
© 2025 Vellis. All rights reserved. Read our Privacy Policy.


What Is PSD2? Here’s What Businesses Need to Know

If your business handles online payments in Europe or serves customers who live there, you’ve likely heard of PSD2. 

VELLIS NEWS

14 Jul 2025

By Vellis Team


PSD2, or the Second Payment Services Directive, is a European regulation that aims to make electronic payments more secure, competitive, and innovative. It sets strict standards for authentication, opens up banking data to third-party providers (with user consent), and pushes businesses to modernize their payment infrastructure.

Whether you’re an e-commerce store, fintech startup or an international brand accepting European payments, understanding PSD2 compliance is essential. This guide breaks down what PSD2 covers, how it works, who it affects, and what you should be doing to comply.

Understanding PSD2 and Its Origins

What is PSD2, really? Introduced by the European Commission, PSD2 came into force in 2018 and replaced the original Payment Services Directive (PSD1) from 2007. The upgrade was necessary: the digital economy had evolved dramatically, and regulators needed to catch up.

The goal is to create a more integrated European payment market, strengthen consumer protections, and lay the groundwork for open banking. With PSD2, the EU aimed to remove barriers to innovation, level the playing field for new entrants, and crack down on fraud.

Though it’s an EU regulation, the ripple effects of PSD2 are global. If you’re based outside the EU but sell to EU customers, PSD2 compliance may still apply.

Key Objectives and Scope of PSD2

PSD2 focuses on three major goals.

Boosting Competition

PSD2 allows third-party providers (TPPs) to access bank account information (with customer permission), which encourages innovation from fintechs and startups.

Improving Security

Strong Customer Authentication (SCA) is now a requirement for many online transactions, making fraud more difficult and payments more secure.

Increasing Transparency

Businesses must clearly disclose fees, charges, and exchange rates – no more hidden surprises.

This regulation applies to any organization offering payment services in the EU or handling EU customer data, which includes global platforms, marketplaces, and even app-based fintech companies.

Core Requirements of PSD2 Compliance

So, what is PSD2 compliance in practice? Here are the core elements your business must consider:

Strong Customer Authentication (SCA)

SCA requires multi-factor authentication (at least two of the following: something the customer knows, has, or is). This applies to most online card payments unless they fall under certain exemptions (e.g., low-value or recurring transactions).

Access to Account (XS2A)

Banks must open up their systems to licensed TPPs, allowing these providers to retrieve account data or initiate payments on behalf of customers with explicit consent.

TPP Licensing and Regulation

Businesses acting as AISPs (Account Information Service Providers) or PISPs (Payment Initiation Service Providers) must be licensed and follow strict data and security protocols.

Meeting PSD2 compliance involves technical integrations (like API access), reworking user flows (to accommodate SCA), and staying up to date with regulatory changes.
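The SCA rule described above, sketched as a payment decision function. This is an added example, not Vellis code or regulatory text: it shows that two factors from the same category do not satisfy SCA and how an exemption check sits in front of the challenge. The function names and the low-value limits (EUR 30 per payment, EUR 100 or five payments since the last SCA) are assumptions that are not stated on this page and should be confirmed against the current technical standards.

```python
from dataclasses import dataclass
from enum import Enum

class Category(Enum):
    KNOWLEDGE = "knows"     # PIN, password
    POSSESSION = "has"      # phone, hardware token
    INHERENCE = "is"        # fingerprint, face

@dataclass(frozen=True)
class Factor:
    name: str
    category: Category
    verified: bool

# Assumed low-value exemption limits; not stated on this page.
LOW_VALUE_EUR = 30.0
CUMULATIVE_EUR = 100.0
MAX_EXEMPT_COUNT = 5

def sca_satisfied(factors):
    """True when verified factors span at least two distinct categories."""
    return len({f.category for f in factors if f.verified}) >= 2

def exemption(amount_eur, spent_since_sca_eur, count_since_sca, recurring_followup):
    """Return the name of the exemption that applies, or None."""
    if recurring_followup:  # later payment in a series whose first payment had SCA
        return "recurring"
    # Conservative simplification: both counters must be within limits.
    if (amount_eur <= LOW_VALUE_EUR
            and spent_since_sca_eur + amount_eur <= CUMULATIVE_EUR
            and count_since_sca < MAX_EXEMPT_COUNT):
        return "low-value"
    return None

def authorize(amount_eur, factors, spent_since_sca_eur=0.0,
              count_since_sca=0, recurring_followup=False):
    """Decide whether a payment can proceed or needs an SCA challenge."""
    reason = exemption(amount_eur, spent_since_sca_eur,
                       count_since_sca, recurring_followup)
    if reason:
        return ("approve", "exempt:" + reason)
    if sca_satisfied(factors):
        return ("approve", "sca")
    return ("challenge", "need factors from two categories")

# Constructed sample factors.
PASSWORD = Factor("password", Category.KNOWLEDGE, True)
SECRET_Q = Factor("security question", Category.KNOWLEDGE, True)
PHONE_OTP = Factor("phone OTP", Category.POSSESSION, True)
```

Resetting the spend and count counters after each successful SCA is left to the caller.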

How PSD2 Impacts Businesses

PSD2 affects industries differently, but the impact is widespread:

  • E-commerce stores must adjust checkout processes to include authentication prompts, which can lead to cart abandonment if not implemented smoothly.
  • Fintech firms have new opportunities to innovate, accessing bank data for budgeting apps, credit scoring, or payment initiation services.
  • Traditional banks face more competition from tech-savvy TPPs, forcing them to rethink customer experience and speed of service.
  • Marketplaces must ensure their payment flow structures comply with SCA and data-sharing requirements.

For global businesses, PSD2 compliance adds complexity. You’ll need to support authentication standards in EU markets while managing different rules elsewhere.

Benefits of PSD2 for Consumers and Businesses

While PSD2 may seem like a headache at first, it brings several long-term benefits:

  • Consumers enjoy more security, transparency, and flexibility in choosing how they pay and who they share data with.
  • Businesses gain access to more customer insights, driving personalized experiences, especially when integrated with tools like conversational AI for finance.
  • Open banking APIs make it easier to partner with fintechs or offer new financial products.
  • Enforced authentication reduces fraud, which saves merchants money and strengthens customer trust.

Technology and Third-Party Providers under PSD2

PSD2 created an entirely new category of financial service providers:

  • AISPs aggregate financial data to offer tools like spending dashboards or credit analysis.
  • PISPs initiate payments directly from the customer’s bank, offering an alternative to card payments.

These TPPs must be licensed and regulated by national financial authorities in the EU. Banks are required to provide secure, standardized APIs to connect with them.

For businesses, the bridge between traditional banks and TPPs is often built by payment processing providers. These partners help ensure that transactions, data, and security requirements are managed according to PSD2 standards.

Common Misunderstandings About PSD2

Let’s clear up a few common myths about PSD2.

“PSD2 is only for European companies.”

Not true; if you serve customers in the EU, PSD2 applies.

“It’s only about fraud prevention.”

Fraud prevention is key, but PSD2 is also about enabling a more open and competitive market.

“My checkout already has 3D Secure, so I’m compliant.”

Not necessarily. PSD2 requires full SCA across different payment types and flows, not just credit card layers.

“SCA is optional for my business.”

Unless your transactions qualify for exemptions, SCA is a mandatory part of compliance.

PSD2 represents a major shift in how payments work across Europe and beyond. It’s a call for more transparency, tighter security, and broader access to financial systems. As the landscape continues to evolve with real-time payments, PSD2 compliance changing across borders, and even conversational AI for finance, it’s important to stay agile and informed.

Frequently Asked Questions (FAQs)

Who needs to comply with PSD2?

Any business that processes payments for EU customers is potentially subject to PSD2 compliance.

What is the deadline for PSD2 compliance?

The main PSD2 rules took effect in 2019, with phased extensions for Strong Customer Authentication (SCA) into 2020–2021.

Does PSD2 apply outside the EU?

Yes, international businesses serving EU-based customers must comply with PSD2 requirements.

How does PSD2 affect payment service providers?

They are required to provide open APIs for third-party access and enforce strong customer authentication protocols.

What are the penalties for non-compliance with PSD2?

Non-compliance can lead to regulatory fines, service restrictions, and potential disruption of payment operations.


Vellis Inc. is authorized as a Money Services Business by FINTRAC (Financial Transactions and Reports Analysis Centre of Canada) number M24204235. Vellis Inc. is a company registered in Canada, number 1000610768, headquartered at 30 Eglinton Avenue West, Mississauga, Ontario L5R3E7, Canada.