
What Is PSD2?

Short for Payment Services Directive 2, PSD2 is a framework designed by the European Commission to regulate electronic payments and the European banking ecosystem, in order to allow for better consumer protection, boost competition and innovation, and cover all legal bases when it comes to payments within the European Union.

It replaced the previous Payment Services Directive, which went into force on the 25th of December 2007. 

The second directive came into full effect on September 14, 2019, although some deadlines were extended up until the end of 2020 to implement SCA (Strong Customer Authentication).

Why Does a Business Need to Be PSD2 Compliant?

According to the EU, PSD2 is needed for various reasons:

  • To harmonize EU banks’ legal framework: By standardizing compliance across borders, PSD2 aims to simplify regulations and reduce costs.
  • To increase banking transparency and security: A unified banking market is also supposed to benefit consumers. Financial institutions must increase their transparency, which helps consumers gain better market information.
  • To level the playing field for payment service providers: By creating a common foundation for payment service providers, the EU aims to boost innovation and competition, and to create equal opportunities for PSPs.

Who Is Impacted by the PSD2 Regulation?

While PSD2 is mainly designed with consumers in mind, various players are impacted by the directive.

Banks Operating in the EU

Banks operating in the EU are forced to open their bank payment services to third parties. This is part of the open banking strategy designed to foster competition, remove monopolies, and allow more transparency between banks and their customers.

Under the PSD2, financial institutions must share information related to balances, accounts, and movements of funds with companies to which the consumer has granted access. They also have to allow payments made by third-party service providers. To that end, banks must deploy Payment Initiation Services (PIS) to bridge payments between merchants and customer accounts.

Payment Service Providers

PSD2 introduces security requirements designed to reduce fraud and criminal activity related to payments. PSPs are required to apply SCA, or Strong Customer Authentication, when a payer initiates an electronic transaction. 

SCA is a form of MFA (multi-factor authentication) designed to link a payment to a user. Online payments also require a dynamic link to the amount of the transaction and the payee’s account, so the authentication code is only valid for that specific amount and recipient.

Note that certain kinds of payments are exempt, such as low-value payments, or payments handled by companies that can prove they have other forms of authentication in place, such as a fraud detection system.

Brokerages

Under PSD2, banks and brokerages need to increase transparency in how they calculate exchange rates. They are also banned from charging certain exchange fees.

Consumers

PSD2 opens the door to Payment Initiation Services Providers and Account Information Services Providers. Both types of services help customers make payments directly to merchants from their bank accounts, and are essentially alternatives to credit card payments. 

The idea behind these services is to reduce the complexity of online payments in order to make them safer and more secure. 

When it comes to financial services, PSD2 is also designed to help consumers. The idea of open banking is to foster competition between third-party services that can offer financial products independently of the customers’ banks. 

Since its introduction, PSD2 and open banking have helped customers access more services from neobanks and challenger banks, as well as mortgage applications, money management, and other financial products.  

Which Regions Are Impacted by PSD2?

PSD2 is a European directive. It only affects countries in the European Union. Since Brexit, for instance, the UK is not bound by the PSD2. 

However, global companies may need to meet PSD2 compliance when dealing with European users.

[Map: Countries bound by PSD2 (excluding the UK)]

PSD2 Compliance Requirements and Controls

Here is a list of requirements and controls your business should follow to meet PSD2 requirements. 

Open APIs for Third-Party Access

Open banking is built on open APIs – specifically, APIs that allow third-party providers to access customer account information. Once the customer grants access, account information service providers (AISPs) should be able to retrieve the relevant data via API calls.

Strong Customer Authentication

A key part of PSD2 compliance is meeting requirements for Strong Customer Authentication (SCA). This is a form of MFA that aims to link every transaction to:

  • Something the customer owns: device, card details
  • Something the customer knows: password, PIN, passphrase
  • Something the customer is: biometrics such as fingerprint, face ID, voice pattern
[Figure: 2FA example – something the user knows, is, owns]
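The dynamic linking requirement mentioned in the Payment Service Providers section, together with the SCA factors listed above, is easiest to understand with a small worked example. The following Python code is an added illustration written for this page, not SEON's code and not a PSD2 reference implementation. It assumes a device-bound secret key (standing in for the "something the customer owns" factor) and a constructed sample payee IBAN; the key, IBAN, amounts and nonce are all made up for the example. The authentication code is an HMAC over the exact amount, the payee and a per-transaction nonce, truncated to digits in the style of HOTP (RFC 4226). The verifier recomputes the code from the amount and payee it is about to execute, so a code issued for one payment cannot be replayed for a different amount or a different recipient.

```python
import hashlib
import hmac
import secrets
from decimal import Decimal

# Constructed device-bound key for the example. In a real deployment this
# would be provisioned to the customer's registered device and never leave it.
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

# Constructed sample payee account (an example IBAN, not a real account).
SAMPLE_PAYEE = "DE89370400440532013000"


def canonical_payload(amount, payee, nonce):
    """Serialise the fields the code must be bound to, in one fixed form.

    The amount is normalised to two decimal places and the payee identifier
    is upper-cased and stripped, so "10" and "10.00" (or a payee typed in
    lower case) produce the same code while any real change does not.
    """
    amt = f"{Decimal(str(amount)):.2f}"
    return f"{amt}|{payee.strip().upper()}|{nonce}".encode()


def generate_auth_code(key, amount, payee, nonce, digits=8):
    """Return a short numeric code dynamically linked to amount and payee."""
    mac = hmac.new(key, canonical_payload(amount, payee, nonce), hashlib.sha256).digest()
    # Dynamic truncation as in RFC 4226 so the customer sees a short number.
    offset = mac[-1] & 0x0F
    num = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{num % 10 ** digits:0{digits}d}"


def verify_auth_code(key, amount, payee, nonce, code, digits=8):
    """Recompute the code for the payment that will actually be executed.

    If the amount or payee presented for execution differs from the one the
    customer authenticated, the recomputed code will not match.
    """
    expected = generate_auth_code(key, amount, payee, nonce, digits)
    # Constant-time comparison avoids leaking how many digits matched.
    return hmac.compare_digest(expected, code)


def new_nonce():
    """Fresh per-transaction nonce so a code cannot be replayed later."""
    return secrets.token_hex(16)


def demo():
    """Walk through one payment: issue a code, then try to reuse it."""
    nonce = new_nonce()
    code = generate_auth_code(DEVICE_KEY, "149.99", SAMPLE_PAYEE, nonce)
    # Legitimate execution: same amount, same payee, same nonce.
    ok = verify_auth_code(DEVICE_KEY, "149.99", SAMPLE_PAYEE, nonce, code)
    # The same code presented with a changed amount must be rejected.
    tampered_amount = verify_auth_code(DEVICE_KEY, "1499.99", SAMPLE_PAYEE, nonce, code)
    # ... and likewise with a changed payee.
    tampered_payee = verify_auth_code(DEVICE_KEY, "149.99", "GB00EXAMPLE0000000000", nonce, code)
    return ok, tampered_amount, tampered_payee


if __name__ == "__main__":
    print(demo())
```

The nonce is what stops a captured code from being replayed for a later payment of the same amount to the same payee; the amount and payee fields are what make the code useless if an intermediary alters the transaction after the customer has approved it. A production system would also bind the code to a time window and to the specific device key, and would combine it with a second factor (a PIN or biometric) before releasing the payment.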

Better Transparency

Under PSD2, companies need to provide as much transparency as possible when it comes to terms and conditions, currency conversion rates, and what financial products do. 

Faster Complaint Resolution

Payment service providers are required to resolve complaints in a timely manner. Incidents must also be reported to EU regulatory bodies – for instance, in the event of a data breach or a GDPR issue.

Removing Credit Card Surcharges

B2C and B2B companies in ticketing, food, and travel or deliveries aren’t allowed to add extra charges for processing credit card payments. 

Security Issues With PSD2

PSD2 simplifies the complex banking and payment ecosystem, but it is not without its challenges. Accounts become more valuable when linked to banking APIs, which is an incentive for fraudsters. 

Security problems may also arise when all the payment data is shared by multiple parties. AML compliance is also harder to track when all the information is passed around. You can read more about the risks of open banking in our in-depth article.

PSD2 Compliance: How SEON Can Help

SEON is a powerful fraud detection solution that monitors customers from the moment they land on your site to the moment they initiate online transactions. 

You can use SEON to extract user data in order to verify their IDs and ensure they are the legitimate cardholder and that they are properly authenticated when logging in.

In short, SEON allows you to reduce fraud rates, improve ID proofing compliance, and meet SCA exemption requirements, making doing business in the EU faster and more profitable.


PSD2 Compliance FAQ

What is PSD2 in simple terms?

PSD2, or the Payment Services Directive 2, is an EU regulation designed to improve security, transparency, and competitiveness in the world of European payments and banking.

What are the PSD2 requirements?

Under PSD2, financial institutions must allow customers to grant trusted third parties access to their account data for payments and accessing financial products and services. Payment providers must ensure that cardholders are who they say they are. Brokerages must be transparent about exchange rates. Finally, businesses must remove credit card charges. 

Who must comply with PSD2?

Any company doing business in EU countries or with European customers must adhere to the PSD2 regulations and controls. 

Bence Jendruszak
COO

Bence is the co-founder and COO of SEON whose vision is to create a safer online environment for merchants in high risk verticals.
