The advent of payment initiation services has made bank transfers simpler, faster, safer and more cost-effective, making them a viable payment method. The rapid adoption of the PSD2 regulation that governs this innovative method of executing online payments is already attracting new players and technologies, ranging from GAFAs to FinTech startups.
Growing competition within the payment services industry has lead to the availability of more technologically advanced alternatives to executing payment orders from business accounts. The immediate result of this is that we no longer have to rely only on traditional credit card schemes, PayPal payments or similar services.
Given the importance of this new payment service, it’s time to take a deeper dive into what it is, how it works and what it ultimately means for businesses.
Below is a list of some of the most common questions and topics concerning payment initiation today.
What is payment initiation?
Put simply, a payment initiation is conducted when a customer allows a licensed third-party provider (TPP) to execute a payment via direct bank transfer from their bank account. To use this type of payment, the customer must give the TPP consent to use their bank details.
This new method of payment revolutionizes the standard e-banking system. When making an online payment, the user is no longer redirected to an e-payment interface, such as a credit card payment gateway and/or acquiring bank login.
Instead, thanks to payment initiation services, the login is not performed directly. By interfacing directly with the bank, Payment Initiation Service Providers (PISPs) can execute direct payments as a trusted holder of login and transfer credentials that have been authorized on the user’s behalf.
As the name suggests, PISPs are organizations that provide such payment initiation services, such as Unnax’s Payments API. The entire new payment delivery method that PISPs provide is made possible by banks opening access to their customer data through dedicated open APIs. This has recently been mandated by the EU through PSD2, the regulatory framework underpinning Open Banking.
What are the main advantages of payment initiation?
With payment initiation, online payment flows are made faster and more transparent. And because the old multi-layered e-banking system of payment gateways and bank interfaces becomes obsolete, those related additional banks fees are now a thing of the past.
In effect, payment initiation removes the gateway’s middle-man charges.
This competitive pricing is an important factor in adoption, but the technological infrastructure that makes payment initiation possible brings with it numerous other innovative advantages as well.
For example, since payment initiation means communications around payments occur programmatically between APIs instead of human users, it’s then possible to make payment flows more intelligent than ever.
Payment credentials are encrypted as part of the new infrastructure, which adds improved security layers to combat fraud and other malicious cyber threats. Moreover, these encrypted layers can also be tokenized.
When tokenization is engineered into the payment flow, the payee is able to reuse their encrypted credentials to programmatically execute new payment operations. These can then be triggered when certain predefined conditions are met, all without human supervision (although the payment will need to be signed by the user).
In another improvement to old banking norms, payment initiation also allows for real-time direct bank transfers, whereas historically bank transfers could take up to 24 hours to clear. This is because the PISP’s API that interfaces with the bank can route the transfer to an account at the same bank where possible, making it go through in real time.
How does payment initiation technically work?
Open banking does not imply that all your private data is open. In fact, it’s the opposite – no PISP can execute their services without the customer’s consent, following the EU’s PSD2 regulation and a GDPR-compliant notification.
After a customer agrees to allow a TPP to access his/her banking data, a payment interface owned by the PISP will prompt the user. The user then selects their corresponding bank. After that, a login interface for the user’s bank is generated, and the user inputs their online banking credentials as required.
The user’s bank then validates the credentials and authorizes the request of the payment transaction. A digital signature request is then prompted, which is usually collected via a banking interface or mobile application form. In this collection process, Strong Customer Authentication (SCA) is enforced, meaning typically only a single-use code is required from the user to authorize the transaction. Finally, the transaction is executed.
The entire payment initiation script doesn’t require a large volume of technical data to be transmitted. Most services will require, as a bare minimum, the user’s banking credentials, destination account and transaction amount, and little else. This streamlined technical process affords users and PISPs with more fluid payment transaction services.
All banking data is transmitted via encrypted code, typically through JSON arrays (coding used to relay a collection of related items), which are used for both input and output. A user consents to this encrypted transmission when inputting their credentials into the login interface.
Below is a sample of a request used to initiate a payment.
The called script of the request provides the user and credentials.
When the bank validates that the credentials are correct, it then authorizes the request, returning the order status back to the PISP.
Generally, the bank response does not output much data. Because no specific information is being requested, the resulting output is usually a one-line script that reports the status of the transfer: OK or NOT OK.
However, these scripts will be communicated in code, and the receiving PISPs will be responsible for the formatting and integration process for their business customers.
Unlike AISPs, in which the organization is actually requesting information from the bank, PISPs are only calling scripts for a specific function of a direct bank transfer, made between one account and another.
What are some common applications for payment initiation?
The most typical application for payment initiation is a direct bank transfer made when executing online trading with merchants, including payments for utilities or goods and services that are purchased online.
However, payment initiation is bound to extend to other sectors and many more applications as the open banking movement progresses, more advanced functionalities are developed, and the practice of implementing open APIs becomes more ubiquitous.
Some of the applications for payment initiation technology include:
- Peer-to-peer (P2P) money transfers: P2P transfers allow merchants to mediate between different parties and move money between non-owned bank accounts. The merchant can set the source account and destination account themselves, or collect the needed data from the users.
- Use case: direct payments between users on sharing economy and social platforms.
- Instant payments: A function that allows for real-time payments by leveraging a payments API’s intelligence. Instead of using a single, default bank account, the payment can be between accounts at the same bank so it goes through in real time.
- Use case: Delivering loan pay-outs instantaneously from lenders and microlenders.
- Auto payments: Money movements can be automated by programmatic scheduling or condition-based triggers, which communicate with APIs to generate payments once the criteria — such as amounts or transfer dates — are met.
- Use case: Auto-funding bank accounts when they are below a specific threshold.
PSD2 impact on the security of payment initiation services
The PSD2 regulation makes payment initiation services possible by forcing banks to open up their clients’ data upon request. This does not, however, mean that user data can be easily released all over the internet.
In fact, security measures such as Strong Customer Authentication (SCA) are embedded into PSD2, and thus become a mandatory part of PISP technological infrastructure. Under EU law, the PISP is prohibited from accessing any information other than the required data needed to execute the specified service. All PISPs are licensed, and made known by banks when they request this private data.
Furthermore, the interoperability provided by API interfaces allows for PISPs and banks to work together programmatically. This means the payment service is not conducted by a human, but rather a programmed code, which allows oversight by supervisory authorities to ensure no excess data is collected. Licensed PISPs are also legally required to immediately log out after they conduct the banking account login, form the payment order and complete the transaction execution.
PSD2 and the Open Banking movement are set to democratize the financial services industry. Payment initiation is a service that will broaden in its functionality and application reach – meaning what we see today might be just the tip of the iceberg.
Now is the time for FinTech growth, given the knowledge that momentous changes lay on the horizon for the payments industry. The winners in this new landscape will be those that invest in the new transformative technologies and opportunities opened by payment initiation.