What is PSD2?

The Payment Services Directive (PSD), originally adopted in 2007, is the legal foundation for the Single Euro Payments Area (SEPA). PSD2 is the Revised Payment Services Directive. The ‘2’ refers to the revised directive, as it replaced the original Payment Services Directive (PSD). Regulations outlined within the PSD2 are meant to protect consumers and their data, and includes safer and more secure payment options, faster payment turnaround, and defines refund rights.

PSD was designed to enable easier payments between the 74 members of the European Payments Council as well as improve consumer protections for citizens of the EU member states. The overarching goal of PSD was to increase participation and competition in the European payments industry by bringing payment service providers together under one set of regulations and standards. It applies to banks, financial institutions, as well as non-finance firms.

There are exemptions to the PSD2 directive, which apply mainly to small transactions or those deemed to be of low risk. This includes small contactless payments, payments made by ‘whitelisted’ businesses, transactions set up on a recurring basis, and other transactions that are considered ‘low risk’ opportunities for fraud.

The directive intended to introduce fair practices and rules to the European payments industry, which was accomplished primarily through the concept of “maximum harmonization.” Maximum harmonization is meant to consider the rights and obligations of payment service providers while also taking into account the need for consumer protections. The intent was to strike a balance between the two through regulations that would increase competition, protect users, accelerate the payments process, and clearly define rights and appropriate procedures for all involved.

The elements of PSD2

The directive consists of two primary components: business conduct rules and market rules. The business conduct rules establish what information payment service providers are required to provide when a data request is made. They also detail the additional rights and obligations of payment service providers and clients, including guidelines for authorizing and carrying out transactions and outlines the responsibilities and processes to follow when issuing refunds or revocations. Additionally, the directive establishes a “competent authority” for each participating member to supervise all payment service providing institutions within its country.

The market rules introduced the phrase “payment institutions” within the Single Euro Payments Area (SEPA). These rules outline which institutions are eligible to administer payment services and provide guidance for those institutions to apply to be authorized payment institutions.

PSD2 revisions have since been made in order to address several issues that had been previously overlooked. For example, the directive was originally quite limited in its reach; only transactions occurring between nations in the European Economic Area were covered initially.

The technology required for PSD2

PSD2 encourages participation and competition by empowering consumers and institutions alike to use third-party payment service providers to make transactions and manage their finances. Third-party providers include financial firms, fintechs that provide services via digital apps, or separate standalone payment providers.

The directive requires the payment service providers to expose open APIs that enable consumers to securely access their own bank accounts and information through third-party providers. These payment service providers fall into three main categories:

  • Account information service providers (AISPs) can access sensitive data in order to analyze spending patterns to gain increased business intelligence.
  • Payment initiation service providers (PISPs) are the service providers that initiate transactions for both the consumers and the organizations.
  • Account servicing payment service providers (ASPSP) are the financial institutions that offer payment accounts with online access, including banks, building societies, wealth management companies, and investment firms.

These institutions handle sensitive personal data of both individual consumers and organizations, including card data, bank account information, full names, government-issued identification numbers and more. Because of this, institutions adhering to PSD2 must also adhere to GDPR compliance regulations as well.

Given the sensitive nature of the customer information accessed through open APIs, PSD2 stipulates tough rules for secure data protection, including verifying user identities through strong customer authentication and allowing customers to grant consent and specify data use preferences. The directive requires strong customer authentication on electronic payments. It also stipulates firms must adhere to common and secure communication practices. By adopting these practices, data can be shared faster and more securely between payment service providers and their consumers.

PSD2’s impact on digital business

PSD2 is helping to move the European financial industry in the right direction by integrating the payment market across Europe. The driving motivation behind the amendments made was the ability to enact open banking standards within the European Economic Area. Open banking is founded on the idea of modernizing banking by combining traditional banking, fintech startups, and other new technologies.

Open banking makes use of APIs to enable integration with third-party applications and servers. It also forces institutions to embrace open-source technology, which means adopting the latest standards for data privacy. Whether your institution is based in the European Economic Area or accepts electronic payments from organizations within the European Union, you are subject to PSD2 regulations.

Security and privacy revisions

The revised directive better protected consumers by enforcing more rigid security regulations and modernizing the payment process. With the innovations of online and mobile payments and the development of open banking, international transactions required a more secure process in order to protect consumer information.

Additional revisions include implementing ‘strong customer authentication’ as ‘common and secure communication’ standards. Both measures are vital to preventing transaction fraud and ensuring cardholder data security.

Strong consumer authentication standards stipulate how payment service providers must verify the legitimacy of its electronic transactions. These standards must be applied to every single payment that occurs as well as each time a consumer accesses his or her payment account.

A key rule of the strong consumer authentication standards is that at least two security measures must be utilized for verification. This can include a password, a PIN, fingerprint scan, card authentication, or a uniquely-generated authentication code. One of the most commonly used security protocols to satisfy the secure and common communication standards is 3DS2, or 3-D Secure.

The common and secure communication standards enforce the authentication of all communication between the parties involved in the transaction process. The standards require institutions to establish secure channels by which they can communicate with third party providers in order to provide secure access to sensitive consumer and payment data. A third-party provider is any organization that leverages open banking APIs to offer an innovative service, payment option, tool, or insight to financial consumers.

Adhering to PSD2

PSD2 compliance is satisfied by adhering to all obligations outlined in the directive specific to each participant in the transaction process. Common and secure communication standards require certification in order to be compliant, but the strong consumer authentication standards are met simply by utilizing a legitimate method of authentication.

PSD2 diagram