Online payments: How 3D-S & PSD2 impact your company credit card

There are big changes coming to the way credit cards work online. Positive plans are in place to reduce fraudulent and make online shopping safer for everyone - both in our private and professional lives.

The European Union has set out clear regulations for online payments, which are beginning to kick in. And these are designed to ensure that the person making a payment is actually the credit card holder.

Which is good news for businesses. You can be more confident that your company card won’t be used for dodgy stuff.

But it also means that some habits are going to have to change. For companies with more fluid (read: risky) spending habits, these changes may soon become annoying.

This article breaks it all down for you, and explains what you should do if you’re still relying on a few company credit cards.

What is PSD2?

PSD2 is the second version of the what was originally PSD - the Payment Services Directive. Passed in 2007, this regulation created a single scheme for payments processing within the EU and European Economic Area (EEA).

In short, the goal was to have one set of rules that govern banks and credit card companies, alongside more modern payment methods that emerged in the past decade-plus. PSD lets these new providers compete on the same level as more established, traditional companies.

PSD vs PSD2

PSD2 is an update to the original Payment Services Directive which replaced PSD in 2015. The principles and objectives remain the same, but the regulations bring an increased focus on consumer security, reducing fraud, and empowering open banking.

What are the key changes?

For the most part, PSD2 (and the original PSD) impacts payment service providers. It sets out rules determining that kinds of companies that can provide these services, the nature of the services they can provide, and other technical details.

But it also sets out “business conduct rules” which govern how these providers deliver these services. And these have a direct impact on consumers, including other businesses.

Because many of these have been in place since the original PSD, we won’t explain all of them here. They’ll already be second nature to most readers.

But there’s one key change you may have noticed, that can have a big impact on your online payments.

Strong customer authentication (SCA)

The updates under PSD2 require payment service providers to ensure that transactions are made with multi-factor authentication. This is a particular issue for online transactions, where it’s harder to verify the buyer’s identity.

So as you may already have noticed, most online payments now require a second step before processing the purchase. This is usually a four- or six-digit code sent by SMS (or occasionally email), to confirm payment.

This protocol - known as 3D-Secure (3D-S) - ensures that the transaction is made by the person registered for that credit card, and not a thief or hacker.

What about physical cards? In most cases, physical credit cards already have two-factor authentication: chip and PIN. And since most contactless transactions have to be under a certain amount, the harm is mitigated.

Fun fact: it doesn’t have to be an SMS

Most service providers and banks have opted for 3D-S because it’s industry standard and relatively easy to administer. But while Article 4(30) of PSD2 defines "strong customer authentication," it doesn’t actually mandate a specific method for payment service providers:

an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data

Who is responsible for making the switch?

Interestingly, it’s the payment service provider that needs to stay compliant. Which is not the same as your bank or credit card company.

For example, if you shop on Amazon (more like when you shop on Amazon), you may be asked to confirm your identity at checkout. But it’s not your bank that enforces this - it’s Amazon. Otherwise, it may choose not to accept your card.

Which means that credit card companies (including issuing banks) need to put the technology in place if they want customers to be able to spend. And therefore, you’ve likely had to register a phone number with your bank, and it’s the bank that sends the code by SMS.

But it’s the merchant (and their payment service provider) that enforces this. That’s why on some websites you’ll be asked for proof of identity, and on others you won’t. Not every merchant is compliant with the regulations.

When do these changes take effect?

In fact, PSD2 has already kicked in. It was passed in 2015, but with the understanding that it would take a few years for countries and companies to get up to speed. It took force for real at the beginning of 2018. But even then, there was a grace period included.

So here’s the most important date for spenders: As of 14 September 2019, every company doing business in the EU should be PSD2 compliant. You’ll likely already have noticed the need to prove your identity.

So is PSD2 already in full effect?

Not exactly. To give businesses time to catch up, most of the countries concerned (including the U.K., France, and Germany) have set a grace period of 18 months. So while the regulations are live, financial regulators (like the FCA in Britain) won’t actually enforce them.

So it’s completely up to payment service providers whether they require SCA or not. And since many believed that 14 September 2019 would be the deadline, they’ve already made this switch.

In other words, some merchants require it, and some don’t. But soon enough they will all have to, which means you might as well prepare for this now.

The impact of PSD2 on your company credit card

Now for the most important part: what this actually means for you. As a business leader, you constantly need to pay for things online. And if you share one or two credit cards around the office - or even write the details on a Post-It note for team members - you’re going to have problems.

That’s because every credit card will need to have a phone number associated with it - to let you, the purchaser identify yourself.

So what are your options?

Stick with the card(s) you have

Of course, you can choose to put up with the system you currently use. If someone in the office needs to buy something online, they ask the office manager or CEO directly, borrow the card, and then get the code from the same person to complete payment.

If you’re a small team, it’s not that bad. But what happens if that person is out-of-office on the day in question? Even if you have the card details, you won’t be able to complete the payment.

With this option, you either need to have enough corporate cards that someone responsible will always be available, or you may need to wait a few days to purchase something.

Pros: Payments are controlled by cardholders

Cons: Highly inefficient; lots of failed payments

Give corporate credit cards to more staff

This can scare some businesses. The corporate credit card often has no limit. Meaning that you have very little control - other than clear guidelines - over what employees purchase.

Again, if the company is small enough, you can probably trust the people around you. But it’s certainly risky. And it places extra burden on your finance team to reconcile all of these credit card payments every month.

Pros: Staff have access to funds

Cons: Lack of control; more work for finance and accounting

Try a spend management system

The third (and best) option gives your team members access to company money in a controlled and efficient manner. A spend management platform lets every employee make online payments using a unique virtual credit card (VCC). They can do this from their own computer - anywhere in the world - and managers and finance teams will still have visibility over payments, and the ability to say “no.”

Here’s how this works in a nutshell:

1. Every employee has a login and profile on the platform. They’re part of an assigned team, with a budget manager and set limits to work within.

2. As part of their profile, they register their phone number on the system.

3. When they make a payment, they request approval from their manager through the platform. Nobody needs to leave the comfort of their own desk.

4. Once approved, they’re shown unique virtual credit card details. These exist only for this payment (or for recurring payments for subscriptions), so the risk of fraud is essentially nil.

5. At checkout, they receive a secret PIN code on their mobile phone.

6. They complete payment.

7. The payment details and approval are automatically sent to the finance team, who can immediately push it to their accounting tool.

That’s the process. There’s no need for a physical card at any point, and this can be done instantly from anywhere.

Another good reason to move on from the company card

Even if you’re relatively happy with the credit cards you have, you may not be for long. Sharing a company card (or a handful) is soon going to be more trouble than it’s worth.

Instead, you’re better to choose a spend management system that gives your whole team access to funds in a safe, controlled environment.

Platforms like Spendesk also come with:

• Physical expense cards to use in-store and on the road

• Invoice management tools that let anyone submit invoices flawlessly in seconds

• Expense report automation for those employees caught without their card

• Approval workflows so managers can keep a close eye on budgets

• Accounting integrations that save hours at the end of every month

See if Spendesk is the right option for your business:

More company credit card resources

• The modern approach to the corporate credit card

• Why the company credit card is broken, and how to fix it

• How to choose a virtual credit card for your business