What does the Payment Services Directive (PSD2) mean for you?
To protect consumers from dealing with unreliable companies, the European Commission adopted a revised version of the Payment Services Directive in 2015. What is PSD2, exactly? Until January 1, 2021, PSD2 applied fully in the UK as part of EU legislation. However, following Brexit, it no longer applies domestically. Instead, it only affects UK companies that offer payment services to customers within the EU.
What is the PSD2 regulation?
PSD2 is a revised version of the Payment Services Directive (PSD) initially introduced in 2007. It was adopted by the Council of the European Union on November 16, 2015, and implemented into national laws at the beginning of 2018. PSD2 regulates payment transactions across Europe conducted by companies that are not classified as traditional banks. Its purpose is to enable these non-bank companies to offer payment services over the internet, thereby stimulating and regulating competition within this sector of the financial industry
Payment Services Directive 1 & 2 therefore serve different purposes:
- Open competition in payment services
- Reduce costs for consumers
- Regulate and support startups in the financial technology sector (Fintech)
- Increase security for online payments
Payment Services Directive 2 in detail
The second version of the Payment Services Directive was implemented in multiple stages across the EU. One of its most important innovations is that banks must provide other companies with access to their customers’ information—but only if the customer has given consent.
Banks are required to offer an interface to authorised providers, allowing them to initiate transfers directly and access information about account balances and other financial details. Particularly in the fintech sector, many companies offer innovative software to help users manage their finances. Apps for saving, insurance, or stock trading rely on bank data. Since PSD2 came into effect, banks have been obligated to provide certified companies with an interface through which these service providers can retrieve necessary information and carry out payments or transfers.
Even with PSD2, companies cannot arbitrarily access your sensitive financial data. In addition to regulatory approval, service providers specifically need your explicit consent to obtain data from your bank.
How does PSD2 work?
Service providers have accessed bank account information before, but there was no standardised method. Internationally, companies often relied on a technique called web scraping, where the service provider extracts information directly from the online banking website. This method is inefficient and prone to errors. PSD2 requires banks to establish an Access to Account (XS2A) interface that allows authorised service providers to securely access customer account data.
PSD2 also offers measures to ensure the secure transmission of sensitive data via interfaces, protecting consumers from potential risks. The data security is ensured through two main mechanisms:
- QWAC: This certificate allows providers and banks to mutually authenticate each other. It also encrypts the data transmission.
- QSeal: This seal is attached to the data and links it to a specific company. It allows tracking of which companies have accessed the bank account and transmitted data through the interface. Additionally, the seal ensures that the data remains unaltered and any changes are detectable.
To obtain these licences or seals, providers must receive approval from a national supervisory authority. PSD2 distinguishes between two types of authorisations:
- Account Information Service Provider (AISP): Providers in this category access information from the customer’s bank account for processing purposes. Only registration is required, not a full licence.
- Payment Initiation Service Provider (PISP): Companies with this licence can initiate payments or transfers on behalf of the customer.
What does the directive mean for customers and online shop owners?
The Payment Services Directive largely concerns banks and other financial service providers. Users won’t notice a lot of the changes going on in the background. And even for online retailers, there haven’t been many changes so far.
PSD2 from the user’s point of view
The revised PSD has enhanced payment security. The issuance of licences for technical solutions, as well as oversight by regulatory authorities, has ensured more reliable protection of sensitive data since its implementation. In particular, mandatory two-factor authentication — for example, via an SMS with a one-time password (OTP) — plays a crucial role in this.
With the introduction of two-factor authentication, the now outdated iTAN lists (security method used mainly by some European banks for online banking) are gradually being phased out. Banks are increasingly relying on SMS, apps, or dedicated authentication devices for transaction verification.
What online retailers need to pay attention to regarding PSD2
If you are a UK online store owner selling products or services to customers in the European Union, and you process payments through EU banks or payment providers, PSD2 applies to your business. This means you must comply with the regulation’s security requirements when handling payments from EU customers.
Strong Customer Authentication (SCA) requires customers to verify payments using at least two of the following:
- something they know (such as a password or PIN),
- something they have (like a card or smartphone),
- or something they are (biometric data such as fingerprints or facial recognition).
SCA is mandatory for payments over €30 (approximately £26), or if multiple transactions within one day total more than €100 (about £86). To comply with PSD2, you should work with payment providers that support PSD2 protocols, such as Stripe, PayPal, or Adyen, which have implemented security features like 3D Secure 2.0. It’s important to integrate these solutions properly into your checkout process to ensure EU customers can complete transactions without issues. Testing your checkout flow to confirm that authentication works with European payment methods is also highly recommended.
Certain payment types, such as direct debits (pull payments), are exempt from SCA under PSD2. In addition, payments below the specified thresholds may not require additional authentication steps.
Even though PSD2 no longer applies within the UK due to Brexit, the principles of SCA have been retained under UK law via the UK Payment Services Regulations. As a result, UK businesses must still apply SCA domestically, but under separate national rules. When selling to EU customers, however, UK retailers must also comply with EU PSD2 requirements.
History of payment service directives from PSD1 to PSD2
With the first version of the Payment Services Directive, the European Commission made a significant move to regulate international payment transactions. In the interest of harmonising European payments (keyword SEPA), PSD established the legal framework for service providers in this area. This explicitly applied then, as it does now, to providers outside the traditional banking sector. Thus, PSD effectively broke the monopoly that credit institutions held over payment services.
However, not every company can operate as a so-called payment institution. The Payment Services Directive set binding criteria that such providers must meet. Yet despite many clear rules, some uncertainties and leeway remained — some of these issues were even created by the directive itself. PSD2 closed these gaps and additionally provided increased security for consumers.
This is achieved, for example, through the issuance of binding certificates and seals that can only be obtained from recognised organisations. Additionally, companies require approval from the national financial supervisory authority.
Please refer to the legal notice regarding this article.