
Industry 4.0 has spread worldwide as the new technological revolution of the 21st century: it connects people, countries, businesses and procedures, enables online payments globally and in real time, and this year it is at its peak. We are in the digital, data-driven era, in which innovative technology is adopted by organizations of all sizes to optimize processes and increase automation without human intervention. The media now talk frequently about the Internet of Things, Digital Transformation, Digital Marketing, Blockchain, Big Data, 3D printing, AI, Machine Learning and Smart Cities.

Even though the current Covid-19 outbreak is deeply affecting the world economies, causing business shutdowns and suspending the activity of some specific industries and markets, it is also true that technology has played an important role in responding to its negative economic consequences (an increase in remote working, the use of cloud-based digital platforms, video calls, etc.). In this technological context, building an e-commerce site is more popular than ever, as it helps businesses reach their objectives and sales targets electronically and offers new digital ways to acquire customers, track their activity and generate a wide range of economic and marketing reports, all by means of a website which can be built cheaply and simply.

Wondering about setting up an e-commerce store in Spain? Here are the 4 most important aspects and requirements to be aware of.

What is PSD2 payment regulation?

PSD2 is the European regulation on payment services within the Union. Its main purpose is to ensure the security of payment transactions and customer protection in Europe (including through the application of SCA, “Strong Customer Authentication”). It also obliges banking institutions to grant specific (authorized and supervised) third parties access to their clients’ information so that those third parties can carry out transactions (open banking), which represents a turning point in the history of electronic commerce.

What is the current status of PSD2 in Spain?

Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, which is supplemented by Commission Delegated Regulation (EU) 2018/389 of 27 November 2017, has been partially transposed in Spain through the “Real Decreto-Ley 19/2018, de 23 de Noviembre, de Servicios de Pago y otras medidas urgentes en materia financiera” (original law). The European regulation has been gradually implemented in Spain since 2018, and it represents a huge revolution in the Fintech industry, as it liberalizes financial data and also opens up a legal way to access the bank and obtain customers’ data through API integrations.

The regulation applies to payment service providers:

  • Credit institutions,
  • Electronic money institutions,
  • Post office giro institutions,
  • Payment institutions,
  • The ECB and national central banks,
  • The Member States and public authorities.

The Spanish National Bank, through its informative note issued on 18 October 2019, has granted payment service providers a new due date (31 December 2020) for the full migration to Strong Customer Authentication (SCA) in remote electronic card-based payments.

Strong customer authentication (SCA) and exemptions from its application

E-commerce merchants which carry out transactions in the European Economic Area shall integrate payment service solutions which comply with PSD2 and, where required, apply strong customer authentication standards within their online payment processes.

From now on, it will no longer be enough to enter all the credit card details during an online purchase: the customer must also pass an additional security step, an authentication procedure based on two or more elements from the categories knowledge (PIN code, secret answer, etc.), possession (mobile phone, token, etc.) and inherence (fingerprint, voice, facial recognition, etc.), which results in the generation of an authentication code.

For example, a customer buying a new TV online selects the item, adds it to the shopping cart and initiates the secure payment procedure (https://) on the e-commerce site. To do so, the customer enters personal data and the card data (cardholder, card number, expiry date and security code). This is the first phase of authentication, and until now the e-commerce site was able to charge the amount directly to the customer’s bank account without any additional step. That said, a great number of e-commerce sites were already implementing 3D Secure protocols (two-step authentication) in online payments. From the 1st of January 2021, an additional authentication procedure may be mandatory when purchasing at the merchant website: after the customer enters the credit card data, if the payment service provider has deemed the SCA procedure obligatory, the customer must complete an additional authentication step, which could, for example, be a numeric code received on the mobile phone that is unique to that online purchase.

However, payment service providers shall be allowed not to apply strong customer authentication under the following circumstances: 

  • Contactless payments which do not exceed EUR 50 at the point of sale
  • Unattended terminals for transport fares and parking fees
  • A list of trusted beneficiaries created by the customer
  • Recurring transactions (subscription model)
  • Credit transfers between accounts held by the same natural or legal person
  • Low-value transactions (not exceeding EUR 30)
  • Low-risk transactions, following specific reference fraud rates for either remote electronic card-based payments or remote electronic credit transfers

Ultimately, the customer’s payment service provider (issuer) decides whether an exemption can be applied, regardless of the decision of the e-commerce merchant’s payment service provider (acquirer), and the SCA procedure is carried out through an API.
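As an added example (not code from the article, nor from any payment service provider), the exemption list above and the "two or more categories" rule from the SCA section can be written as one decision function. The transaction data is constructed, the channel names are assumptions, and the TRA fraud-rate bands are taken from Article 18 of Delegated Regulation (EU) 2018/389 for remote card payments rather than from this article.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple, List

KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"

# Amount ceiling (EUR) -> maximum acquirer fraud rate allowed for the TRA
# exemption. Values from RTS Article 18 (remote card payments), not from the article.
TRA_CARD_REFERENCE_RATES = {100: 0.0013, 250: 0.0006, 500: 0.0001}


@dataclass
class Payment:
    amount_eur: float
    channel: str                      # assumed: "remote", "contactless_pos", "unattended_terminal"
    merchant_id: str
    recurring: bool = False
    same_person_transfer: bool = False
    payer_trusted_beneficiaries: Set[str] = field(default_factory=set)
    acquirer_fraud_rate: Optional[float] = None   # e.g. 0.0005 == 0.05 %


def sca_exemption(p: Payment, tra_rates=TRA_CARD_REFERENCE_RATES) -> Optional[str]:
    """Return the first applicable exemption, or None if SCA is required.
    This is the acquirer-side view; the issuer still has the final say."""
    if p.channel == "contactless_pos" and p.amount_eur <= 50:
        return "contactless"
    if p.channel == "unattended_terminal":
        return "unattended_terminal"
    if p.merchant_id in p.payer_trusted_beneficiaries:
        return "trusted_beneficiary"
    if p.recurring:
        return "recurring"
    if p.same_person_transfer:
        return "same_person_transfer"
    if p.channel == "remote" and p.amount_eur <= 30:
        return "low_value"
    # Transaction risk analysis: the lowest band covering the amount has the most
    # lenient rate, so checking bands in ascending order finds the deciding one.
    if p.acquirer_fraud_rate is not None:
        for max_amount, max_rate in sorted(tra_rates.items()):
            if p.amount_eur <= max_amount and p.acquirer_fraud_rate <= max_rate:
                return "low_risk_tra"
    return None


def is_strong_authentication(elements: List[Tuple[str, str]]) -> bool:
    """SCA needs two or more elements drawn from at least two distinct categories;
    two knowledge factors (PIN + secret answer) do not qualify."""
    return len(elements) >= 2 and len({cat for cat, _ in elements}) >= 2


def authorise(p: Payment, presented: List[Tuple[str, str]]) -> str:
    ex = sca_exemption(p)
    if ex:
        return "exempt:" + ex
    return "authenticated" if is_strong_authentication(presented) else "sca_failed"
```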

3D Secure protocol 2.0

To protect electronic transactions from fraud and to provide an appropriate SCA procedure, 3D Secure protocols are designed as an additional layer for online purchases by credit card. Since 2019, a new 3D Secure protocol 2.0 has been available (the “frictionless flow”), which provides a smooth shopping experience for customers and a more user-friendly native mobile integration. E-commerce merchants can now ensure that the authentication process looks and feels consistent with the rest of the website or app.

For all these reasons, e-commerce merchants shall verify that their payment service provider uses a 3D Secure protocol which complies with all the PSD2 requirements, and also examine how the online purchase flow works, in order to minimize friction during the process and improve the user experience by keeping the authentication activity “invisible” to the cardholder. Not to mention that a satisfied customer might add the e-commerce merchant to his list of trusted beneficiaries, which allows the payment service provider not to apply SCA.

Security in the Online Payments vs Sales Conversion Rates

The new regulation imposes on payment service providers the obligation to implement appropriate security measures to guarantee the confidentiality, authenticity and integrity of the information attached to electronic transactions. The measures shall be documented, tested periodically, evaluated and audited in accordance with the applicable laws, in order to offer a banking service adapted to the new technologies.

Although e-commerce merchants are not subject to the PSD2 regulation, they shall keep in mind the relevant direct and indirect consequences that this regulation can have on their day-to-day online operations, and especially the potential negative impact on sales conversion rates: customers facing significant friction in the purchasing journey (too many or too complicated steps…) might abandon the website. For this reason, e-commerce merchants shall explore the possibility of applying exemptions where possible, and work with frictionless-flow payment service providers (3D Secure 2.0) which guarantee full integration (a seamless customer experience) into the merchant’s website, to mitigate the impact of additional security procedures on online payments. It is worth mentioning that false positives might occur when payment service providers apply SCA, which could damage customer satisfaction and the brand, aside from the loss of revenue.

From a commercial standpoint, we recommend providing outstanding customer service, guaranteeing a 100% safe and secure purchasing process and full compliance with the GDPR requirements, so that customers may designate the e-commerce merchant as a trusted beneficiary (SCA exemption). However, the decision will ultimately be at the bank’s (issuer’s) discretion and will depend on the level of fraud exposure. It is also worth checking, when contracting a payment service provider, that it complies with the PCI Security Standards, a standard founded in 2006 by the main credit card brands: a set of 12 security requirements designed to ensure that all online card payments are processed safely, that all sensitive data is safeguarded and that customers are protected from fraudulent use.

To sum up, e-commerce merchants shall strike a balance between security and sales conversion when choosing a payment service provider.

Allocation of Liability between the Payment Service Providers for unauthorized payments

Specifically, the allocation of liability between the payment service provider servicing the account (issuer) and the payment initiation service provider (acquirer) involved in the transaction should compel each of them to take responsibility for the parts of the transaction under their control; in other words, liability for any fraud depends on how the transaction was authenticated. For these reasons, payment service providers shall perform a thorough risk analysis and implement reinforced technical measures before applying an exemption, in order not to be liable for the unauthorized or fraudulent payment.

E-commerce merchants shall read carefully the terms and conditions signed with the payment service provider, especially regarding any allocation of liability to the e-commerce merchant, and also the technical and security measures (3D Secure and PCI DSS) implemented during the purchase process in order to be compliant with the GDPR and PSD2.

Future challenges

The main purpose of this new regulation is to make payment services safe and secure for consumers and retailers and to enable new, innovative digital payment solutions. Once the new PSD2 regulation fully enters into force, it is clear that in the long run, for e-commerce merchants, obtaining the status of “safe commerce” and being GDPR and PSD2 compliant will generate a strong competitive advantage over the competition, which in the end will make it easier for customers to include them in their lists of trusted beneficiaries and for an SCA exemption to apply when purchasing online. It will also be worth seeing how the low-risk transaction exemption is applied, and how payment service providers and e-commerce merchants contractually allocate liability for fraudulent transactions.

Tell us your goal and we will build a plan!

You are welcome to contact us with any questions about company formation or other legal procedures. Advice from corporate lawyers in the early stages will keep you from problems later on. Get free advice now!