What is the Payment Services Directive 2 (PSD2)?


The second version of the Payment Services Directive (PSD2) is a European Union framework for safer online payments. 

Introduced in 2016, the directive’s purpose is to help customers feel more secure when using online payment and open banking technology, and make the actions of payment service providers fairer, while also holding them accountable.

What is PSD2?

This is the second iteration of the Payment Services Directive, which was introduced in January 2016. Its purpose is to make the open banking and payments industry better on behalf of the customer, with a focus on increased security, visibility and innovation.

The first iteration of PSD was introduced in order to stimulate competition among European banking and payments providers, as well as to accelerate development. 

PSD2 expands on the previous legislation with three new targets to improve the payment services industry. These are:

  • increasing the rights of customers 
  • reducing fraud through extra security measures
  • introduction of third party payment providers for better integration

Features of PSD2

Each of the features of this PSD2 regulation has a number of mechanisms driving its success. 

Customer rights

When looking at customer rights, the SCA looks specifically at how complaints are handled and whether consumers are being treated fairly. For example, financial institutions no longer have the ability to add surcharges to credit, debit and prepaid cards, as this is unfair to the consumer.

In this case, compliance with frameworks such as PSD2 is a huge advantage, since the financial institution is able to build more trust with its customers.

Moreover, customers are able to make more informed decisions with features like the terms and conditions being clearly visible and the T&C approval as part of the process. PSD2 looks to increase transparency through complaints handling and reporting, with the publishing of a new framework and guidelines on how to report to the authorities. 

Funds for electronic payments are sometimes allowed to be earmarked, which means an estimated amount is held on the account before the true amount is later charged. But this sometimes leaves customers without access to money that is ultimately theirs.

Therefore, while pre-authorisation is still allowed, financial institutions are required to adhere to strict deadlines in order to free up the earmarked money as soon as possible.

Increased security

A large part of the innovation factor around PSD2 is the two-factor authentication around payments. This requires two of the following three authentication factor categories:

  1. Knowledge: something the customer knows, such as a password or account retrieval questions
  2. Possession: something the customer has, such as a one-time passcode sent to their phone
  3. Inherence: something unique to the owner, such as a fingerprint

There are certain exemptions, such as face-to-face contactless card payments and transactions under €30, which do not require strong authentication on their own. However, the overall purpose of this extra authentication feature is to reduce instances of fraud.
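The factor rule and the two exemptions above, as an added illustration that is not CUBE's code or any real PSD2 implementation: the key point a practitioner should check is that the two factors must come from different categories, so two "knowledge" factors never satisfy SCA. The authenticator-to-category mapping, the fixed €30 threshold and the treatment of contactless as a blanket exemption are simplifying assumptions taken from the text.

```python
"""Simplified SCA decision logic (added example, not CUBE's code).
Assumptions: the factor names below, a flat EUR 30 low-value limit and a
blanket contactless exemption; the real regulatory technical standards add
cumulative limits and risk analysis that are deliberately left out here."""
from dataclasses import dataclass, field
from decimal import Decimal

# The three SCA categories named in the directive.
CATEGORIES = {"knowledge", "possession", "inherence"}

# Assumed mapping of concrete authenticators to their SCA category.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "security_question": "knowledge",
    "phone_otp": "possession",
    "hardware_token": "possession",
    "fingerprint": "inherence",
}

LOW_VALUE_LIMIT = Decimal("30")  # assumed threshold from the text


@dataclass
class Transaction:
    amount_eur: Decimal
    contactless_in_person: bool
    factors_presented: list = field(default_factory=list)


def distinct_categories(factors):
    """Categories covered by the presented factors; unknown names are ignored."""
    return {FACTOR_CATEGORY[f] for f in factors if f in FACTOR_CATEGORY}


def sca_satisfied(factors):
    """SCA needs two factors from *different* categories: a password plus a
    security question is still only 'knowledge' and does not count."""
    return len(distinct_categories(factors)) >= 2


def sca_exempt(txn):
    """Exemptions named on the page: contactless in person, or under EUR 30."""
    return txn.contactless_in_person or txn.amount_eur < LOW_VALUE_LIMIT


def authorise(txn):
    """Return (decision, reason) so the caller knows why SCA was or wasn't applied."""
    if sca_exempt(txn):
        return ("approve", "exempt")
    if sca_satisfied(txn.factors_presented):
        return ("approve", "sca")
    missing = sorted(CATEGORIES - distinct_categories(txn.factors_presented))
    return ("step_up", "need a factor from: " + ", ".join(missing))
```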

Third-party payment providers (TPPs)

Finally, there is a huge focus on integration with new technology as part of the third-party provider feature. This requires the nine biggest banks to create their own APIs so that independent providers can create and link their new services.

It may sound like the new financial service provider is essentially piggybacking off their customer base, but remember that the regulation also applies to them.

Therefore, any new services would be approved by the regulators, and in keeping with the theme of this regulation, would be created to benefit the payment service user and protect financial data. The aim is to increase customer visibility and control. 

Who must comply?

Financial institutions, specifically payment service providers, are the primary focus of PSD2. The directive also sets out a legal framework on the consumer protection side, spanning every country in the European Economic Area.

Fundamentally, PSD2 compliance means a focus on Strong Customer Authentication (SCA) requirements, which largely focus on the Know Your Customer framework and two-factor authentication (2FA). Moreover, tokenisation and the dynamic linking of payments have enabled further customer protection through the anonymisation of data.


In order to remain compliant with PSD2 and evolving regulations across the banking and payments industry, build your compliance from the ground up with CUBE

