PSD2 Compliance: What Is It & How It Impacts Your Business

The EU framework known as PSD2 came into effect in late 2020.

Aiming to streamline collaboration and participation in the payments industry, it is still somewhat confusing and often misunderstood – as are the compliance mandates it has introduced.

Here’s everything you need to know.

What Is PSD2?

Short for Payment Services Directive 2, PSD2 is a framework designed by the European Commission to regulate electronic payments and the European banking ecosystem, in order to allow for better consumer protection, boost competition and innovation, and cover all legal bases when it comes to payments within the European Union.

It replaced the previous Payment Services Directive, which went into force on the 25th of December 2007. 

The second directive came into full effect on September 14, 2019, although some deadlines were extended until the end of 2020 to implement SCA (Strong Customer Authentication).

Coming up after PSD2 is PSD3, the updated version of the Payment Services Directive. Although PSD3 has not been fully defined or implemented yet, consultations have started. It is set to update the requirements for electronic payments further, with the aim of streamlining processes and keeping customers and organizations safe.

Why Does a Business Need to Be PSD2 Compliant?

According to the EU, PSD2 is needed for various reasons:

• To harmonize EU banks’ legal framework: By standardizing compliance across borders, PSD2 aims to simplify regulations and reduce costs.
  
• To increase banking transparency and security: A unified banking market is also supposed to have consumer benefits. Financial institutions must increase their transparency which will help consumers gain better market information.
  
• To level the playing field for payment service providers: By creating a foundation for payment service providers, the EU aims to boost innovation and competition, and create equal opportunities for PSPs.
  

Who Is Impacted by the PSD2 Regulation?

While PSD2 is mainly designed with consumers in mind, various players are impacted by the directive.

Banks Operating in the EU

Banks operating in the EU are forced to open their bank payment services to third parties. This is part of the open banking strategy designed to foster competition, remove monopolies, and allow more transparency between banks and their customers.

Under the PSD2, financial institutions must share information related to balances, accounts, and movements of funds with companies to which the consumer has granted access. They also have to allow payments made by third-party service providers. To that end, banks must deploy Payment Initiation Services (PIS) to bridge payments between merchants and customer accounts.

Payment Service Providers

PSD2 introduces security requirements designed to reduce fraud and criminal activity related to payments. PSPs are required to apply SCA, or Strong Customer Authentication, when a payer initiates an electronic transaction. 

SCA is a form of MFA, or multi-factor authentication designed to link a payment to a user. Online payments also require a dynamic link to the amount of the transaction and the payee’s account. 

Note that certain kinds of payments are exempt, such as low-value payments, or for companies who can prove that they have other forms of authentication in place, such as a fraud detection system.

Brokerages

Under PSD2, banks and brokerages need to increase transparency in how they calculate exchange rates. They are also banned from charging certain exchange fees.

Consumers

PSD2 opens the door to Payment Initiation Services Providers (PISPs) and Account Information Services Providers (AISPs). Both types of services help customers make payments directly to merchants from their bank accounts, and are essentially alternatives to credit card payments. 

The idea behind these services is to reduce the complexity of online payments in order to make them safer and more secure. 

When it comes to financial services, PSD2 is also designed to help consumers. The idea of open banking is to foster competition between third-party services that can offer financial products independently of the customers’ banks. 

Since its introduction, PSD2 and open banking have helped customers access more services from neobanks and challenger banks, as well as mortgage applications, money management, and other financial products.  

Which Regions Are Impacted by PSD2?

PSD2 is a European directive. It only affects countries in the European Union. Since Brexit, for instance, the UK is not bound by the PSD2. 

However, global companies may need to meet PSD2 compliance when dealing with European users.

PSD2 Compliance Requirements and Controls

Here is a list of requirements and controls your business should follow to meet PSD2 requirements. 

Open APIs for Third-Party Access

Open banking is built on open APIs – specifically, APIs allowing third-party providers to access customer account information. Once the customer grants access, account information service providers (AISPs) should be able to grab the right data via API calls.

Strong Customer Authentication

A key part of PSD2 compliance is meeting requirements for Strong Customer Authentication (SCA). This is a form of MFA that aims to link every transaction to:

• Something the customer owns: device, card details
• Something the customer knows: password, PIN, passphrase
• Something the customer is: biometrics such as fingerprint, face ID, voice pattern

Better Transparency

Under PSD2, companies need to provide as much transparency as possible when it comes to terms and conditions, currency conversion rates, and what financial products do. 

Faster Complaint Resolution

Payment service providers are required to resolve complaints in a timely manner. Incidents must also be reported to EU regulatory bodies – for instance, in the event of a data breach or a GDPR issue.

Removing Credit Card Surcharges

B2C and B2B companies in ticketing, food, and travel or deliveries aren’t allowed to add extra charges for processing credit card payments. 

Security Issues With PSD2

PSD2 simplifies the complex banking and payment ecosystem, but it is not without its challenges. Accounts become more valuable when linked to banking APIs, which is an incentive for fraudsters. 

Security problems may also arise when all the payment data is shared by multiple parties. AML compliance is also harder to track when all the information is passed around. You can read more about the risks of open banking in our in-depth article.

PSD2 Compliance: How SEON Can Help

SEON is a powerful fraud detection solution that monitors customers from the moment they land on your site to the moment they initiate online transactions. 

You can use SEON to extract user data in order to verify their IDs and ensure they are the legitimate cardholder and that they are properly authenticated when logging in.

In short, SEON allows you to reduce fraud rates, improve ID proofing compliance, and meet SCA exemption requirements to make business in the EU faster and more profitable.

FAQ