Simplifying PSD2 with our Authentication Engine
This article was updated in September 2021
The Revised Payment Services Directive (PSD2) is a European directive that will change banking and payments as we know them. All businesses dealing with payments in Europe need to be aware of PSD2 regulation.
This article will walk you through the essentials of PSD2, its origins and how it will change the payment landscape, and give you insights into this much-talked-about topic. So let’s get the basics down first.
PSD2 means extra security for your customers
PSD2, also known as The Revised Payment Services Directive, or Payment Services Directive 2, is a European regulation that creates a more open, competitive, and secure payments landscape across Europe. SCA requirements are part of PSD2 regulation.
SCA, or Strong Customer Authentication, is a requirement of PSD2. It's a combination of three elements to authenticate a payment: something you know, own, and are. For example: a password, your phone, your fingerprint.
In 2007, the Payment Services Directive (PSD) was approved, with the goal of creating a single market for payments in the EU. It simplified payment processing and created the rules and regulations for payment services in the EU. This opened up the gates for new payment service providers to arrive – one being Adyen. PSD provided legal foundations for Europe’s bank payments infrastructure (Single Euro Payments Area), powered by IBANs and Direct Debits.
The PSD came into effect in 2009 and continues to regulate electronic and non-cash payments across the European Economic Area. This area includes the European Union, Iceland, Norway, and Liechtenstein. The regulations bring great benefits to the European economy. These include quicker payments throughout the EU, more transparency and information for consumers, strengthened refund rights, and more. The PSD provides the legal framework within which all payment service providers must operate.
In 2013, the European Commission published a proposal for the revised version of the Payment Services Directive, known as PSD2. Its goal is to ensure consumer protection across all payment types and create a more open, competitive payments landscape across Europe. The second PSD was approved in 2015 and Member States had until January 13th 2018 to implement it into national law.
Merchants, Payment Service Providers, and non-bank payment institutions longed for access to the most precious asset that banks have: the bank account. The request for access came on the grounds that data and accounts are owned by the shopper, rather than the bank. The European Commission decided that the second payment services directive (PSD2) should open the door for non-bank financial institutions to access banks’ data and bank accounts.
Essentially, every regulated institution will have access to everyone else’s bank account, provided that the owner (the consumer) of the bank account grants permission for the specific action to be performed. This could be an action such as retrieving bank statement information or performing a payment.
The result is an ecosystem of new and existing solution providers. New payment methods such as open banking, investment advice platforms, and money management products may be developed within this ecosystem.
With opportunity comes responsibility. So the tradeoff will be strict guidelines on how new providers get permission from consumers to access their accounts. With all payment transactions across EU countries to be regulated through PSD2, all payment service providers must be ready to comply.
Account Information Service Providers (AISPs) will be able to create many types of value-adding services for merchants, leveraging the data in their many bank accounts. These could range from verification and investment and savings advice to simple money management. Requirements around surcharging will change too. For example, companies such as event organizers and airlines will not be allowed to charge an additional card fee on top of the transaction value.
To better protect customers when paying online, PSD2 requires more security and mandates Strong Customer Authentication (SCA), also called two-factor authentication.
This can be seen as a negative side effect of security, as the break in the checkout process can lead to cart abandonment. However, there are ways to improve your SCA with 3D Secure 2, without you having to lift a finger.
Member states had two years, ending in January 2018, to implement the changes into their national laws. In June 2017, the European Banking Authority responded to the European Commission with a final draft of the Regulatory Technical Standards (RTS) on Strong Customer Authentication and common and secure communication under PSD2.
In November 2017, the European Banking Authority and the European Commission published the final draft of the RTS. With all the information available, it looks like the RTS will be officially published by late February 2018 and will come into effect in August/September 2019.
As a fully regulated, PSD2-compliant payment provider, we’re here to guide you through the changes and provide seamless services throughout the disruption.
We hope you enjoyed reading and gained more information about the essential PSD2 changes. To learn more, check out our related stories below.