Many online merchants may be facing down the ‘wrong end of the barrel’ with their current online payment processes.
Currently, online merchants have aligned their eCommerce operations with Visa's guidance to reduce the burden and complexity of PCI DSS. There are a number of ways a webpage can interact with a payment process, and these range from the following:
1. Redirect or iFrame = SAQ A (22 controls, PCI DSS v3.2)
3. Application Program Interface (API) = SAQ D (311 controls, PCI DSS v3.2)
The Payment Services Directive 2 (PSD2) legislation, which comes into force in January 2018, threatens to turn operations using options 1 or 2 on their heads. PSD2 provides a legal platform for the Single Euro Payments Area (SEPA), seeking to update the regulation of payments in Europe, improve competition, drive down costs and enhance the security of internet payments.
It is also reported that PSD2 is legislating that any merchant with online services will require the integration of their website with an Application Programme Interface (API).
However, it is worth noting that this is likely to be a slow introduction, starting with the big players (banks and large e-Commerce operations first).
What is PSD2? What is its intent and what is its remit?
PSD2 is a revision of the original PSD1, introduced in 2007, which was designed to provide more transparency and information for consumers, cut down execution times, strengthen refund rights, and clarify the liability of consumers and payment institutions. With that legislation in place, payments have been made securely, easily and quickly throughout the EU.
Data shows that banks could be poised to lose 43% of retail payment revenue streams by 2020 if they don't act and make themselves more appealing to both merchants and customers. PSD2 is designed to provide a much better customer journey, making online e-Commerce quicker, more efficient, convenient and safer, through the adoption of open banking via application networks connected by APIs. This new revision extends the scope from the financial services market to include e-commerce, technology companies, retailers, telecoms and even utility companies.
Impact of BREXIT on PSD2
For those companies who remain within the EU, they will continue to receive the benefits of payment data sharing through the combination of PSD2 and SEPA. UK based FinTech companies outside the EU may be tempted to relocate into the EU region.
Why might they consider doing this?
The UK e-commerce market is Europe's largest and is set to reach £90 bn before 2020 (up from £60 bn in 2015).
• Create a business plan.
• Apply a defined methodology.
• Engage the assistance of a PCI Qualified Security Assessor (QSA) company.
• Identify the additional requirements and enhancements needed to upgrade existing eCommerce operations to those required for a PCI DSS compliant API process.
• Identify the additional technologies and services required, covering the additional 139 to 309 controls.
• Escalate the matter to higher management, to ensure the allocation of suitable funding and resources.
All of a sudden, PSD2 brings the website back into scope and, as such, the web servers, application servers, supporting network systems and, of course, any connected systems. Affected companies now need to consider the implications of these components being brought back into scope, for example:
• Firewall configurations and ruleset reviews
• Secure systems configurations
• Logging and monitoring
• Change detection
• Wireless inspections
• Vulnerability testing
• Segmentation testing
• Penetration testing
The introduction of this new legislation is likely to have a significant impact on already established, mature e-merchant payment operations. However, early proactive planning and action can help to reduce this impact, helping businesses to meet the new demands associated with the introduction of this legislation.