Nettitude Blog

The Potential Impact of PSD2 on E-Commerce Merchants

Posted by Media marketing on Aug 24, 2016 11:54:41 AM



Figure 1: eCommerce


Many online merchants may be facing down the ‘wrong end of the barrel’ with their current online payment processes.


Currently, online merchants have aligned their eCommerce operations with Visa’s guidance to reduce the burden and complexity of PCI DSS. There are a number of ways of integrating payments into a webpage, and these are as follows:


Figure 2: EC/PCI SSC Tug of War


1. Redirect or iFrame = SAQ A (22 controls, PCI DSS v3.2)
2. Redirect or JavaScript created form = SAQ A-EP (192 controls, PCI DSS v3.2)
3. Application Program Interface (API) = SAQ D (311 controls, PCI DSS v3.2)

The Payment Services Directive 2 (PSD2) legislation, which comes into force in January 2018, threatens to turn operations using options 1 or 2 on their heads. PSD2 provides a legal platform for the Single Euro Payments Area (SEPA), seeking to update the regulation of payments in Europe, improve competition, drive down costs and enhance the security of internet payments.
It is also reported that PSD2 is legislating that any merchant with online services will require the integration of their website with an Application Programme Interface (API).

However, it is worth noting that this is likely to be a slow introduction, starting with the big players (banks and large e-Commerce operations first).

What is PSD2? What is its intent and what is its remit?

PSD2 is a revision of the original PSD1, which was introduced in 2007 and designed to provide more transparency and information for consumers, cut down execution times, strengthen refund rights, and clarify the liability of consumers and payment institutions. With the legislation in place, payments have been securely, easily and quickly made throughout the EU.

Data shows that banks could be poised to lose 43% of retail payment revenue streams by 2020 if they don't act and make themselves more appealing to both merchants and customers. PSD2 is designed to provide a much better customer journey, making online e-Commerce quicker, more efficient, convenient and safer, through the adoption of open banking via application networks connected by APIs. This new revision provides an extension from the financial services market to include e-commerce, technology companies, retailers, telecoms and even utility companies.

Impact of BREXIT on PSD2

Companies that remain within the EU will continue to receive the benefits of payment data sharing through the combination of PSD2 and SEPA. UK-based FinTech companies outside the EU may be tempted to relocate into the EU region.

Why might they consider doing this?
The UK e-commerce market is Europe’s largest and is set to reach £90 bn before 2020 (up from £60 bn in 2015).


If you are a merchant with online offerings, employing a redirect, iFrame or JavaScript-created form, you are likely to be impacted by this new legislation. Consequently, with only 18 months before PSD2 becomes effective, these organisations are urged to start planning for this now:

• Create a business plan.
• Apply a defined methodology.
• Engage the assistance of a PCI Qualified Security Assessor (QSA) Company.
• Identify the additional requirements and enhancements needed to upgrade existing eCommerce operations to those required for a PCI DSS compliant API process.
• Identify the additional technologies and services required, covering the additional 139 to 309 controls.
• Escalate the matter to higher management, to ensure the allocation of suitable funding and resources.


All of a sudden, PSD2 brings the website back into scope and, with it, the web servers, application servers, supporting network systems and, of course, any connected systems. Affected companies now need to consider the implications associated with these components being brought back into scope, for example:


Figure 3: PSD2 Go Live Date


• Firewall configuration and ruleset reviews
• Secure systems configurations
• Logging and monitoring
• Change detection
• Wireless inspections
• Vulnerability testing
• Segmentation testing
• Penetration testing


The introduction of this new legislation is likely to have a significant impact on already established, mature e-merchant payment operations. However, early proactive planning and action can help to reduce this impact, helping businesses to meet the new demands associated with the introduction of this new legislation.

