Open Banking payments
This article describes payment transactions in an Open Banking environment. It explains what PSD2 is and how it affects banking. It describes what a Payment Initiation Service and a Payment Initiation Service Provider are and how they benefit from PSD2. It also explains what an Account Servicing Payment Service Provider is.
Payments in a nutshell
In online banking, a payment is a digital transfer of money in exchange for services or goods. It takes place on a secure website or application operated by a banking institution. Payments are typically made after the terms have been agreed upon by all parties involved. In other words, the payer (the person making the payment) must come to an agreement with the payee (the person receiving the funds for their services or goods).
Open Banking payments include the following:
Domestic payments, which are made within one country between a payer who holds an account or a credit/debit card in that country and a merchant whose account is registered in the same country.
Domestic scheduled payments, which are domestic payments that take place on a specified date in the future.
Domestic standing orders, which are instructions from the payer to their bank to pay a specific amount of funds to a payee at regular and set intervals.
International payments, which are made between payers and payees that have their accounts/credit cards in different countries.
International scheduled payments, which are international payments that take place on a specified date in the future.
File payments, also called bulk or batch payments, which are a series of multiple payment actions made from one payment account.
Revised Payment Services Directive (PSD2) is a set of laws and regulations for payment services in the European Union (EU) and the European Economic Area (EEA). Its main goal is to make the European payments market more efficient and integrated, but it also aims to:
Make it easier for new institutions and initiatives to come into the payments market
Make payments safer and more secure, thus reducing the risk of fraud
Promote the development and use of innovative online and mobile payments (such as Open Banking)
PSD2 was adopted in October 2015, but the most important changes for payments in the context of Open Banking came into force in January 2018. Since that date, all European banks must comply with the European Union regulations on the technical standards for strong customer authentication and for common and secure open standards of communication.
Remember that the regulations provided by PSD2 apply to payment transactions that take place within the European Union. If a payment transaction comes from outside of the EU, strong customer authentication is not required.
To learn more about PSD2 regulations, see the Revised Payment Services Directive.
Strong customer authentication
PSD2, in Article 4, point 29, defines authentication as a procedure that allows the payment service provider to verify the identity of a payment service user or the validity of the use of a specific payment instrument, including the use of the user’s personalized security credentials.
Strong customer authentication (SCA) is a requirement of PSD2 for payment service providers. It ensures that all electronic payments are performed with multi-factor authentication to increase the level of security.
Article 4, point 30, of PSD2 defines SCA as authentication based on the use of two or more elements categorized as knowledge (something only the user knows), possession (something only the user possesses), and inherence (something the user is). The elements must be independent, so that the breach of one does not compromise the reliability of the others, and the procedure must be designed to protect the confidentiality of the authentication data.
SCA must take place when the payer:
Accesses their payment account online.
Initiates any electronic payment transaction.
Performs any action through a remote channel which may imply a risk of payment fraud or other abuses.
In terms of security, European banks had to update the authentication elements they provide to their customers, for example by replacing existing solutions with text messages sent to a cell phone or with more advanced access tokens.
Payment Initiation Service
Payment Initiation Services (PIS) enable customers to instantly transfer money between their accounts at different banks and to make online purchases. The process takes place within the application or website the customer is using.
Payment Initiation Service flow
A customer, using a third-party provider’s application or website, clicks the Pay Now button.
The customer’s banking interface opens and allows the customer to authenticate.
A payment consent containing all the details, such as the amount, description, and payee, is presented to the customer for approval.
To learn more about consents, see the How consents are managed in Open Banking documentation.
If the customer approves the transaction, the TPP executes it instantly.
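The consent step of the flow above, together with the SCA element rule from Article 4, point 30, as an added example that is not part of this documentation or of ACP: a toy ASPSP-side consent store in which a PISP creates a payment consent, the payer authorises it only when the presented elements span at least two SCA categories, and the later payment instruction is accepted only if it matches the consented amount, currency and payee, comes from the same PISP, and the consent has not already been used. All names, statuses and element labels are hypothetical.

```python
from dataclasses import dataclass, field
import secrets

# PSD2 Art. 4(30) element categories; the element names are hypothetical.
CATEGORIES = {"password": "knowledge", "pin": "knowledge",
              "otp_device": "possession", "sms_otp": "possession",
              "fingerprint": "inherence", "face": "inherence"}

def satisfies_sca(elements):
    """Two or more elements from *different* categories: password + PIN is one factor."""
    return len({CATEGORIES[e] for e in elements if e in CATEGORIES}) >= 2

@dataclass
class PaymentConsent:
    pisp_client_id: str   # OAuth client (PISP) that created the consent
    amount: str
    currency: str
    payee_account: str
    status: str = "AwaitingAuthorisation"
    psu_id: str = ""      # payer bound to the consent at authorisation time
    consent_id: str = field(default_factory=lambda: secrets.token_urlsafe(16))

class ASPSP:
    def __init__(self):
        self.consents = {}  # consent_id -> PaymentConsent (toy in-memory store)

    def create_consent(self, pisp_client_id, amount, currency, payee_account):
        c = PaymentConsent(pisp_client_id, amount, currency, payee_account)
        self.consents[c.consent_id] = c
        return c.consent_id

    def authorise(self, consent_id, psu_id, elements):
        """Bank-side authorisation: the payer must pass SCA before the consent is usable."""
        c = self.consents[consent_id]
        if c.status != "AwaitingAuthorisation" or not satisfies_sca(elements):
            c.status = "Rejected"
            return False
        c.status, c.psu_id = "Authorised", psu_id
        return True

    def execute_payment(self, consent_id, pisp_client_id, amount, currency, payee_account):
        c = self.consents.get(consent_id)
        if c is None or c.status != "Authorised":
            return "rejected: no authorised consent"
        if c.pisp_client_id != pisp_client_id:
            return "rejected: consent belongs to a different PISP"
        if (amount, currency, payee_account) != (c.amount, c.currency, c.payee_account):
            return "rejected: instruction differs from consented details"
        c.status = "Consumed"  # one consent authorises exactly one payment
        return "accepted"
```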
Payment Initiation Services Providers
Payment Initiation Services Providers (PISPs) are service providers that facilitate the use of online banking to make payments online. They create an interface that bridges the gap between the customer’s account and the merchant’s account. They provide the bank with all the information needed to execute a payment transaction (for example, the amount of funds or the account number), and they inform the merchant that a transaction is taking place. In other words, PISPs access consumer and business accounts directly through the bank’s APIs.
Before PSD2 came into force, Third-Party Providers found it difficult to offer larger-scale solutions, as online banking was not regulated consistently across the countries belonging to the EU or the EEA. Now the payments market is much more accessible to new players, and it is easier for existing actors to provide such services. Both new players and existing actors have to comply with the same rules as traditional service providers, such as authorization, registration, and supervision by the competent authorities.
Account Servicing Payment Service Provider
Account Servicing Payment Service Providers (ASPSPs) provide and maintain payment accounts for payment service users. They may be a bank or a similar institution. PSD2 requires ASPSPs to publish READ/WRITE APIs that enable their customers to share their account and transaction data with third-party providers (TPPs), such as PISPs.
How ACP supports OB payment services
Authorization Control Plane (ACP) can be treated as a safeguard for Account Servicing Payment Service Providers. ACP can be used to authenticate and authorize OAuth client applications (in this case, PISPs) and to authenticate the customers who are trying to make online transactions. Such user authentication can also be enhanced by ACP with strong customer authentication if needed. ACP also makes it possible to create and manage custom consent pages that can be used to obtain payment authorization from the users (payers).