MaSI

Specific problems for payment providers when applying internal company guidelines to external partner companies

Due to the increasing complexity of the financial solutions on offer, new regulations for the financial markets cover more and more areas, payment transactions among them. Developments in digital banking and e-commerce prompted the European Parliament to vote on the PSD (Payment Services Directive) and PSD 2 directives. PSD 2 [1] deals with increased security in payment transactions and is a big step towards deeper integration of the internal payments market. Since PSD 2 is to come into effect in 2018, some authorities have already issued documents that define the minimum requirements for internet payments on the basis of PSD 1. Examples are the EBA (European Banking Authority) guidelines (based on the SecuRe Pay forum recommendations) and the MaSI (minimum requirements for the security of internet payments) [2] issued by BaFin, which implements the EBA guidelines in Germany.

MaSI consists of 14 parts that define the main requirements for payment service providers (PSPs). These include governance, risk assessment and control, identification of customers and protection of sensitive payment data. A quick look at the MaSI document leads to the conclusion that the new requirements enforce a broader framework that reaches far outside the PSP's own corporate landscape. One such topic is cooperation with e-merchants (Part 3 of MaSI). According to these regulations, PSPs should monitor the activities of the e-merchant (who stores and processes sensitive payment data) and check whether the merchant has the necessary precautions in place to protect this data. If the e-merchant has no or inadequate security measures, the PSP should enforce contractual provisions or terminate the contract. Other important recommendations are found in Part 12 of MaSI, which defines the requirements for communication with customers and obliges PSPs to provide at least one secure channel for communicating with them. In addition, the PSP should oblige the e-merchant to clearly separate the payment process from the e-shop so that customers can more easily determine whether they are communicating with the payment provider or with the e-shop.

PSPs are also obliged by MaSI to carry out payment transactions with the help of dedicated software (Part 10). This is also an important challenge for the IT landscape of the PSPs.

The topics mentioned above are only a selection of the challenges that PSPs face as a result of implementing PSD 2. If you would like to learn more about how MaSI / PSD affects your payment transactions, give us a call or send us an email.


[1] DIRECTIVE (EU) 2015/2366 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 25 November 2015
[2] www.bafin.de/SharedDocs/Veroeffentlichungen/DE/Rundschreiben/2015/rs_1504_ba_MA_Internetzahlungen.html