The PSD2 Directive has completely transformed the digital financial ecosystem, turning banks into open entities that collaborate with their immediate environment, especially with their customers and with third parties that are able to access their data. It was approved on October 8, 2015, but it was not until September 14, 2019 that it entered into force in all member states of the European Union.
One of the most important aspects of this directive, which has already been transposed into Spanish law, is payment initiation services (PIS). Let’s take a look at what they are, how they work and what has changed with the approval of the PSD2 Directive.
What are PIS?
PIS are a type of service that uses online banking to make payments over the Internet, without a means of payment (such as a credit card or bank account) having to be used in the transaction.
Through a platform that acts as a bridge between the merchant and the customer, the customer enters all the necessary information to carry out the transfer, such as the amount of the transaction, the account number, etc., and informs the merchant that the transaction has been launched.
This way, the user can shop over the Internet in a totally transparent and secure way. Both parties to the transaction benefit from this service:
- The seller, because it has the assurance that the payment has been made, allowing it to initiate the delivery of the good or provide the service without delay, as soon as the order is given.
- The consumer, as they are safe in the knowledge that they will not have to provide their bank details to the store every time they make a purchase.
So these services provide a suitable and secure solution for both companies and users, as they guarantee the possibility of making online purchases even if the payer has no payment method available.
How do payment initiation services (PIS) work?
Payment initiation services work in a simple way: once a customer has agreed to allow an external provider to access their banking details, a payment interface owned by the PISP asks the user for information, and the user then chooses their bank and enters their online banking credentials to complete the process.
The bank then validates the credentials and authorizes the request for the payment transaction. A digital signature is then requested. Strong Customer Authentication (SCA) is applied—an additional verification factor on top of the regular password, which can use biometric elements, such as the user’s fingerprint or face, or a one-time code sent to the user’s mobile.
Once authentication is complete, the transaction is executed and the payment is made.
All bank details are sent in encrypted form, using JSON arrays for both data input and output, which the user accepts when entering their bank credentials. In general, the volume of data transmitted is not too high, as the customer data, the target account, the amount of the transaction and little else are sufficient. That’s why PISPs can offer highly agile solutions and seamless payment platforms.
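Because so few fields are needed, the receiving side can check a payment initiation message strictly. The following is an added example, not code from this article or from any bank's API: it accepts a JSON message only if it contains exactly the customer name, target account, amount and currency, and it verifies the IBAN checksum. The field names and the sample message are assumptions made for illustration.

```python
import json
import re
from decimal import Decimal

# Hypothetical field names for this example; a real bank API defines its own schema.
ALLOWED_FIELDS = {"debtor_name", "creditor_iban", "amount", "currency"}


def iban_is_valid(iban):
    """ISO 13616 mod-97 check: move the first four characters to the end,
    map letters to numbers (A=10 ... Z=35), and require remainder 1."""
    iban = iban.replace(" ", "").upper()
    if not re.fullmatch(r"[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}", iban):
        return False
    rearranged = iban[4:] + iban[:4]
    return int("".join(str(int(ch, 36)) for ch in rearranged)) % 97 == 1


def validate_payment_request(raw):
    """Return a list of problems; an empty list means the message is accepted."""
    try:
        msg = json.loads(raw)
    except json.JSONDecodeError:
        return ["not valid JSON"]
    if not isinstance(msg, dict):
        return ["top-level value must be a JSON object"]
    problems = []
    extra = sorted(set(msg) - ALLOWED_FIELDS)
    if extra:  # data minimisation: refuse anything beyond the payment itself
        problems.append("unexpected fields: " + ", ".join(extra))
    missing = sorted(ALLOWED_FIELDS - set(msg))
    if missing:
        return problems + ["missing fields: " + ", ".join(missing)]
    if not isinstance(msg["debtor_name"], str) or not msg["debtor_name"].strip():
        problems.append("debtor_name must be a non-empty string")
    iban = msg["creditor_iban"]
    if not isinstance(iban, str) or not iban_is_valid(iban):
        problems.append("creditor_iban fails format or checksum")
    amount = msg["amount"]  # decimal string, never a float
    if not (isinstance(amount, str) and re.fullmatch(r"[0-9]{1,12}\.[0-9]{2}", amount)
            and Decimal(amount) > 0):
        problems.append("amount must be a positive decimal string like '12.50'")
    currency = msg["currency"]
    if not isinstance(currency, str) or not re.fullmatch(r"[A-Z]{3}", currency):
        problems.append("currency must be a three-letter code")
    return problems


# Constructed sample message; the IBAN is a sample value with a valid checksum.
SAMPLE = json.dumps({"debtor_name": "Ana Example", "creditor_iban":
                     "ES9121000418450200051332", "amount": "49.90", "currency": "EUR"})
```

Rejecting unknown fields outright, rather than ignoring them, makes an over-broad request visible at the boundary instead of letting it pass silently.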
What changes in PIS under PSD2?
Although payment initiation services already existed before the PSD2 Directive was implemented, its entry into force has forced banks to open their customers’ data up to third parties, upon request. This new legal requirement is prompting a surge in new companies that aim to offer services through their applications, known as payment initiation service providers (PISP).
These are companies that offer applications that act as intermediaries between financial institutions and merchants, and allow the issuance of direct transfers between banks and the digital store, following authorization by customers.
Some interesting examples of payment initiation service providers in Europe are Trustly in the Scandinavian countries, Sofort in Germany and iDEAL in the Netherlands.
Enhanced security
Security is one of the areas that has been most strengthened by the approval of PSD2. Despite the opening up of bank details, PSD2 ensures that customer security is not compromised. In fact, under the Directive PISPs are obliged to apply a series of strong authentication measures, and are also forbidden from accessing any information other than the data necessary to run the specified service.
Authorized PISPs are also legally required to immediately log out of the user’s bank account once the payment order has been placed and the execution of the transaction completed. All these measures are designed to guarantee that transactions are private and prevent malicious use of customer data.
Applications of payment initiation services (PIS)
As open banking becomes more prevalent, payment initiation will be applied in many sectors and its use will become widespread. It has many different applications, such as:
- Payments between individuals (P2P payments), allowing a person to make a direct transfer from one bank account to another, instantly and from any device such as a mobile. It can be used to make direct payments between users on collaborative and social economy platforms.
- Automatic and conditional payments: one of the fastest growing banking operations in recent years is automatic transfers from one bank account to another. However, PIS aim to go a step further, as they can allow you to schedule transfers conditional on user-defined parameters. For example, a company can make variable payments to all employees who have worked overtime or made sales over a certain amount.
Banking APIs, the element that makes PIS possible
But how is this whole process implemented, technically speaking? It is actually quite simple thanks to the opening-up of banking APIs. Thanks to them, any PISP can access the customers’ banking data in real time and integrate all this information in its applications in a simple, agile and, naturally, standardized way.
In other words, the payment initiation service is not performed by a human being, but by source code that uses all the necessary specifications to ensure that the transaction is carried out properly and without compromising the user’s security.