The Payment Services Directive 2 (or PSD2 for short) is a piece of European Union (EU) legislation that came into force on 14 September 2019.

The revised Payment Services Directive (PSD2) aims to further modernise Europe's payment services for the benefit of consumers and businesses. It promotes the development of innovative online and mobile payments, more secure payments and better consumer protection. At the same time, the directive aims to improve the level playing field for payment service providers - including new players or FinTechs - and contribute to a more integrated and efficient European payments market. Overall, the updated rules will help to facilitate innovation, competition and efficiency in the EU online payments market. PSD2 also marks another step towards the completion of the digital single market in the EU and gives consumers more and better choices when it comes to retail payments.

PSD2 brings several major consumer benefits, such as:

  • PSD2 tackles fraud in online payments: PSD2 introduces strong security requirements for electronic payments and for the protection of consumers' financial data to ensure their privacy is respected by all market operators. These rules should boost consumer confidence when buying online;
  • PSD2 opens the EU payment market to competition: PSD2 sets the stage for the future. With online financial services constantly evolving, the new rules will apply equally to traditional banks and to innovative payment services and new providers, such as FinTechs. These players, also called third party payment service providers (TPPs), will now be regulated under EU rules. They will be able to bring a wealth of consumer benefits. For instance, they can initiate payments on behalf of customers. They give assurance to retailers that the money is on its way, or give an overview of available accounts and balances to their customers;
  • PSD2 increases consumers' rights in numerous areas. These include reducing consumers' liability for unauthorised payments and introducing an unconditional ("no questions asked") refund right for direct debits in euro (in application since January 2018);
  • PSD2 prohibits surcharging, that is, additional charges for payments with consumer credit or debit cards, both in shops and online. These rules have been applicable since January 2018;
  • PSD2 improves the complaints procedure: PSD2 obliges Member States to designate competent authorities to handle complaints from payment service users and other interested parties, such as consumer associations, if they consider their rights established by the Directive have not been respected. Payment service providers should put in place a complaints procedure for consumers which can be used before seeking out-of-court redress or before launching court proceedings. Payment service providers are obliged to respond in written form to any complaint within 15 business days (since January 2018).


Fighting online fraud - What is strong customer authentication?

PSD2 introduces strict security requirements for the initiation and processing of electronic payments. PSD2 obliges payment service providers to apply so-called “strong customer authentication” (SCA) when a payer initiates an electronic payment transaction. Payment service providers include banks and other payment service providers.

SCA is an authentication process that validates the identity of the user of a payment service or of the payment transaction. More specifically, the SCA indicates whether the use of a payment instrument is authorised. 

The requirements of strong customer authentication across the EU will help reduce the risk of fraud for online payments and online banking, and protect the confidentiality of the user's financial data, including personal data. This means that European consumers will benefit from safer electronic payments. In terms of how it works in practice, customers will receive advice from their banks or payment providers. They will have to provide two or more of the following elements when making payments, which can be categorised as:

  • Knowledge: something only the user knows, e.g. a password or a PIN code
  • Possession: something only the user possesses, e.g. a mobile phone, and
  • Inherence: something the user is, e.g. the use of a fingerprint or voice recognition.

Banks and other payment service providers will have to put in place the necessary infrastructure for SCA. They will also have to improve fraud management. Merchants will have to be equipped to operate in an SCA environment.

If it’s EU legislation, will it still apply after Brexit?

Yes, it will. PSD2 is a new law in the UK, so whatever future relationship the UK has with the EU, PSD2 will still be in force.