What is PSD2? The revised Payment Services Directive explained

What’s the best way to win when playing the board game Monopoly? Google this and you’ll likely see similar words and phrases pop up: ‘buy aggressively’, ‘buy everything’, ‘power’. One Thrillist article even talks about ‘inflicting serious pain’. 

Of course, this is all generally fine in the context of a board game (though not always that fun, as many families would admit). But in business, a lack of competition and an aggressive attitude to dominating markets isn’t just unfair, it can also harm others.

Luckily, as technology and society progress, new laws and regulations are coming into effect to help ensure industries operate in a fairer and more balanced way. They also help to protect people and businesses from harmful practices.

In Europe, one of the regulations doing this is the revised Payment Services Directive (PSD2), the primary regulation governing electronic payment services.

PSD2’s objectives include:

  • Making online payments more secure
  • Improving consumer protection
  • Creating a more level playing field for modern fintech firms, such as payment service providers (PSPs)

This article will explore PSD2 and how it affects your business, including its origins, compliance requirements, and when and where it applies.

What is PSD2?

PSD2 is an updated version of the original European Payment Services Directive (PSD).

The European Commission implemented the original PSD to create a single simplified market for payments in the European Union, improve efficiency, and promote innovation and competition in payments and payment services.

PSD2 builds on the core aims of the original directive, mainly in three areas:

  • Consumer rights: introducing more rules around complaints, surcharging, and currency conversion.
  • Enhanced security: through Strong Customer Authentication (SCA).
  • Better innovation: by allowing more efficient third-party access to bank account information.

When was PSD2 introduced?

To start, let’s go back to the early 2000s when payment services and companies weren’t strictly regulated. That changed with the introduction of the Lisbon strategy – a Europe-wide action and development plan – in 2000 and the Single Euro Payment Area (SEPA) launch later that decade. These helped create a more integrated payments infrastructure and vision in Europe.

Following these, in 2007 the original Payment Services Directive (PSD) was adopted. This brought in much more regulation and oversight for EU payments. One main change was the creation of new financial entities: electronic money institutions (EMIs) and payment institutions (PIs), which – when properly licensed – were granted the right to provide payment services to consumers.

In 2013, the European Commission proposed an amendment to PSD, which led to it becoming known as the revised Payment Services Directive.

PSD2 was meant to come into effect in September 2019, but this was pushed back to 31 December 2020. The delay was due to the challenges of implementing it across the EEA and other countries.

What has PSD2 changed?

Third-party payment services

One of the most significant changes that PSD2 introduced is rules around third-party access to bank account information. It specifies that consumers have the right to use any third-party provider for their online banking services.

Under PSD2, banks now have to provide open APIs that give other fintechs access to their customers’ accounts and payment information – as long as they have the customer’s consent.

This allows third-party providers to initiate payments from a consumer’s bank account, helping to accelerate innovation in the payments industry and (usually) creating a faster and easier payment experience for consumers.

Strong Customer Authentication

Another key aspect of PSD2 is its improved security measures, most notably the Strong Customer Authentication (SCA) requirements for online payments.

SCA improves security by requiring customers to complete extra verification steps when paying online, minimising the risk of fraud.

All businesses processing online payments within Europe must comply with PSD2 and implement SCA measures.

PSD2 and SCA apply when both the business’s payment service provider and the customer’s bank or card provider are located within these countries and regions:

  • The UK
  • The European Economic Area (EEA)
  • Monaco

When either of these parties is located outside these regions, the payment provider is advised to use its ‘best efforts’ to adhere to the SCA regulations.

Read our comprehensive SCA guide to learn more about it and what it means for your business.

3D Secure and 3D Secure 2

The most common way of authenticating an online card payment and adhering to SCA guidelines is using 3D Secure and 3D Secure 2, which most European cards support.

3D Secure (3DS) is an additional step during the online payment process where a consumer provides further information to complete their transaction. This could mean entering a one-time code sent to their device or logging into their online banking environment to confirm payment.

3D Secure 2 is a newer version of 3DS, which provides a better user experience that helps improve fraud prevention and minimises friction during checkout.

Using 3DS provides your business with an extra layer of fraud protection – ensuring that you only accept card payments from legitimate customers. Authenticating a payment with 3D Secure also means your customer’s bank (rather than your business) will be liable for fraud-related chargebacks.

Does PSD2 apply to your business?

If your business accepts payments in certain European countries, you must comply with PSD2 regulations.

PSD2 countries include:

  • All of the European Economic Area (EEA)
  • Monaco
  • The UK

PSD2 compliance requirements

PSD2 places most of its obligations on banks: the issuing bank – the bank acting on behalf of the consumer in an online transaction – has to refuse transactions that do not meet PSD2’s requirements.

To reduce the risk of issuing banks refusing your business’s transactions, you must comply with SCA regulations.

SCA applies to customer-initiated online and contactless offline payments, which means that most card payments and bank transfers require SCA to be PSD2-compliant.

Recurring direct debits in which a consumer periodically pays a fixed amount are generally considered merchant-initiated payments and aren’t subject to SCA.
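The two rules above – the geographic rule (both the business’s PSP and the customer’s bank or card issuer must be in the EEA, the UK or Monaco, otherwise ‘best efforts’ applies) and the initiation rule (customer-initiated payments need SCA, merchant-initiated ones such as recurring direct debits do not) – are stated in separate places in this article. The following is an added example, not Mollie’s code or part of the original article, that combines them into one scope check a merchant might run before deciding whether to request authentication. The function and field names are my own; country codes are ISO 3166-1 alpha-2, and the EEA list assumes the 27 EU member states plus Iceland, Liechtenstein and Norway. The sample payments are constructed for illustration.

```python
"""PSD2/SCA scope check combining the article's geographic and initiation rules.

Added example, not the article's or Mollie's own code. All names are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from enum import Enum

# ISO 3166-1 alpha-2 codes for the 27 EU member states (assumed list).
EU_MEMBER_STATES = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE",
}
# The EEA adds Iceland, Liechtenstein and Norway.
EEA = EU_MEMBER_STATES | {"IS", "LI", "NO"}
# The article names the EEA, the UK and Monaco as the PSD2/SCA territories.
PSD2_TERRITORIES = EEA | {"GB", "MC"}


class ScaOutcome(Enum):
    REQUIRED = "SCA required: authenticate the customer (e.g. with 3D Secure 2)"
    BEST_EFFORTS = "one party outside PSD2 scope: apply SCA on a best-efforts basis"
    MERCHANT_INITIATED = "merchant-initiated payment: SCA does not apply"


@dataclass(frozen=True)
class Payment:
    psp_country: str       # where the business's payment service provider is located
    issuer_country: str    # where the customer's bank or card issuer is located
    customer_present: bool # True for customer-initiated online / contactless payments


def in_psd2_scope(country: str) -> bool:
    """True if the country code is inside the PSD2/SCA territories."""
    return country.strip().upper() in PSD2_TERRITORIES


def sca_outcome(p: Payment) -> ScaOutcome:
    """Decide whether SCA is required for a single payment."""
    # Initiation rule first: a merchant-initiated payment (for example a
    # recurring direct debit for a fixed amount) is not subject to SCA
    # regardless of where the parties are located.
    if not p.customer_present:
        return ScaOutcome.MERCHANT_INITIATED
    # Geographic rule: both the PSP and the issuer must be inside scope for
    # SCA to be mandatory; otherwise the provider applies it on a best-efforts basis.
    if in_psd2_scope(p.psp_country) and in_psd2_scope(p.issuer_country):
        return ScaOutcome.REQUIRED
    return ScaOutcome.BEST_EFFORTS


def summarise(payments) -> Counter:
    """Count how many payments fall into each outcome bucket."""
    return Counter(sca_outcome(p) for p in payments)


# Constructed sample payments (not real transaction data).
SAMPLE_PAYMENTS = [
    Payment("NL", "DE", customer_present=True),   # both in EEA -> SCA required
    Payment("NL", "US", customer_present=True),   # issuer outside scope -> best efforts
    Payment("GB", "MC", customer_present=True),   # UK PSP, Monaco issuer -> SCA required
    Payment("NL", "BE", customer_present=False),  # recurring direct debit -> exempt
    Payment("US", "FR", customer_present=True),   # PSP outside scope -> best efforts
]

if __name__ == "__main__":
    for payment in SAMPLE_PAYMENTS:
        print(payment, "->", sca_outcome(payment).value)
    print(summarise(SAMPLE_PAYMENTS))
```

The order of the two checks matters: the initiation rule is applied first because a merchant-initiated payment is exempt whatever the geography, so there is no point asking where the issuer is. In a real integration the `customer_present` flag would come from your order flow (a subscription renewal versus a checkout), and the issuer country from the card’s BIN data or the bank account’s IBAN.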

How to comply with PSD2

Many businesses work with a payment service provider to help them comply with PSD2 requirements and offer SCA, such as 3DS2.

A PSP should always help your business comply with all the applicable regulations. They should help you adhere to PSD2 and offer other security services like PCI-compliant card processing systems, hosted checkout pages, and secure data storage.

Here at Mollie, we offer an effortless payments solution that helps you accept multiple payment methods and offer customers a frictionless checkout experience that drives conversions. Our product comes with advanced security features to protect you and your customers. These features include:

  • Dynamic 3D Secure payments
  • PCI DSS Level 1 certification
  • Fraud monitoring

Find out more about payments with Mollie.
