Introduction
Advancements in payments technology have been going through the roof in the past few years. This growth also raises security concerns, such as online fraud and data breaches. Considering this, multiple countries around the world have come up with foundational guidelines to ensure proper regulation of technology in finance. One such directive is PSD2, which provides a legal foundation for payments in the EEA.
In this article, you’ll get to know what PSD2 is, its key objectives, requirements and challenges to help you understand how to navigate payments with clients from EU countries.
What is PSD2?
Payment Services Directive 2 (PSD2) is an EU directive adopted in 2015 that updates payment rules to support secure, innovative services such as fintechs. It mandates PSD2 compliance by requiring banks to share customer data securely via APIs with licensed third-party providers (TPPs), and only with the user's consent.
This directive promotes the concept of ‘open banking’, where fintechs offer services like account aggregation or instant payments with user consent. Some of its key requirements include no surcharges, transparent fees and faster refunds within eight weeks. PSD2 applies mainly to electronic payments from the EEA and the UK.
Why did the EU introduce PSD2?
In 2015, the EU introduced PSD2 to counter the rise in online fraud and to revamp a stagnant payments market. Regulators saw that PSD1's basic safeguards were not enough to contain cybercrime, a serious security concern that costs billions annually.
That's where PSD2 steps up with a workflow known as 'Strong Customer Authentication' (SCA). It verifies users through two-factor authentication, such as biometrics combined with passwords, to prevent unauthorized transactions.
How does PSD2 build on PSD1?
PSD2 continues to function on the foundation laid by PSD1 in 2009, building on it to strengthen the directive for today's digital world. PSD2 replaces the basic payment rules with robust security and innovation tools.
PSD1 standardized cross-border euro payments and also set consumer protections like refunds. On the other hand, PSD2 brings forth Strong Customer Authentication (SCA) to cut fraud and introduces regulated Third-Party Providers (TPPs).
What is PSD2 compliance?
If your organization achieves PSD2 compliance, it means you are following the EU's strict rules under PSD2 and contributing to secure and transparent electronic payments across Europe.
It covers essentials like implementing SCA, which verifies users with two factors, such as a biometric or a one-time code alongside a password. PSD2 compliance also opens up secure APIs for third-party providers to access account data with the user's consent.
As a business, you need to register with regulators, perform fraud monitoring, maintain detailed records for all transactions processed and align with GDPR for data protection to achieve PSD2 compliance.
Who must comply?
All payment service providers (PSPs), merchants, banks and fintechs that handle electronic payments in the EEA must meet PSD2's compliance requirements.
If you are a payment institution or an e-money issuer, you need national licenses, while the third-party providers like Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs) require strict authorization to access accounts or start transactions via APIs.
Geographic scope of PSD2
PSD2 applies to electronic payment services within the European Economic Area (EEA), that is, the 27 EU countries along with Iceland, the UK, Liechtenstein, and Norway. PSD2 targets "two-legged" transactions where both the payer's and the payee's payment service providers (PSPs) are based in these regions, regardless of which local currency is used.
What are the key objectives of PSD2?
PSD2 works towards building a secure and competitive payments market in Europe. You will notice a strong emphasis on open banking, fraud reduction, and consumer rights through PSD2 compliance. Here are some of its key objectives:
- To promote innovation and competition: It opens bank data via APIs to licensed TPPs like fintechs, which leads to new services such as payment initiation and account aggregation.
- Reduce fraud: PSD2 introduces SCA, which requires payment authentication using two factors chosen from knowledge (e.g. passwords), possession (a device) or inherence (biometrics).
- Protect consumers: It bans payment surcharges, ensures refunds within eight weeks, and mandates clear consent for data sharing. All this is performed under GDPR standards.
- Integrate markets: PSD2 standardizes rules to establish effortless and unified cross-border electronic payments for all EEA currencies.
What are the PSD2 compliance requirements?
The PSD2 compliance requirements focus on securing the payment process with these core implementations:
- Strong Customer Authentication (SCA)
- Open APIs for third-party access
- Robust fraud prevention to meet EU standards
- Ban on surcharges
- Customer transparency
Some other requirements also include licensing for TPPs and securing data sharing with consent of the users, performing transaction monitoring and also implementing GDPR-aligned privacy measures.
What is Strong Customer Authentication (SCA)?
You can think of Strong Customer Authentication (SCA) as the signature tool for fighting fraud in transactions. To verify users during online payments and for account data access, it mandates the use of two of the following three independent factors:
- Knowledge: Information the user knows or can remember, such as PINs and passwords.
- Possession: Something the user owns, such as a hardware token or a mobile phone.
- Inherence: Something the user is, such as a fingerprint or voice scan.
For card payments, SCA is commonly delivered through the 3-D Secure 2.0 protocol, which dynamically links the authentication to the specific transaction details.
What are the PSD2 SCA exemptions?
PSD2 SCA exemptions are helpful for small fintechs or PSPs as they allow certain low-risk transactions to skip SCA. This helps to balance security with a smooth user experience under PSD2 compliance. Some common exemptions include:
- Low-value payments: Transactions under €30 count as low-value payments; the exemption also covers a cumulative total of up to €100, or fewer than five consecutive exempted transactions, since the last SCA.
- Transaction Risk Analysis (TRA): Merchants or PSPs that can demonstrate a low fraud probability, using regulator-approved risk analysis, may skip SCA for those transactions.
- Recurring payments: Merchant-initiated subscriptions, such as memberships, are exempt once the customer's first payment has been SCA-verified.
- Corporate payments: Most B2B transactions made through secure, dedicated interfaces, or with cards issued to a company rather than an individual, are out of scope for PSD2.
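As an added example (not from the article or from Xflow), here is a Python decision helper of the kind an issuing PSP might use to apply the two rules above: the two-out-of-three factor check from the SCA section, and the low-value exemption counters with the article's €30 / €100 / five-transaction thresholds. The method-to-category mapping, the per-payer state fields and the exact boundary treatment of the thresholds are assumptions to verify against the RTS text.

```python
from dataclasses import dataclass
from decimal import Decimal

# Hypothetical mapping of authentication methods to the three SCA categories
# named in the article. Two methods from the SAME category (PIN + password)
# do not count as SCA: the factors must come from two different categories.
FACTOR_CATEGORY = {
    "password": "knowledge", "pin": "knowledge",
    "device_binding": "possession", "hardware_token": "possession",
    "fingerprint": "inherence", "voice": "inherence",
}

# Low-value exemption thresholds as the article describes them; the boundary
# treatment (<= vs <) is an assumption to verify against the RTS wording.
LOW_VALUE_AMOUNT = Decimal("30")        # single remote payment
LOW_VALUE_CUMULATIVE = Decimal("100")   # total exempted since the last SCA
LOW_VALUE_MAX_CONSECUTIVE = 5           # exempted payments since the last SCA

@dataclass
class PayerState:
    """Per-payer counters the issuing PSP must keep to apply the exemption."""
    cumulative_since_sca: Decimal = Decimal("0")
    exempted_since_sca: int = 0

def meets_sca(factors):
    """True if the presented methods span at least two distinct categories."""
    categories = {FACTOR_CATEGORY[f] for f in factors if f in FACTOR_CATEGORY}
    return len(categories) >= 2

def low_value_exempt(amount, state):
    """Can this remote payment skip SCA under the low-value exemption?"""
    amount = Decimal(str(amount))
    return (amount <= LOW_VALUE_AMOUNT
            and state.cumulative_since_sca + amount <= LOW_VALUE_CUMULATIVE
            and state.exempted_since_sca < LOW_VALUE_MAX_CONSECUTIVE)

def authorise(amount, factors, state):
    """Return 'exempt', 'authenticated' or 'declined' and update the counters."""
    amount = Decimal(str(amount))
    if low_value_exempt(amount, state):
        state.cumulative_since_sca += amount
        state.exempted_since_sca += 1
        return "exempt"
    if meets_sca(factors):
        state.cumulative_since_sca = Decimal("0")   # a full SCA resets both limits
        state.exempted_since_sca = 0
        return "authenticated"
    return "declined"
```

Once either limit is exhausted the helper falls back to demanding a genuine two-category SCA, which is the behaviour a fraud-monitoring team would expect to see in the transaction logs.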
How does PSD2 affect merchants?
PSD2 compliance hinges on Strong Customer Authentication (SCA). Handled well, it can limit checkout abandonment while boosting long-term security and trust, so merchants should partner with 'SCA-ready' platforms to avoid transaction declines. Here are some important ways in which PSD2 affects merchants:
- Higher security standards: You get top-notch security at the cost of additional steps unless exemptions are applied.
- The inevitable shift to compliance gateways: If you are a non-EU merchant with EEA customers, then you need to adopt PSD2-compliant processors for 3D Secure 2.0 support and open banking options.
- Compliance costs: Lower fraud, fewer chargebacks and better customer retention come at the price of higher spending on integration and monitoring tools.
How do fintechs and PSPs achieve PSD2 compliance?
Achieving PSD2 compliance comes down to three critical tasks: securing licenses, implementing Strong Customer Authentication (SCA), and building secure APIs for open banking access. Here are the steps involved:
- Get authorized: Apply for AISP or PISP licenses from the national regulators. To be authorized, you must demonstrate state-of-the-art security, capital reserves and governance so that you can handle customer data legally.
- Implement SCA: Deploy two-factor authentication using biometrics, one-time codes or device binding for online payments, integrated with the 3-D Secure 2.0 protocol.
- Develop secure APIs: For TPP access to accounts, create a GDPR-compliant interface that supports consent management, encryption, and real-time fraud monitoring.
- Make processors your partners: Opt for compliant platforms that handle SCA exemptions, transaction risk analysis and PCI and PSD2 alignment to minimize friction.
- Monitor continuously and report: Maintaining detailed transaction logs, conducting regular audits and reporting suspicious activity help you cut fraud while staying audit-ready for regulators.
PSD2 vs PSD1
PSD2 has built on PSD1’s basic framework for secure transactions across the EU nations. It adds on to the earlier directive by mandating SCA, open banking APIs and stricter fraud rules. Here’s a table that will help you compare these two directives on various aspects:
| Aspect | PSD1 (2007) | PSD2 (2015) |
|---|---|---|
| Authentication | Basic security measures. | Mandatory SCA (two of three factors: knowledge, possession, inherence). |
| Third-party access | Limited to payment institutions. | Extended to regulated TPPs (AISPs, PISPs) via secure APIs. |
| Scope | Mainly euro-centric cross-border payments. | All EEA currencies and electronic payments, including the UK. |
| Surcharges | Allowed on cards. | Banned to protect consumers. |
| Fraud reduction | Very basic, general guidelines. | SCA plus transaction monitoring, exemptions and more. |
| Innovation focus | Standardized services. | Open banking to boost and sustain fintech competition. |
| Refunds/complaints | Standard timelines. | Comparatively faster. |
What are the challenges in PSD2 compliance?
The majority of the PSD2 compliance challenges stem from complex technical upgrades and the varying national rules. Also, maintaining the balance between security and ease in user experience is a dynamic challenge in today’s payments landscape. Here are some common challenges you can watch out for on your journey to becoming PSD2 compliant:
- High implementation costs: Building SCA systems with secure APIs and fraud monitoring tools requires a significant investment in technology, staff training and third-party audits.
- Friction during integration with your system: Legacy bank systems can clash with the new open banking APIs, causing extended delays and compatibility issues for TPPs and merchants during rollout.
- Trade-offs in customer experience: SCA adds authentication steps to your checkout process, and this pushes customers to abandon the purchase even if exemptions like low-value transactions are offered.
- Regulatory inconsistencies: Different national authorities have their unique style of interpreting PSD2. This creates a patchwork of deadlines and requirements across EEA countries.
- Burden of monitoring: Continuous fraud detection, data breach reporting under GDPR and even license renewals are ongoing obligations. This can strain your resources if you're a small fintech or PSP.
Final thoughts
PSD2 aims to re-paint the entire portrait of Europe’s payments market with features that benefit everyone, right from merchants to fintechs. If you are a business with customers in the EEA, you must comply with PSD2 to avoid hefty fines and, at the same time, tap into innovative opportunities for faster transactions and stronger customer trust.
To streamline your PSD2 compliance for receiving international payments, check out Xflow’s tailored solutions for fintechs and businesses. Sign up with Xflow today!
Frequently asked questions
PSD2 compliance means adhering to the EU’s rules for secure payments, including SCA, open APIs, and TPP access.
All banks, PSPs, merchants, fintechs, and credit institutions based in the EEA/UK with two-leg transactions need to comply with this directive.
SCA is a European requirement that falls under the umbrella of Payment Services Directive 2 (PSD2). Its core purpose is to make digital payments safer by mandating at least two independent security checks, like a password plus a fingerprint.
Yes. PSD2 provides several exemptions from SCA for specific types of transactions, such as low-value payments, merchant-initiated transactions, contactless payments and orders via mail or telephone.
PSD2 affects merchants by mandating SCA to reduce fraud, putting a ban on card surcharges, and opening new payment options through Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs).
Yes. PSD2 can apply outside the EU, mainly when your transactions involve an EU-based entity or customers from the European Economic Area (EEA).