PSD2 Compliance

PSD2, or revised payment services directive, was meant to come into force between January 2018 and September 2019 with the objective of improving customer protection, boosting competition and innovation, and increasing security in the payments market.

After having its deadline extended, it’s currently fully enforced in Europe, except for the United Kingdom. That means every merchant or financial services provider must be PSD2 compliant and guarantee that strong customer authentication (SCA) is applied to every transaction processed in Europe.


PSD2 compliance deadline

PSD2 was originally expected to go into effect in September 2019, but the deadline ended up being extended to December 31, 2020. The main provision of PSD2 is strong customer authentication (SCA), meaning that merchants who conduct business in the EU needed to ensure compliance with SCA by the end of 2020.

In the United Kingdom, the Financial Conduct Authority (FCA) decided to delay PSD2 enforcement to September 2021, giving merchants a larger timeframe to be PSD2 compliant.


PSD2 compliance requirements

One of the main goals of PSD2 is to guarantee that online (or remote) payments are more secure, both for customers and merchants. In a nutshell, to be PSD2 compliant means meeting SCA requirements.


What is strong customer authentication

Strong customer authentication is one of the main pillars of PSD2, being a European regulatory requirement to reduce fraud and make online payments more secure. Essentially, it takes the form of a two-factor authentication (2FA) requirement, where customers need to provide two independent pieces of information to verify their identity.

Strong customer authentication requirements

To be able to comply with SCA, merchants need to be able to verify their customers' identity through at least two independent pieces of information. To facilitate the process, these pieces of information are organised in three categories:

  • Something they own (e.g., smartphone)
  • Something they know (e.g., PIN code)
  • Something they are (e.g., fingerprint)

At least two conditions from different categories need to be fulfilled for a transaction to be confirmed and accepted. These requirements are applied exclusively to transactions in the European Economic Area (EEA).

Strong customer authentication exemptions

Even though SCA is a mandatory requirement for a merchant to be PSD2 compliant, there are a few use cases where exemptions might be applied.

According to the regulation, specific types of low-risk payments can be exempted from SCA. These exemptions are requested by the payment provider, but the customer's bank always makes the final decision.

Below you will find a list of the most common PSD2 SCA exemptions:

  • Low-risk transactions
  • Payments below €30
  • Fixed-amount subscriptions
  • Merchant-initiated transactions
  • Trusted beneficiaries
  • Phone sales
  • Corporate payments
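As an added example (not code from the original page or from Nordigen), the following Python policy check shows the two rules the sections above describe: a transaction only satisfies SCA when the presented factors come from at least two different categories, and a payment below €30 can only have a low-value exemption requested, never granted, by the merchant side. The factor names, the `FACTOR_CATEGORY` mapping and the `decide` function are constructed for this example; the classic mistake it guards against is counting two factors from the same category (e.g. password + PIN) as SCA.

```python
from dataclasses import dataclass
from decimal import Decimal
from enum import Enum


class FactorCategory(Enum):
    """The three SCA categories named in the requirements section."""
    POSSESSION = "something they own"
    KNOWLEDGE = "something they know"
    INHERENCE = "something they are"


# Hypothetical mapping from the factor types an application collects to their
# SCA category. The factor names are constructed for this example.
FACTOR_CATEGORY = {
    "password": FactorCategory.KNOWLEDGE,
    "pin": FactorCategory.KNOWLEDGE,
    "security_question": FactorCategory.KNOWLEDGE,
    "authenticator_app_otp": FactorCategory.POSSESSION,
    "hardware_token": FactorCategory.POSSESSION,
    "fingerprint": FactorCategory.INHERENCE,
    "face_scan": FactorCategory.INHERENCE,
}

# "Payments below €30" is the only exemption on the page with a numeric bound.
LOW_VALUE_THRESHOLD_EUR = Decimal("30.00")


@dataclass(frozen=True)
class ScaDecision:
    # One of: "satisfied", "challenge_required", "exemption_requestable", "out_of_scope"
    outcome: str
    categories_met: frozenset
    reason: str


def categories_present(presented_factors):
    """Return the distinct SCA categories covered by the presented factors.

    An unknown factor type raises instead of being counted: a factor the
    policy cannot classify must never help satisfy SCA.
    """
    categories = set()
    for factor in presented_factors:
        if factor not in FACTOR_CATEGORY:
            raise ValueError(f"unknown factor type: {factor!r}")
        categories.add(FACTOR_CATEGORY[factor])
    return frozenset(categories)


def sca_satisfied(presented_factors):
    """SCA is met only when the factors span at least two *different* categories.

    Password + PIN is two pieces of information but a single category
    (knowledge), so it does not satisfy SCA.
    """
    return len(categories_present(presented_factors)) >= 2


def decide(amount_eur, presented_factors, in_eea=True):
    """Merchant-side SCA decision for a single transaction.

    Exemptions are only *requested* by the payment provider; the customer's
    bank makes the final decision, so a low-value payment is never treated as
    authenticated here, only flagged as exemption-requestable.
    """
    amount = Decimal(amount_eur)
    met = categories_present(presented_factors)
    if not in_eea:
        return ScaDecision("out_of_scope", met,
                           "SCA requirements apply to transactions in the EEA only")
    if len(met) >= 2:
        return ScaDecision("satisfied", met,
                           "factors from two or more independent categories")
    if amount < LOW_VALUE_THRESHOLD_EUR:
        return ScaDecision("exemption_requestable", met,
                           "below the low-value threshold; the customer's bank decides")
    return ScaDecision("challenge_required", met,
                       "a second factor from a different category is needed")


if __name__ == "__main__":
    print(decide("25.00", ["password"]))
    print(decide("120.00", ["password", "pin"]))
    print(decide("120.00", ["password", "hardware_token"]))
```

Amounts are handled as `Decimal` rather than `float` so that the €30 boundary is compared exactly; `decide("30.00", ["password"])` correctly falls through to `challenge_required`, since the page says "below €30".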


PSD2 non-compliance fines

As with most directives, PSD2 contains detailed provisions on liability for unauthorized transactions where SCA has not been applied. When it comes to administrative penalties (a.k.a. fines), however, the specifics are left to each country to decide.

There is no specific penalty fee to be applied in situations where payment service providers (PSPs) do not comply with PSD2 by not applying SCA.

As an example, the German Federal Financial Supervisory Authority (BaFin) can issue an administrative order against a PSP to apply SCA. Although non-compliance with PSD2 doesn’t translate into fines, the breach of an administrative order does.

In Germany, a PSP that doesn’t have a full banking licence can receive a penalty fee of up to 100 thousand euros, and the penalty for a PSP with full banking licence can reach 5 million euros.

Who does PSD2 compliance apply to?

PSD2 legislation specifies rights and responsibilities for third-party providers (TPPs), payment initiation service providers (PISPs) and account information service providers (AISPs); these are the parties that need to guarantee full compliance with PSD2 specifications.

FAQ

  • What is PSD2 compliance?

PSD2 compliance is mandatory for any third-party provider who, in any way, provides services related to open banking. To be PSD2 compliant, these TPPs need to make sure all regulatory requirements are followed and applied to every transaction processed online when European customers are involved.


  • What is PSD2?

PSD2 is the second revision of the Payment Services Directive, which regulates electronic payments throughout the EU. It was developed to level the playing field and increase cooperation and collaboration between fintechs and traditional banks, allowing payments to be initiated without the intervention of traditional card brand networks.

  • Why was PSD2 created?

PSD2 was created in response to changes in consumer behaviour and the evolution of the ways people pay. With the surge of new technologies and the increasing adoption of online/remote payments, the need for extra security measures was obvious.

  • Where does PSD2 apply?

PSD2 is applicable to any payment that begins, ends or travels through the European Economic Area.

  • Who does PSD2 affect?

PSD2 affects literally anyone living or working in a European country. As long as a person is buying or selling anything in Europe, they are impacted by PSD2. The new directive specifies rights and responsibilities for groups including third-party providers, payment initiation service providers and account information service providers, which results in impacts on consumers and financial institutions as well.

  • What does PSD2 mean for merchants?

For merchants, PSD2 means that the cost of payment acceptance will be lowered, the access to funds will be faster, and payment fraud will be minimized. The access to customer banking data will enable merchants to offer new payment options to reduce friction at checkout.

  • What does PSD2 mean for customers?

PSD2 offers customers more information and transparency about their payments, helping to manage their finances, as well as greater choice and lower costs in payment services. One of the main goals is to improve security of payments to reduce the chances of fraud.

Customers will also be able to gain more control over how their data will be shared and used.

  • Are there exceptions to PSD2 regulations?

PSD2 specifies some exemptions to the application of strong customer authentication (SCA) in certain situations:

  • Low-risk transactions
  • Payments below €30
  • Fixed-amount subscriptions
  • Merchant-initiated transactions
  • Trusted beneficiaries
  • Phone sales
  • Corporate payments