PSD2 Requirements

The 2nd Payment Services Directive, or PSD2 for short, is probably the most important document in the world regarding payment security and payment authorization. It impacts financial transactions all over the EEA and around the world as well. To be a part of the financial sector today, your tool, software and/or business model has to be PSD2 compliant, which means meeting PSD2 requirements that are strict and very specific. Let’s look at the main PSD2 compliance requirements, including SCA and many others.

PSD2 SCA Requirements

The SCA is one of the most important acronyms within the realm of the 2nd Payment Services Directive. SCA stands for Strong Customer Authentication and it is the backbone of what makes the system work. SCA is essentially MFA or 2FA. It demands that before the payment is confirmed, the user is authenticated via two out of three available provisions.

These provisions are separated into three categories: Possession, Knowledge and Inherence. Knowledge covers things that the holder of the account knows. It can be a PIN code, a password, a special cryptic code, a combination, etc.

Possession is something that the user has. It is usually a device (smartphone), but it can also be a special code generator or other devices that are still in use today.

And finally, you have inherence, or information and data that belongs to a person. Legislators and experts of SCA like to describe inherence as something that the end user is. In the context of payment processing, inherence is usually biometric data, so fingerprints, voice matching, face ID, etc.

Users by now are aware of the fact that before any payment is processed and finalized, they need to be authorized using two data sets.

It’s worth noting that a memorized swipe path or a 3DS2 protocol are not SCA compliant.

The 97th article of the PSD2 states that the SCA needs to be used when:

· A user is trying to access their online payment accounts
· A user is trying to initiate a digital payment transaction
· A user tries to carry out any kind of financial action from a remote channel with an implied risk of fraud or other abuse

The elements of authentication (Inherence, knowledge, possession) are unique and very versatile in the sense that they’re independent and the breach of one of them does not compromise the trustworthiness of others. This means that PSD2 technical requirements, at least from the standpoint of SCA, focus on the security and transparency of all financial transactions.

How to meet the PSD2 Requirements?

In order to meet PSD2 requirements, you have to be fully aware of the regulations and laws that surround this directive.

When you’re trying to develop a product or a service in the financial market, you need to be fully aware of the technical regulations and the legal requirements in place. SCA is not the only important part of the 2nd directive for payment services, which means that you need a legal team (or consultants) as well as skilled developers to work within the parameters of these regulations.

Your requirements are visible in your local laws, where the PSD2 regulations are translated into your language or adapted for your domestic market. Everyone can find different ways to work within the same rules, hence, you need to adapt the existing regulations to the best of your abilities.

Payment service providers or banks will not be able to legally operate if they don’t comply with PSD2. It’s just technically impossible to be a fully functioning financial service provider without meeting PSD2 compliance requirements. Your local financial regulator will issue the licenses or appropriate accreditation once your business model meets the demands for safe, open, and fully transparent financial services.

PSD2 Requirements – an Opportunity or an Obstacle?

In the very early stages of implementation, or just before the second directive came into power, there were a lot of skeptics. By now, businesses and developers have become accustomed to this directive. However, it remains to be seen whether it is a document that provides opportunities for customers to get better service, or just an unnecessary obstacle that makes it more difficult for new financial startups to enter this sector.

Well, to find out we have to analyze not only PSD2 open banking requirements but the overall mood of the market, so to speak.

Right now, the process for becoming a payment service provider or a financial institution is very centralized but very clear. By meeting the PSD2 SCA requirements anyone can obtain the necessary license from the corresponding local institution and become a service provider. The directive dictates that every single ASPSP (Account Servicing Payment Service Provider) must create APIs for at least three different services. These APIs have to be made for PISP, AISP services and to check on whether the funds in the account are sufficient (hence, for account information).

The main obstacle or threat that big banks and old-school financial service providers tend to notice is the fact that they need to give up their grasp on the informational monopoly. Under the current market conditions, anyone will be able to have easier access to a wider array of financial services. Due to quicker information movement and faster data exchange, AI tools and other modern software will be able to make personalized recommendations, provide verification and process requests in much less time. This means that smaller, but more innovation-oriented financing businesses can lure customers away from these big banks. On the other hand, by embracing these principles and opportunities of open banking, banks themselves can increase their share of the market.

Future of PSD2 Requirements

If you think about it, you probably shouldn’t be surprised by the fact that the Second directive (PSD2) will, sometime in the future, be greatly revised or even replaced by a 3rd version of the document. However, in order for some major changes to happen, there has to either be a major technological improvement throughout the world or a huge shift in the world of finance.

As trends show, neither of these two should happen in the foreseeable future. Even the pandemic didn’t shake the public and legislative confidence in open banking. On the contrary, it might’ve even improved the public perception, as well as given more businesses opportunities to benefit from it.

Some More Thoughts About PSD2 Requirements

PSD2 requirements have opened up the notion of payment services and the market as a whole. With new market participants emerging left and right, everyone is expecting rapid developments in the field, with a more competitive market resulting in better services and better conditions for the customers.

Most banks, however, have been welcoming developers and looking to involve more TPPs in order to be the first with their hands on new technology and new developments. A lot of financial giants have implemented dedicated sandboxes or test environments where developers can try out various tools and see how their implementation would work with a large clientele of a big bank. For developers, this means good exposure and solid integration with a very prominent client, whilst for the bank, it means quicker implementation of innovative technology.

One of the biggest challenges in meeting PSD2 requirements is to also be compliant with the GDPR which has a lot of interlinked areas with the aforementioned document. This is probably the largest area of concern, requiring the most time and effort in order to cover. Besides all that, developers have to retain user-friendly software that is easy and convenient to use.

The Second Payment Services Directive affects all digital money transactions. It ultimately should lead to a more secure and more transparent payment environment. Open banking is following the requirements and rules of this directive in order to not only drive innovation but to also protect arguably the most valuable asset of modern times – personal data. We need to expect that these requirements really will meet the demands of present-day and future consumers as well as allow developers to maximize the potential of technology.
