On 2 June 2015 the final compromise text of PSD2 was released. The updated PSD2

Update on changes to the new Payment Services Directive (PSD2)

broadens the scope of PSD1, captures a wider range of payment transactions, and also addresses some of the concerns raised during the legislative process regarding questions of liability.

Payment service providers (PSPs) will have to ensure that they comply with its provisions by the transposition date around end-2017. In this article, which first appeared in the EPC website, Maria Troullinou of Clifford Chance LLP looks at the key changes that PSD2 will introduce and at how the text has evolved since the initial Commission proposal was published in the summer of 2013.

A similar structure, a much broader scope

The new Payment Services Directive (PSD2) retains the same basic structure as the original Payment Services Directive (PSD1). PSD2 is divided into six titles, each of which focuses on a different subject-matter. Accordingly, title I covers scope and definitions, title II deals with the authorisation and regulation of payment service providers (PSPs), title III focuses on transparency, title IV establishes the respective rights and obligations of payment service users (PSUs) and PSPs and titles V and VI set out provisions on delegated acts and implementation. In addition, the different categories of payment service are set out in the Annex.

Despite retaining the same basic structure, the reach of PSD2 is broader than its predecessor. This is because of the expansion of the territorial scope provisions and the simultaneous narrowing down of the exemptions (commonly known as the ‘negative scope provisions’).

Territorial scope

Most provisions of title III and title IV of PSD2 will now apply to a broader range of payment transactions. Specifically, transactions in non-European currencies where both the payer’s and the payee’s PSP (or the sole PSP in the transaction) are located in the European Union (EU) will be caught, as will ’one leg out’ payment transactions in all currencies (i.e. where only one PSP is located in the EU).

‘One leg out’ transactions were outside the scope of PSD1, but PSD2 now brings them in scope “in respect of those parts of the payment transaction which are carried out in the Union”. This wording operates as a limit to the reach of PSD2 and seeks to offer some comfort to PSPs who would not be able to fulfil their obligations in respect of transactions (or components thereof) taking place outside of the EU over which they have no control (e.g, because these are subject to foreign systems and rules). PSPs will need to carry out an impact analysis and assess which parts of each transaction qualify as having been “carried out in the Union”; in the absence of guidance as to the precise meaning of this wording, this may not be a straightforward exercise.

Negative scope

PSD2 amends some of the exemptions established under PSD1. Changes to the “commercial agent” exemption attempt to address the divergent interpretations taken by some EU Member States, making clear that the exemption applies when agents act only on behalf of the payer or payee (not both).

Where agents act on behalf of both parties (e.g. in respect of e-commerce platforms) the exemption will only apply in cases where the agent does not come into possession, or have control of, clients’ funds.

Moreover, it will no longer be possible to use the same payment instrument within more than one limited network, or to acquire an unlimited range of goods and services and therefore the “limited network” exemption will now only be available to genuinely small networks. PSD2 also limits the scope of the mobile device content exemption to individual payments that do not exceed 50 euros and, on a monthly basis, transactions not exceeding 300 euros in aggregate per subscriber.

The Automated Teller Machine (ATM) exemption set out in Article 3(o) of PSD1 which was removed from the European Commission’s (the Commission) original PSD2 proposal, has now been reinstated. ATM operators will be subject to obligations to provide customers with information on withdrawal charges — both prior to the transaction and on the customer’s receipt — aiming to enhance transparency.

PSD2 seeks to minimise divergent interpretations around the application of certain exemptions. In certain cases, PSPs pursuant to PSD2 will have to notify competent authorities, so that an assessment can be made as to whether the requirements of an exemption have been met.

Expanding the market

PSD2 creates two new types of PSP, commonly referred to as ‘third party payment service providers‘ (TPPs) and attempts to strike a balance between opening up the payments market and maintaining appropriate security standards for online payments.

PSD2 contains provisions requiring EU Member States to ensure that all payment institutions have access to payment account services provided by banks. This is designed to prevent banks from refusing to open and maintain bank accounts for payment institutions. Although the right of a bank to reject account applications on valid grounds (such as anti-money laundering concerns) would not be affected, banks that decline to provide a bank account to another payment institution will have to explain the rejection to the regulator.

Under PSD2, payment initiation service providers (PISPs) are required to be authorised but are subject to a reduced minimum own funds requirement of 50,000 euros. Account information service providers (AISPs) are expressly exempt from authorisation, but are subject to a registration requirement. Both types of entity have to hold professional indemnity insurance or a comparable guarantee in order to ensure that they are able to meet liabilities arising in relation to their activities, as PSD2 aims to achieve a level of supervision commensurate with the risk such new entrants introduce into the system. PISPs that want to provide different payment services involving holding users’ funds will need to obtain full regulatory authorisation.

The post Update on changes to the new Payment Services Directive (PSD2) appeared first on Accourt Payments Specialists.

UK card fraud losses rose by £29 million in 2014, a 6% rise on the previous year. Most of  this increase was

Cross border vulnerabilities of UK fraud

due to cross-border fraud, with domestic losses remaining flat.

In the UK, FICO previously reported a 25% increase in cross-border fraud on debit cards in 2014, compared to 2013. 47% of the fraudulent transactions were taking place in the US – a pattern that seems related to the delay in US adoption of EMV technology. The first wave of the EMV liability shift takes place in October 2015 in the US.

“Banks in the UK and most of Europe adopted EMV technology years ago, so it may appear that they have little to worry about from mag-stripe fraud,” said Martin Warwick, FICO’s fraud chief for Europe. “However, the trends suggest that any European plastic card can be targeted, as criminals try to ‘fill their boots’ before the US finally shuts the door on skimming fraud.”

As reported in the FICO European Fraud Map for the last three years, the leading type of fraudulent card transaction is so-called card-not-present (CNP) fraud. The percentage of fraud losses from CNP fraud averaged 41% for Western European countries, and 23% for Eastern European countries.

In the UK, ecommerce spending in the UK more than doubled between 2008 and 2014, but CNP fraud losses have grown just 1% in that time. However, it has become a greater share of UK card losses, rising from 54% of card losses in 2008 to 70% in 2014.

European Fraud Changes 2013-2014

“We are winning the war on CNP fraud, but we still have a long way to go to get CNP fraud fully under control,” Warwick said. “Authentication of customers and their devices will play an ever-increasing role.This is why FICO has been focused on advances in analytics that assess consumer behavior, and profile not just cardholders but also devices and merchants.”

France had the highest card fraud losses relative to card sales, followed by Greece and the UK, which is the same ranking as last year. Russia saw the fastest growth in card fraud losses – 24% — but card sales in the same period grew 36%.

Fraud severity levels 2013 Vs 2014

“Any market that is growing will attract criminals attention and that’s exactly what is happening in Russia,” Warwick said. “EMV  has a long way to go to reach maturity in Russia. However, overall Russia has low fraud relative to sales. The key aim for banks will be to ensure that when growth in sales slows they are also in a position to slow the growth in fraud losses”.

The post European cross-border and card-not-present fraud on the rise appeared first on Accourt Payments Specialists.

Worldpay saw over 133,000 fraudulent transactions worth £10 million reported in March alone, leaving businesses out of pocket as fraudsters purchased goods and services using stolen card details. Over 67% of all fraudulent transactions happened online, while purchases made over the phone or by mail accounted for 19% of the total.

“Technology to guard against card counterfeiting and fraud has come a long way, yet the rates of attack are truly alarming. Card details are the weakest links in consumers’ and businesses’ defences and the one area that fraudsters know to hone in on,” comments Tim Lansdale, Head of Payment Security at Worldpay.

This graph shows the number of investigations into card breaches (i.e. known breaches) amongst Worldpay customers, by business PCI DSS level during 2011-2014. There were a total of 140 investigations held during this period.

Businesses that fail to protect their payment systems are not only left out of pocket when goods are purchased using stolen card details but also face paying for the investigation into the breach and the stiff industry penalties which inevitably follows. They are also likely to face bad publicity, which can swiftly erode the years of trust customers have built up in a business and can lead to even more lost custom in future.”

Small businesses, which accounted for 85.7% of all card data breaches, last year, make easy prey for the more advanced cyber hackers. By contrast, Worldpay has seen a 179% increase in payment security compliance amongst the UK’s biggest businesses, as the boardrooms of larger, better resourced companies look to bulk up their security in line with the card payment industry standards.

Causes of card data breaches

Regardless of business size, the clean-up costs of being targeted by hackers and suffering a card data breach can run to tens of thousands of pounds. A standard small business forensic investigation into a card data breach costs £11,250 on average and typically attracts at least a £8,000 industry penalty, not including the costs of lost goods and damage to reputation. Worldpay has seen larger businesses pay up to £100,000 for the forensic investigation alone.

“Prevention is clearly better than the cure when it comes to getting hacked. The UK’s largest companies have made great strides to improve their payment security but small businesses are still falling behind and being targeted as a result. Businesses of all shapes and sizes should be taking the necessary measures to protect themselves and their customers and employees,” said Lansdale.

Industries affected by card data breaches

Download the report here

Advice to businesses: How to avoid being a victim:

Card data breaches:

1. Check you meet the card industry’s standards for keeping card data safe, and that your third party suppliers do too.
2. Install all the latest patches for servers, operating systems, applications, and frameworks (Java, .NET etc.), to protect your ecommerce website.
3. Change online system log-ins from the default, and use strong passwords that hackers cannot guess.

Fraud:

1. Ask your payment processor about online protection, such as Verified by Visa, to make ecommerce payments safer from fraud.
2. Be wary of high value or unusual orders from a customer you do not know, particularly if the product can be resold easily.
3. Use the Address Verification Service, to match the customer’s delivery address with the billing address of the card owner.

The post Card fraud increases as stolen cards used once every 20 seconds appeared first on Accourt Payments Specialists.