What is PSD2?


The second Payment Services Directive, also known as PSD2, is a framework of laws and regulations for payment services and payment service providers throughout the European Union and European Economic Area, also known as EEA. PSD2 that applies since January 2018 includes requirements for account-holding financial institutions to share their data with new independent service providers boosting innovation and competition in the EU payment market and providing consumers with more and better choices. Also, PSD2 increases consumer protection by introducing higher security standards for electronic payments known as Strong Customer Authentication, more commonly known as SCA.


What is PCI DSS?


The Payment Card Industry Data Security Standard, known as PCI DSS, is a set of security requirements to financial institutions that process credit or debit card transactions. PCI DSS aims to ensure consumers' protection against data theft and fraud internationally. This set of security requirements was launched in September 2006 by Discover Financial Services, JCB International, Visa, MasterCard, and American Express. These payment brands also established the PCI Security Standards Council, also known as PCI SSC, to administer and govern the PCI DSS. However, card issuing or acquiring financial institutions are responsible for enforcing compliance with these security requirements rather than the PCI SSC.




The PCI DSS globally applies to all financial institutions that process, store, or transmit credit card data. Compared to PCI DSS, PSD2 only applies to payments made and received within the EEA or payment service provider located in the EEA, which comprises 27 countries of the European Union, including Norway, Iceland, and Liechtenstein. However, in some cases, PSD2 also applies to payments made or payment service providers located outside the EEA (for instance, in Switzerland, the United Kingdom, or the United States). While the PCI DSS security requirements are suited only for those financial institutions that process credit or debit card transactions, PSD2 applies to payment service providers offering various internet financial services, including credit transfers and direct debit, and more. Also, unlike PCI DSS that provides only security standards, PSD2 additionally includes regulations regarding roles and statutes available for payment service providers and more. However, both PCI DSS and PSD2 require multi-factor authentication that ensures a more secure environment for consumers.


PSD2 PCI compliance


For compliance with PCI, businesses must meet all of the 12 main requirements set by the PCI Data Security Standards, including the 78 base requirements and 400 test procedures. PSD2 fully complies with PCI DSS requirement to multi-factor authentication. Similar to PCI DSS, PSD2 through SCA requires to verify consumers identity with at least two independent elements that include:

  • something only the consumer knows, for instance, a password, a passphrase, PIN, etc.;
  • something only the consumer has, such as a physical or logical security token, a one-time password token, a key fob, a smartphone, etc.;
  • Something the consumer is, in other words, a biometric measure, such as retina or iris recognition, fingerprints, facial recognition, voice recognition, etc.  

This method allows authenticating the consumers' identity during transactions and other banking activities to reduce the cost of processing fraudulent transactions, minimize risk for online fraud, and boost consumers' confidence in using online services. PSD2 with SCA allows payment service providers located in the EEA to comply with international regulations, such as PCI DSS, and achieve interoperability for safer online transactions.


Get started now!

No trial period. No credit card. Free forever.

Join our Newsletter

We frequently share industry news and Nordigen product updates to our closest friends, fintech innovators and industry experts. Sign up to our newsletter to hear more from us.

By providing your email, you accept
Nordigen's Privacy Policy.