PSD2

PSD2 is the revised Payment Service Directive, a piece of legislation administered by the European Commission and mandated in 2009. PSD2 requires Europe’s banks to give regulated third-party providers (TPPs) access to customers’ account information and payment initiation, with the customers’ permission and consent.

The Berlin Group

The Berlin Group consists of almost 40 banks, associations and Payment Service Providers from across the EU. They have defined a common API standard called NextGenPSD2 for the use cases specified in PSD2. 

NextGenPSD2

Based on the PSD2 and European Banking Authority - Regulatory Technical Standards (RTS) requirements, the Berlin Group has worked on a detailed Access to Account (XS2A) Framework named NextGenPSD2 with data models and associated messaging.

Open Banking

Open banking has been introduced to make banking a more competitive business. Its main goals are offering greater financial transparency, a shared chance of success for all financial service providers, and more innovative services to the consumers.

Current banking practice requires a customer or merchant to maintain separate relationships with different financial institutions to achieve their financial goals. Open banking gives the customer a more consolidated experience by allowing banks to expose their functionality via APIs.

Stakeholders

PSU

A PSU (Payment Service User) is a person who makes use of a payment service in the capacity of either a payer, payee, or both. 

PSP

A Payment Services Provider (PSP) is an entity which carries out regulated payment services, including AISPs, PISPs, CBPIIs, and ASPSPs.

ASPSP

An Account Servicing Payment Service Provider (ASPSP) is a PSP that provides and maintains a payment account for a payer. Examples of ASPSPs are banks and credit card issuers. The ASPSPs are obligated to grant access to the account and transaction data on their customers’ payment accounts through APIs. 

TPP

A Third-Party Provider (TPP) is an authorized third-party that allows merchants to accept a wide variety of payments through a single channel/third-party application, and manage the entire transaction process from start to finish. This means the TPP is responsible for the transaction flow starting from the moment a customer inputs the credit card details to the moment the funds appear in the merchant's bank account. In this process, the bank continues to be the gatekeeper of the customer's information and requires the third-party to produce a security token to access the customer's bank details.

A TPP can be categorized into the following types: AISP, PISP, and PIISP. The customer's own bank can also offer AISP and PISP services.

AISP

An Account Information Service Provider (AISP) provides an aggregated view of all the accounts and past transactions that a customer has with different banks. To provide this view to the customer, the AISP should have authorization from the customer to view the corresponding transaction and balance information of all the payment accounts. The AISPs can also provide the facility to analyze the customer's spending patterns, expenses, and financial needs. Unlike a PISP, an AISP cannot transfer funds from a payment account. The following diagram depicts a generic AISP flow:

To view a live demo of the AISP flow of events, see AISP demo.

PISP

A Payment Initiation Service Provider (PISP) initiates credit transfers on behalf of a bank's customer.

The following diagram depicts a generic PISP flow:

To view a live demo of the PISP flow of events, see PISP demo.

PIISP/CBPII

A Payment Instrument Issuing Service Provider (PIISP) is a PSP that verifies whether a given payment amount is covered by the funds in the PSU's account. Examples of PIISPs are banks and credit card issuers, which are obligated to verify through APIs whether a given payment amount can be covered by the PSU's account.

A Card-Based Payment Instrument Issuer (CBPII) is a PSP (ASPSP/TPP) that issues card-based payment instruments. Those cards can be used to initiate a payment transaction between an ASPSP and another PSP.

Standards

GDPR

The General Data Protection Regulation (GDPR) is a new legal framework formalized in the European Union (EU) in 2016 that comes into effect from 28 May 2018. GDPR effectively replaces the previously used EU Data Protection Directive (DPD).

Regulatory Technical Standards (RTS)

The European Banking Authority (EBA) published Regulatory Technical Standards (RTS). PSD2 refers to RTS for technical guidance on authentication, authorisation, and other security aspects.

RTS also defines when and how to apply Strong Customer Authentication (SCA), taking the requirements of PSD2 into account.

FAPI

Financial-grade API (FAPI) is an industry-led specification of JSON data schemas, security and privacy protocols to support use cases in the financial industry and other industries that require higher security. FinTech developers can accelerate secure open banking with FAPI. It uses OAuth 2.0 and OpenID Connect (OIDC) as its base and defines additional technical requirements.

ISO/IEC 27001

ISO/IEC 27001 is the internationally recognised specification for an Information Security Management System (ISMS), and it is one of the most popular standards for information security.
