worth noting that even if an entity is exempted from PSD2 regulations, they are still required to comply with other relevant laws and regulations, such as anti-money laundering (AML) and know-your-customer (KYC) rules.
To learn more about this topic, go to https://www.digipay.guru/blog/emergence-of-open-banking-and-api-integration/