What is PSD2: Everything you need to know to be compliant

The Payment Service Directive 2 (PSD2), also known as The Revised Payment Services Directive, is a European regulation that creates a more open, competitive, and secure payments landscape across Europe. The PSD2 provides requirements for Strong Customer Authentication (SCA).

Strong customer authentication (SCA) is a requirement of the PSD2. It's a combination of three elements businesses can use to authenticate a payment. These elements include something you know, own, and are — for example, a password, phone, or fingerprint.

3D Secure is one example of how SCA is used to authenticate payments.

The Payment Services Directive 1 (PSD1) was approved in 2007 to create a single market for payments in the EU. It simplified payment processing and created the rules and regulations for payment services in the EU. This opened up the gates for new payment service providers – one being Adyen. PSD provided legal foundations for Europe’s bank payments infrastructure (Single Euro Payments Area), powered by IBANs and Direct Debits.

Why was PSD introduced?

The PSD came into effect in 2009 and regulates electronic and non-cash payments across the European Economic Area. This area includes the European Union, Iceland, Norway, and Liechtenstein. The regulations were introduced with the goal of bringing benefits to the European economy. These include quicker payments throughout the EU, more transparency and information for consumers, strengthened refund rights, and more. The PSD provides the legal framework within which all payment service providers must operate.

Why did PSD1 become PSD2?

In 2013, the European Commission published a proposal for the revised version of the Payment Services Directive. It was updated to ensure consumer protection across all payment types and create a more open, competitive payments landscape across Europe. The PSD2 was approved in 2015, and the Member States had until January 13, 2018, to implement it into national law.

To improve competition in the payments landscape, the European Commission decided that the second Payment Services Directive (PSD2) should open the door for non-bank financial institutions to access banks’ data and bank accounts. The access request was based on the idea that shoppers own the data and accounts rather than the bank. 

Every regulated institution will have access to everyones’ bank account, provided that the owner (the consumer) of the bank account grants permission for the specific action to be performed. This could be an action such as retrieving bank statement information or performing a payment.

The result is an ecosystem of new and existing solution providers that can develop new payment methods like open banking, investment advice platforms, and money management products.

With opportunity comes responsibility. So, the tradeoff is strict guidelines on how new providers get permission from consumers to access their accounts. With all payment transactions across EU countries to be regulated through PSD2, all payment service providers must be ready to comply.

PSD2 law allows for the creation of Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs). However, there are a few requirements they need to follow:

• PISPs can initiate SEPA Credit Transfers. But unlike Direct Debits, the transfers will be final. This means they can’t allow chargebacks, and transactions will be quicker.

• AISPs can use business bank account data to create value-adding services for verification purposes, investment and savings advice, and simple money management. 

• Companies such as event organizers and airlines aren’t allowed to charge an additional card fee on top of the transaction value.

• To better protect customers when paying online, PSD2 requires more security and mandates Strong Customer Authentication (SCA), also called two-factor authentication. This can be seen as a negative side-effect of security, as the break in the checkout process can lead to cart abandonment. However, there are ways to improve your SCA with 3D Secure without you having to lift a finger.

PSD1 treated platforms as a gray area, resulting in inconsistencies as different countries interpreted the PSD1 in different ways. Instead of being the party responsible for the purchase and sale, platforms were viewed as facilitators, ultimately being exempt from the regulation. 

PSD2 aimed to create more security and a better customer experience. This also meant clearing up the gray area for platforms, requiring them to have the same payments license as other businesses if they act on the buyer's and seller's behalf.

Since the UK has left the EU, they no longer have access to the payment market created by PSD2. As a result, business between the UK and EU is more challenging than before. It has led to increased costs and additional data requirements, resulting in slower transfers and difficulty paying international suppliers on time.

Member states had two years, ending in January 2018, to implement the changes in their national laws. In June 2017, the European Banking Authority responded to the European Commission with a final draft of the Regulatory Technical Standards (RTS) on Strong Customer Authentication and common and secure communication under PSD2.

A lot has changed since the introduction of PSD2, which called for an update on the regulations. On June 28, 2023, the European Commission proposed to amend and modernize PSD2, which will become PSD3, and introduce a Payment Services Regulation (PSR).

As a fully regulated PSD-compliant payment provider, we’re here to guide you through the changes and provide seamless services throughout the disruption.

Want to stay up to date with the latest changes to PSD? Check out our blog to discover more about the Payment Service Directive 3 (PSD3).