What does the Payment Services Directive (PSD2) mean for you?

Contents

To protect consumers from dealing with unreliable companies, the European Commission adopted a revised version of the Payment Services Directive in 2015. What is PSD2, exactly? While it primarily applies within the EU, U.S. companies offering payment services to European customers must also comply with its requirements.

What is the PSD2 regulation?

PSD2 is a revised version of the Payment Services Directive (PSD) initially introduced in 2007. It was adopted by the Council of the European Union on November 16, 2015, and implemented into national laws at the beginning of 2018. PSD2 regulates payment transactions across Europe conducted by companies that are not classified as traditional banks. Its purpose is to enable these non-bank companies to offer payment services over the internet, thereby stimulating and regulating competition within this sector of the financial industry

Payment Services Directive 1 & 2 therefore serve different purposes:

Open competition in payment services
Reduce costs for consumers
Regulate and support startups in the financial technology sector (Fintech)
Increase security for online payments

The graphic summarizes the key points of PSD2.

Payment Services Directive 2 in detail

The second version of the Payment Services Directive was implemented in multiple stages across the EU. One of its most important innovations is that banks must provide other companies with access to their customers’ information—but only if the customer has given consent.

Banks are required to offer an interface to authorized providers, allowing them to initiate transfers directly and access information about account balances and other financial details. Particularly in the fintech sector, many companies offer innovative software to help users manage their finances. Apps for saving, insurance, or stock trading rely on bank data. Since PSD2 came into effect, banks have been obligated to provide certified companies with an interface through which these service providers can retrieve necessary information and carry out payments or transfers.

Note

Even with PSD2, companies cannot arbitrarily access your sensitive financial data. In addition to regulatory approval, service providers specifically need your explicit consent to obtain data from your bank.

How does PSD2 work?

Service providers have accessed bank account information before, but there was no standardized method. Internationally, companies often relied on a technique called web scraping, where the service provider extracts information directly from the online banking website. This method is inefficient and prone to errors. PSD2 requires banks to establish an Access to Account (XS2A) interface that allows authorized service providers to securely access customer account data.

PSD2 also offers measures to ensure the secure transmission of sensitive data via interfaces, protecting consumers from potential risks. The data security is ensured through two main mechanisms:

QWAC: This certificate allows providers and banks to mutually authenticate each other. It also encrypts the data transmission.
QSeal: This seal is attached to the data and links it to a specific company. It allows tracking of which companies have accessed the bank account and transmitted data through the interface. Additionally, the seal ensures that the data remains unaltered and any changes are detectable.

To obtain these licenses or seals, providers must receive approval from a national supervisory authority. PSD2 distinguishes between two types of authorizations:

Account Information Service Provider (AISP): Providers in this category access information from the customer’s bank account for processing purposes. Only registration is required, not a full license.
Payment Initiation Service Provider (PISP): Companies with this license can initiate payments or transfers on behalf of the customer.

What does the directive mean for customers and online store owners?

The Payment Services Directive largely concerns banks and other financial service providers. Users won’t notice a lot of the changes going on in the background. And even for online retailers, there haven’t been many changes so far.

PSD2 from the user’s point of view

The revised PSD has enhanced payment security. The issuance of licenses for technical solutions, as well as oversight by regulatory authorities, has ensured more reliable protection of sensitive data since its implementation. In particular, mandatory two-factor authentication — for example, via an SMS with a one-time password (OTP) — plays a crucial role in this.

Fact

With the introduction of two-factor authentication, the now outdated iTAN lists (security method used mainly by some European banks for online banking) are gradually being phased out. Banks are increasingly relying on SMS, apps, or dedicated authentication devices for transaction verification.

What online retailers need to pay attention to regarding PSD2

If you are a US online store owner selling products or services to customers in the European Union, and you process payments through EU banks or payment providers, PSD2 applies to your business. This means you must comply with the regulation’s security requirements when handling payments from EU customers.

Strong Customer Authentication requires that customers verify payments using at least two of the following: something they know (like a password or PIN), something they have (such as a card or smartphone), or something they are (biometric data like fingerprints or facial recognition). SCA is mandatory for payments over €30 (approximately $34), or if multiple transactions within one day total more than €100 (about $113).

To comply with PSD2, you should work with payment providers that support PSD2 protocols, such as Stripe, PayPal, or Adyen, which have implemented security features like 3D Secure 2.0. It’s important to properly integrate these payment solutions into your checkout process to ensure EU customers can complete transactions smoothly. Testing your checkout flow to confirm that the authentication steps work correctly for European payment methods is also highly recommended.

Certain payment types, such as direct debit (pull payments), are exempt from SCA under PSD2. Additionally, payments below the specified thresholds may not require the additional authentication steps.

Note

Since September 14, 2019, most electronic payments within the EU must comply with SCA, which enforces multi-factor authentication In the United States, two-factor authentication has become a widely recommended security measure for online stores, with increasing adoption encouraged by industry standards and regulations such as PCI DSS. While there is no federal law mandating two-factor authentication for eCommerce platforms as of now, many payment processors and state regulations strongly advise or require its implementation to enhance security and protect customer data.

The surcharge is no longer permitted thanks to PSD2. Before the directive was enforced, it was common for merchants to charge an additional fee for payments made by credit card to avoid bearing the extra costs themselves.

History of payment service directives from PSD1 to PSD2

With the first version of the Payment Services Directive, the European Commission made a significant move to regulate international payment transactions. In the interest of harmonizing European payments (keyword SEPA), PSD established the legal framework for service providers in this area. This explicitly applied then, as it does now, to providers outside the traditional banking sector. Thus, PSD effectively broke the monopoly that credit institutions held over payment services.

However, not every company can operate as a so-called payment institution. The Payment Services Directive set binding criteria that such providers must meet. Yet despite many clear rules, some uncertainties and leeway remained — some of these issues were even created by the directive itself. PSD2 closed these gaps and additionally provided increased security for consumers.

This is achieved, for example, through the issuance of binding certificates and seals that can only be obtained from recognized organizations. Additionally, companies require approval from the national financial supervisory authority.

Please refer to the legal notice regarding this article.

10 Years Digital Guide: A Success Story

3D Secure: Mastercard and VISA are becoming more secure

These days, credit card fraud primarily takes place on the internet. Criminals use hacked information to take advantage of customers, retailers, and banks. In order to make internet purchases more secure, credit card companies like VISA and Mastercard have released a new version…

Online Store
E-Commerce
Encryption

Zapp2PhotoShutterstock

Mobile payment

Mobile payment is on the advance worldwide. The leading providers of mobile payment alternatives have also gained a foothold in the United States. However, many Americans are still not convinced by the new technology. We give you an overview of the most frequently used mobile…

E-Commerce

E-business

The term e-business, or electronic business, has been on the tip of everyone’s tongues for some time in online spheres. But what exactly does it mean? It is all too often used interchangeably with “e-commerce,” but this is just one part of e-business. In fact, the term…

E-Commerce