Introduction
Governments around the world are constantly trying to make life easier for their citizens and protect them from harm. Formulating rules and regulations and implementing them across different sectors is just one way to achieve this.
When the EU implemented the Payment Services Directive, it had not anticipated just how vastly the payment landscape would be changed by fintechs, and thus did not bring them into its regulatory framework. This created a gap in consumer data protection.
So what did the EU do? It decided to review its regulations and introduced PSD2, which not only made payments safer and more secure for consumers but also levelled the playing field for payment service providers.
In this guide, you'll learn what PSD2 is, why it was introduced, and the key benefits for consumers and the payment industry. You'll also discover the core requirements (SCA, TPP API access, surcharge ban), exemptions, the impact on fintechs and traditional banks, and the evolving regulatory landscape — including the upcoming PSD3 framework.
Key Takeaways
- Understanding PSD2 helps Indian exporters and businesses serving EU customers anticipate friction in their checkout flows, particularly the Strong Customer Authentication (SCA) requirements that affect ~95% of EU card payments.
- PSD2 (Payment Services Directive 2) is an EU law in effect since January 2018, enforcing Strong Customer Authentication (SCA) since September 2019 (with phased rollout completed in 2021).
- Two new types of regulated entities under PSD2: Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs) - the foundation of EU "Open Banking."
- Key requirements: SCA (2 of 3 factors - knowledge, possession, inherence), bank API access for TPPs, surcharge ban for EEA card payments, and refund rights for unauthorised debits.
- PSD3 is in the legislative pipeline (proposed June 2023), with adoption expected in 2026-2027, bringing tighter consumer protections and clearer rules for fraud liability.
What is PSD2?
The Payment Services Directive is a European Union law that was adopted in 2007. It establishes common rules governing electronic payments, such as card payments, direct debits, credit transfers and online and mobile payments. It aims to create safer and more innovative payment services across the EU.
PSD2, introduced in 2018, is the revised version of the Payment Services Directive. It has widened the scope of PSD1 by regulating newer payment service providers and introducing enhanced security in online payments to protect customers' financial data.
Why was PSD2 introduced?
The European Commission proposed PSD2 for the following reasons:
1. It recognised that newer and innovative payment services, such as payment initiation services providing cheaper alternatives for internet payments, had emerged but were unregulated across the EU.
2. Member states had applied exemption rules for payment-related services in different ways, creating a regulatory gap and legal uncertainty. This compromised customer protection and limited market entry for new payment services.
What are the key benefits of PSD2?
The modernisation of the Payment Services Directive has brought the following benefits:
1. Regulates new payment services
The new PSD2 rules provide a legal structure for non-bank financial service providers to enter and continue in the electronic payments market, regulating them at the EU level. This gives consumers options to choose from multiple payment service providers.
2. Opens the payment service market
PSD2 improves competition in the electronic payments market by obliging banks to grant third-party providers (TPPs) access to bank account data, provided that the consumer consents. This allows consumers to make payments from their bank accounts using a third-party provider.
3. Enhances consumer protection
Strong customer authentication (SCA) was introduced under PSD2, requiring multifactor authentication for every electronic payment. This ensures customer protection against payment fraud.
4. Bans surcharge
Whether online or in-store, merchants will no longer be allowed to surcharge customers for making card payments. This applies to both domestic and cross-border payments and covers 95% of card payments across the EU.
5. Protects customer rights
PSD2 protects consumer rights in the event of unauthorised debits by allowing consumers to request a refund within 8 weeks of the debit. It also protects them when the transaction amount is unknown, such as with car rentals and hotel bookings. The funds will only be transferred from the payee’s account to the retailers once the exact amount is known to the consumer’s bank and the consumer authorises the payment.
What are the requirements of PSD2?
PSD2 aims to boost transparency, innovation, and security in all payment services across the European Union. It achieves this by ensuring that the following requirements are met.
1. Authorisation of payment service providers
All new and old payment service providers need to get authorised by a competent authority in the member state to be recognised as a payment institution. Their application should be accompanied by a security policy document, a description of the security incident management procedure, and a contingency procedure to showcase their payment security.
2. Obligation for providing payment account details
All member states must ensure that banks do not prevent payment service providers from accessing customer account data, provided that customers have consented. This data must be shared via secure APIs.
3. No surcharge policy
PSD2 bans merchants from surcharging customers for card payments, provided that the merchant's payment service provider and the customer's card issuer are both located in the European Economic Area (EEA).
4. Customer authentication procedure
All payment service providers, whether banks or third-party providers, must ensure strong customer authentication for processing electronic payments. They must implement two of the following three factors for customer authentication:
a. Something the customer knows, such as a PIN or password
b. Something the customer possesses, such as a card or a security token
c. Something the customer is, such as a face ID or fingerprint
Who is exempted from PSD2?
While all requirements apply to payment service providers, certain transactions are exempt from the Strong Customer Authentication (SCA) requirement. These are:
1. Transactions below 30 euros
2. Real-time transactions with low risk
3. Payments made to merchants pre-approved by customers
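The two-of-three factor rule and the exemptions listed above can be expressed as a single authorisation check. The following is an added example, not code from any PSD2 specification or from Xflow; the factor names, the `Payment` fields and the `low_risk_realtime` flag (assumed to come from a risk engine) are hypothetical. Note that two factors from the same category, such as a password plus a PIN, do not satisfy SCA.

```python
from dataclasses import dataclass

# Factor categories from the page: knowledge, possession, inherence.
# The mapping of concrete factor names to categories is constructed for this example.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",
    "card": "possession",
    "security_token": "possession",
    "face_id": "inherence",
    "fingerprint": "inherence",
}
SCA_EXEMPT_BELOW_EUR = 30  # exemption 1: transactions below 30 euros


@dataclass
class Payment:
    amount_eur: float
    low_risk_realtime: bool = False   # exemption 2: hypothetical risk-engine verdict
    payee_preapproved: bool = False   # exemption 3: merchant pre-approved by customer


def sca_exemption(p):
    """Return the name of the exemption that applies, or None."""
    if p.amount_eur < SCA_EXEMPT_BELOW_EUR:
        return "low_value"
    if p.low_risk_realtime:
        return "low_risk"
    if p.payee_preapproved:
        return "preapproved_merchant"
    return None


def satisfied_categories(factors):
    """Distinct categories covered by the verified factors; unknown names raise."""
    unknown = [f for f in factors if f not in FACTOR_CATEGORY]
    if unknown:
        raise ValueError(f"unrecognised factor(s): {unknown}")
    return {FACTOR_CATEGORY[f] for f in factors}


def authorise(p, verified_factors):
    """Return (allowed, reason) for a payment and the factors already verified."""
    exemption = sca_exemption(p)
    if exemption:
        return True, f"exempt:{exemption}"
    cats = satisfied_categories(verified_factors)
    if len(cats) >= 2:
        return True, "sca:" + "+".join(sorted(cats))
    return False, "sca_required:need_two_distinct_categories"
```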
What is the impact of PSD2 on the payment industry?
The widened scope and newer rules implemented under PSD2 have significantly impacted the EU payment industry through:
1. Emergence of fintechs
With the reduction in barriers to accessing customers' bank data, PSD2 created a level playing field in electronic payment markets, allowing fintech companies to take over services previously exclusive to traditional banks.
2. Strategic shifts
To stay relevant, banks are developing their payment services or collaborating with third-party providers to offer their customers enhanced financial services.
3. Security upgrades
The SCA requirements have forced all payment service providers to upgrade their IT infrastructure and build strong customer authentication procedures.
4. Empowered consumers
PSD2 has enabled consumers to choose from multiple payment solutions for their financial transactions, reducing their reliance on traditional banking systems. To retain customers, all payment service providers must develop strategies to enhance the user experience on their platforms.
Conclusion
Since their implementation, the payment services directives have helped establish safe and innovative payment solutions across the EU. They have led to the emergence of many third-party payment service providers that allow customers to initiate instant payments directly from their bank account, but the scope of PSD2 is limited to the European Economic Area.
Exporters wanting to do business in the EU would still need to rely on traditional payment methods. This can cause friction for customers, leading them to turn away from your goods or services. This is why it is important to use a reliable payment solution like Xflow that enables customers to pay via their preferred channel.
Additionally, Xflow benefits you as an exporter by providing mid-market FX rates and transparent pricing. You can collect payments in your bank account within 24 hours of receiving payments and stay compliant by generating eFIRA from our portal.
Sign up with Xflow today to give your customers a safe and frictionless payment experience!
Frequently asked questions
The reason for introducing PSD2 was the emergence of unregulated third-party payment service providers across Europe. Moreover, customer protection was compromised by the regulatory gap and legal uncertainty caused by member states applying exemption rules for many payment-related services.
PSD2 has benefited customers by giving them the opportunity to choose from multiple payment service providers, banning merchants from surcharging them, enforcing strong customer authentication for initiating payments and allowing refunds for unauthorised debits.
With PSD2's provision giving fintechs access to bank account data, the payment industry has seen the emergence of fintechs, strategic shifts as banks were forced to provide fintech services to their customers, and changes in the security procedures of payment service providers.