What is PSD2 (Payment Services Directive)?

What does PSD2 mean?

PSD2 stands for Payment Services Directive 2 and is a regulatory framework in the European Union (EU) that aims to enhance and modernize payment services. It came into effect on January 13, 2018, replacing the original Payment Services Directive (PSD) that was introduced in 2007.

PSD2 introduces several key changes and initiatives to promote innovation, competition, and security in the financial sector within the EU, with an emphasis on electronic payments.


What are the biggest changes in PSD2 compared to PSD?

The main difference between the two directives is scope: PSD2 brings third-party providers (TPPs), such as account information and payment initiation service providers, within the regulatory perimeter alongside banks and traditional payment institutions.

Doing so calls for tighter data security measures. But the directive also places a strong emphasis on transparency, with improved disclosure requirements for payment service providers regarding transaction fees, exchange rates, and other relevant information.

What is the PSD2 EU regulation? 

The PSD2 EU directive mandates the implementation of Strong Customer Authentication (SCA), a multi-factor authentication process, to reduce the risk of fraud.

SCA involves verifying the customer’s identity using at least two elements from different categories, chosen so that compromising one does not compromise the others:

  • Something the customer knows (e.g. a password or PIN)
  • Something the customer has (e.g. a registered mobile device or card)
  • Something the customer is (e.g. biometric data)

Another crucial feature of PSD2 is the promotion of open banking. This means that banks are required to allow third-party providers (TPPs) access to customer account information, but only with the explicit consent of the account holder.

PSD2 also focuses on consumer protection, introducing rules to ensure transparency in payment services and establishing liability provisions to safeguard consumers in the event of unauthorized transactions.


Who is impacted by the PSD2, and why should you care?

The PSD2 directive mainly impacts banks, TPPs, merchants, and consumers in the following ways:

  • Banks must open access to customer account information and payment initiation through APIs, with the customer’s consent
  • TPPs can access this data and initiate payments, as long as they are authorised and adhere to regulatory standards
  • Merchants benefit from reduced transaction costs and competitive payment service provider options
  • Consumers, the ultimate end-users, gain more control over their financial data

PSD2 compliance

Staying PSD2 compliant is a must for businesses and service providers operating within the EU. Here’s a rundown of how you can ensure compliance.

  1. Enforce SCA for digital transactions using at least two independent factors, for example a password combined with a registered mobile device or a biometric check. 
  2. Remain transparent by informing your customers of terms of service and transaction fees, and honour the liability provisions that protect consumers against unauthorised transactions. 
  3. If you hold payment accounts, give authorised TPPs access to customer account information and payment initiation, but only with the account holder’s explicit consent.

PSD2 Fraud

PSD2 aims to make transactions safer, but it also introduces potential issues, especially with fraud.

The main concern is that opening payment data to other companies widens the attack surface: an attacker who obtains a customer’s login details, or tricks the customer into approving an authentication request, can make unauthorised transactions or gain unauthorised access to the account.

Here are some ways attackers may commit fraud in a PSD2 environment:

  • Using stolen or reused passwords to take over someone’s account and make fraudulent payments
  • Registering with a falsified identity, as a customer or as a would-be TPP, to obtain access they are not entitled to
  • Deceiving people into sharing private information or one-time codes by passing the request off as a standard security check

To prevent this, it’s crucial to stay vigilant and follow the guidelines—PSD2 stresses the importance of having strong methods of identity verification.

Moreover, financial institutions and businesses have a role to play in ensuring data security through fraud detection tools, encryption of data in transit and at rest, and continuous monitoring of transaction patterns for anomalies such as unusual amounts, payees, or velocity.

Are there any PSD2 exemptions?

PSD2 does have some exemptions that add a bit of flexibility. One example is low-value transactions, where the friction of an extra authentication step would outweigh the fraud risk; the exemption stops applying once the customer’s cumulative spend or number of payments since the last SCA passes a limit.

Payees the customer trusts may also be exempt from added measures. Once a customer has added a payee to a trusted-beneficiary list (itself an SCA-protected step), later payments to that payee can skip the authentication checks.

The same thing applies to recurring payments, such as subscriptions or monthly bills, where the amount and the payee stay the same: SCA is applied when the series is set up or changed, and the later instalments are exempt.
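The following is an added example (not PayFasto’s code, nor any bank’s) that shows how the SCA factor rule and the three exemptions above fit together in an issuer-side decision: the factor check requires two factors from different categories, and the exemption logic tracks the low-value counters, the trusted-beneficiary list and fixed-amount recurring series. The limits (EUR 30 per payment, EUR 100 cumulative or five previous payments since the last SCA) are those of the SCA regulatory technical standards (Regulation (EU) 2018/389); the data model, function names and the exact reading of “previous transactions” are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# The three SCA factor categories (knowledge, possession, inherence).
KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"
FACTOR_CATEGORIES = {KNOWLEDGE, POSSESSION, INHERENCE}

# Low-value remote payment exemption limits from the SCA RTS (Art. 16).
LOW_VALUE_LIMIT = Decimal("30")
LOW_VALUE_CUMULATIVE = Decimal("100")
LOW_VALUE_MAX_PREVIOUS = 5


def factors_satisfy_sca(presented):
    """SCA needs at least two factors from *different* categories.
    Two passwords are still one category (knowledge) and do not count."""
    return len(FACTOR_CATEGORIES & set(presented)) >= 2


@dataclass
class Payer:
    """Per-customer SCA state (assumed model, not a real issuer schema)."""
    trusted_payees: set = field(default_factory=set)
    # (payee, amount) pairs of recurring series whose first payment passed SCA
    recurring_series: set = field(default_factory=set)
    # counters since the last successful SCA, used by the low-value exemption
    amount_since_sca: Decimal = Decimal("0")
    count_since_sca: int = 0


@dataclass
class Payment:
    payee: str
    amount: Decimal
    recurring: bool = False

    def __post_init__(self):
        # Accept "19.99" or 20; money is never handled as a float.
        self.amount = Decimal(str(self.amount))


def exemption(payer, payment):
    """Return the name of an applicable exemption, or None if SCA is required."""
    if payment.payee in payer.trusted_payees:
        return "trusted-beneficiary"
    if payment.recurring and (payment.payee, payment.amount) in payer.recurring_series:
        return "recurring-fixed-amount"
    # Low value: amount <= 30 AND (previous cumulative <= 100 OR previous count <= 5).
    if (payment.amount <= LOW_VALUE_LIMIT
            and (payer.amount_since_sca <= LOW_VALUE_CUMULATIVE
                 or payer.count_since_sca <= LOW_VALUE_MAX_PREVIOUS)):
        return "low-value"
    return None


def process(payer, payment, presented_factors=()):
    """Approve or decline one payment and update the payer's SCA state.
    Returns 'approved:<exemption>', 'approved:sca' or 'declined'."""
    ex = exemption(payer, payment)
    if ex is None:
        if not factors_satisfy_sca(presented_factors):
            return "declined"
        # A successful SCA resets the low-value counters and, for a recurring
        # payment, registers the series so later instalments can be exempt.
        payer.amount_since_sca = Decimal("0")
        payer.count_since_sca = 0
        if payment.recurring:
            payer.recurring_series.add((payment.payee, payment.amount))
        return "approved:sca"
    # Exempted payments still count toward the low-value limits.
    payer.amount_since_sca += payment.amount
    payer.count_since_sca += 1
    return "approved:" + ex


def add_trusted_payee(payer, payee, presented_factors):
    """Whitelisting a payee is itself an SCA-protected step (RTS Art. 13)."""
    if not factors_satisfy_sca(presented_factors):
        return False
    payer.trusted_payees.add(payee)
    return True


if __name__ == "__main__":
    # Constructed walk-through: six small coffees go through on the
    # low-value exemption, the seventh needs SCA.
    customer = Payer()
    for _ in range(7):
        print(process(customer, Payment("cafe", "20")))
    print(process(customer, Payment("cafe", "20"), [KNOWLEDGE, POSSESSION]))
```

Note that the counters are updated only for exempted payments and reset on every successful SCA, which is what makes the low-value exemption safe to offer: an attacker with a stolen card cannot chain an unlimited number of sub-EUR-30 payments.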

Future-proof your online transactions

Choose PayFasto as your online payment gateway to stay compliant and transparent in all your transactions.


How do I get a PSD2 license?

First things first, get acquainted with the regulations in the countries you operate in. While PSD2 is a European Union directive, each member state transposes it into national law with its own nuances. Here’s a rough overview of the steps:

  1. Apply to the national competent authority (typically the central bank or financial regulator) of the member state where you will be established for authorisation as a payment institution, and make sure your set-up complies with local requirements. 
  2. When it comes to operations, implement robust security measures and nail down strong customer authentication (SCA). You want to assure both regulators and customers that their data is in safe hands. 
  3. Be ready to submit a comprehensive application, which outlines your business model, organizational structure, security policy, and financial projections. 
  4. You can expect a bit of scrutiny during due diligence. Regulators will thoroughly check your background and management team. Make sure to stay open to communication throughout this process, addressing any question as soon as possible. 

Of course, you can also expect to pay some regulatory fees when applying for your license. Keep in mind that these are all general expectations; specific application requirements and associated costs will vary depending on the European country where you submit your application.

What is considered a fraudulent payment under the PSD2?

Under PSD2, a payment is considered fraudulent when it involves unauthorized access to a customer’s account or unauthorized initiation of a payment. Examples include:

  • Someone accesses a customer’s account through stolen credentials, hacking, or other illicit means.
  • A payment is initiated without authentication or the explicit consent of the account holder. 

A failure of the security measures PSD2 requires, such as failing to protect customer data, is not itself a fraudulent payment, but it is a compliance breach that often enables fraud and may trigger incident-reporting obligations to the regulator.