PSD2 Compliance

So in a few months the PSD2 deadline will be here. I haven’t heard much talk here or elsewhere about PSD2, which, considering we are literally months away, I found strange; it’s one of the biggest changes to payments that we will see for a long time.

Basically the new rules state that all payments have to meet 2 of 3 elements.

1. Something you know (for example a password)
2. Something you have (for example your phone)
3. Something you are (for example your fingerprint)

Mastercard already have the technology in testing, called Mastercard Identity Check. Basically 3DS covers this, but Identity Check is just a standalone version in testing to ensure compliance.

Barclays have a system in place already, its PINsentry system fulfills the requirements.

VPay from Visa is also compliant.

There are exceptions, for example Amazon will allow you to whitelist them with your bank, which means you won’t need any additional security to use Amazon.

Low value transactions won’t be covered either.

The only way to make it work is if people are used to 3DS or VPay now, before the deadline; otherwise people are just going to not bother with the extra hassle of buying things, and with this Mastercard have been slow.

Who’s going to want to shop with Argos and then have to log into online banking to generate a code? People just won’t do it.

Worldpay, for example, have their 3DS Flex product, which is basically 3D Secure for Worldpay merchants.

Barclays have a combined Visa and Mastercard product, but a lot of the other processors are still not ready for the changes.

Banking wise, even Starling doesn’t have a compliant product.

2 Likes

Yeah, I’m not looking forward to this. Online shopping is gonna be such a hassle.

I also don’t really see why? The customer isn’t on the hook for fraud so he has nothing to gain. The banks won’t be too keen on it, as they want to make it easy to use their card. The merchant wants to make shopping easy. Who is actually profiting from this? I really can’t see any positive in it…

2 Likes

I understand the reasoning why, and it’s purely because of the laziness of banks and card companies.

Fraud is horrendously high with online transactions, and despite having the facility to lower the rate of fraud, they didn’t bother doing it.

Fraud losses on UK issued cards totalled £618.0 million in 2016, a 9% increase from £567.5 million in 2015; the fifth consecutive year of increase and higher than the peak of £609.9 million seen in 2008. At the same time, total spending on all debit and credit cards reached £904 billion in 2016, with 19.1 billion transactions made during the year.

We, the customers, pay for that fraud. When new banks launch and don’t even see security as a priority, that shows what the problem is. Take both Starling and Monzo.

So regulation was the only way to force action. We know the likes of Visa and Mastercard won’t act until forced to. Banks don’t like change, so won’t change unless they have to.


2 Likes

Isn’t texting a code all that’s needed? I do wonder about recurring payments charged to your card, like Netflix.

1 Like

Yes, providing you are not using your phone to order. A text code doesn’t come under the something you have, it comes under something you know, but there is a part that states something about you can’t use something for two things…

Netflix shouldn’t have an issue, it’s low value. Recurring payments are not currently covered by the September 2019 deadline.

That could be tricky to work out…

1 Like

I’m sure banks will find a way round that. Technically though, using a text on your phone defeats the object of the system, so it isn’t allowed under the regulations if you are using your phone to order.

1 Like
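As an added illustration (my own code, not any poster’s and not any bank’s real SCA logic) of the two-of-three rule and the exemptions from the first post, plus the later point that a text code sent to the phone you are ordering from should not count as a separate element: a small Python checker. The EUR 30 low-value limit comes from the RTS and is assumed here (the thread gives no figure), and which category a given method falls into is the issuer’s decision; the sample factors only assume one.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

KNOW, HAVE, ARE = "know", "have", "are"   # the three element types from the first post
LOW_VALUE_LIMIT_EUR = 30.0   # assumed: the RTS figure for remote low-value payments

@dataclass(frozen=True)
class Factor:
    name: str
    category: str                       # KNOW, HAVE or ARE
    delivered_to: Optional[str] = None  # device a one-time code is sent to, if any

@dataclass(frozen=True)
class Payment:
    amount_eur: float
    merchant: str
    initiating_device: str   # device the customer is ordering from
    recurring: bool = False

def sca_exemption(p: Payment, trusted: FrozenSet[str]) -> Optional[str]:
    """Exemptions the thread mentions: whitelisted merchant, recurring, low value."""
    if p.merchant in trusted:
        return "trusted beneficiary"
    if p.recurring:
        return "recurring payment"
    if p.amount_eur <= LOW_VALUE_LIMIT_EUR:
        return "low value"
    return None

def independent_factors(p: Payment, factors: List[Factor]) -> List[Factor]:
    """One factor per category; a code delivered to the ordering device is not counted."""
    by_cat = {}
    for f in factors:
        if f.delivered_to is not None and f.delivered_to == p.initiating_device:
            continue
        by_cat.setdefault(f.category, f)
    return list(by_cat.values())

def check_sca(p: Payment, factors: List[Factor],
              trusted: FrozenSet[str] = frozenset()) -> Tuple[bool, str]:
    ex = sca_exemption(p, trusted)
    if ex:
        return True, "exempt: " + ex
    ok = independent_factors(p, factors)
    if len(ok) >= 2:
        return True, "SCA met: " + " + ".join(f.name for f in ok)
    return False, "SCA not met: " + (", ".join(f.name for f in ok) or "no factor") + " counted"

# Constructed sample factors; the category assigned to each is an assumption, not a rule
PASSWORD = Factor("password", KNOW)
SMS_CODE = Factor("SMS code", HAVE, delivered_to="phone")
CARD_READER = Factor("card reader code", HAVE)
```

For an order placed from the phone, `check_sca(order, [PASSWORD, SMS_CODE])` fails because the SMS code lands on the ordering device, while `[PASSWORD, CARD_READER]` passes.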

I don’t disagree, but the cynic (realist?) in me suspects the banks will pocket any gains from reduced fraud rather than passing the savings on to us.

Also, interesting info in that post, thanks.

HSBC have announced that customers will shortly have to use their Secure Keys to log in to internet or mobile banking, as they will be removing the option of using just a password.

They are blaming PSD2 for this change.

I imagine First Direct won’t be far behind, and I wonder about other banks?

What a pain.

The password-only login was pretty much view-only; it was pretty much pointless, to be honest.

On top of reading transactions and statements, you could do some more active tasks like transfers to previously-created payees and (I think) use secure messaging. I appreciated not having to use a secure key for these activities.

Yes, the password option allows/allowed me to do what I needed to do normally, all without having to use the SecureKey on the website; as such I doubt I have used it for several years.

They are also making it compulsory for their mobile app.

It’s great, I use FaceID to get access quickly and can transfer money out of my account.
Annoyingly, I have an HSBC bank account only so I can have a user ID to let me see my mortgage! I have to transfer part of my salary in and out each month. This may be the final nail in the coffin.

Looks like Nationwide are also going to be more painful:

we’ll also ask you to enter your date of birth alongside your customer number when you log into the Internet Bank – this extra step is there every time you log in.

https://www.nationwide.co.uk/support/support-articles/security/strong-customer-authentication

How ridiculous

I actually think Nationwide’s changes are an improvement overall. Previously you couldn’t get round needing the card reader to authenticate things like setting up a new payee. It looks like it’s going to be possible to authenticate through the banking app in the future. I’ll take that, even if it comes with an increase in the number of tasks authentication is needed for.

I don’t know: I log into online banking once a month, but only need the card reader to approve a new payee once in a blue moon. So, for me personally, making login harder has a stronger impact than no longer requiring the card reader.

(Nor do I see how entering my customer number and DOB increases security in the slightest!)

How is this going to work if the mobile app is itself the digital secure key (which looks like it will remain an option for HSBC and is going to become an option for Nationwide)?

Perhaps they are referring to logging into instances of the mobile app that are not designated as a secure key (e.g. logging into an iPad app if your phone app is the designated secure key, or logging into your phone app if you are still using a physical secure key)?