What Is PSD2 Compliance? How Does It Affect Your Business?

Javed Shah

The Second Payment Services Directive (PSD2) is an EU law regulating electronic payment services within EU states and the European Economic Area (EEA).

As economic ties between the EU member states become more binding, it is important that citizens and businesses in these regions have laws to help streamline banking, eCommerce, and security.

The Evolution of PSD2 and Financial Security Regulations in the EU

Adopted in 2015 as Directive (EU) 2015/2366 and applicable in member states from January 2018 (with its Strong Customer Authentication rules taking effect in September 2019), the directive was intended to harmonise payment security and support technical innovation throughout the regulated area.

PSD2 compliance follows its predecessor, the First Payment Services Directive (PSD1). PSD1, adopted in 2007, established modern rules applicable to all payment services in the EU. The goal was to make cross-border payments standardized and simplified without sacrificing security.

PSD1 was a step in the right direction but had several limitations. It did not cover all payment services or implement effective customer authentication or identity verification methods. The development of PSD2 introduced new consumer protections and promoted innovation in security and the open banking movement.

Some of the key parts of PSD2 compliance include:

  • Open Banking: Under PSD2, account-servicing banks must expose access interfaces (in practice, open APIs) so that licensed third-party providers (TPPs) can build additional financial services on top of that infrastructure.
  • Third-Party Providers (TPPs): PSD2 introduces new types of regulated service providers that, with the customer’s explicit consent, can initiate payments from or retrieve account information about a payment account held at another institution.
  • Strong Customer Authentication (SCA): PSD2 also introduces more rigorous requirements for customer authentication when a customer accesses an account online or initiates an electronic payment. This process is known as Strong Customer Authentication, which requires at least two independent authentication elements from the customer, drawn from different categories (knowledge, possession, inherence).
  • Increased Consumer Rights: PSD2 also enhances consumer rights in several areas, including capping the customer’s liability for unauthorised payments at 50 euros (down from 150 euros under PSD1), introducing an unconditional refund right for direct debits in euros, and banning surcharges on most consumer card payments.

Who Has to Follow PSD2?

PSD2 compliance applies to various organizations, including traditional banks, credit institutions, electronic money institutions, payment institutions, and certain fintech companies. The directive introduces rigorous requirements for these organizations, such as enhanced customer authentication measures and the need to open access to customer account data for third-party providers (with the customer’s consent).

Some of these organizations include:

  • Banks and Credit Institutions: Traditional banks and credit institutions must comply with PSD2 regulations. This includes providing access to account information and payment initiation services to third-party providers (TPPs) where the customer has given explicit consent.
  • Payment Institutions: This refers to institutions that have been granted permission to provide payment services but which are not necessarily banks. These institutions might offer services such as money remittance, execution of payment transactions, and issuing/acquiring payment instruments. The category also covers the two new kinds of TPP that PSD2 introduces: Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs).
  • Card Issuing and Acquiring Institutions: Organizations that issue debit or credit cards to consumers or process payments for merchants must also comply with the PSD2 regulations.
  • Other Financial Institutions: Other institutions involved in the processing or receipt of payments, including money transfer operators and certain types of mobile network operators, may also have to comply with the directive.

What Can Happen When You Don’t Comply with PSD2?

PSD2 compliance is mandatory for all applicable entities operating within the EEA, as transposed into national law by the EU member states and participating countries. The directive does not fix a single EU-wide fine; instead it requires each member state to set penalties that are effective, proportionate and dissuasive, and national regulators can impose fines or withdraw a provider’s authorisation to operate. (The often-quoted figure of 4% of annual turnover comes from the GDPR, not from PSD2.)

Note that PSD2 applies in full to transactions in any currency where both the payer’s and the payee’s payment service providers are located within the EEA. Some of its transparency and information requirements also apply to so-called one-leg transactions, where only one of the two providers is in the EEA.

How Can Organizations Meet PSD2 Requirements?

Meeting PSD2 requirements often involves significant changes to an organization’s operations, technology, and business model, especially for organizations that have not yet deployed secure payment technologies.

There are a few key areas where organizations can focus their efforts to maintain PSD2 compliance:

  • Strong Customer Authentication (SCA): SCA requires that authentication use at least two elements from different categories: something the customer knows (a PIN or password), something the customer has (a phone, card or hardware token), and something the customer is (a biometric). The elements must be independent, so that a compromise of one does not undermine the reliability of the others, and for remote payments the resulting authentication code must be dynamically linked to the amount and the payee of that specific transaction.
  • Open APIs: Banks and other financial institutions must provide access to their customers’ accounts via open APIs (Application Programming Interfaces) to allow third-party providers (TPPs) to develop new services. These APIs must enable TPPs to retrieve account information (if the customer consents) and initiate payments directly from the customer’s account.
  • Transparency and Communication: Organizations need to provide clear information about all transactions, ensuring complete transparency with the customer about any applicable fees, charges, and the timeframe for transactions. This includes information related to incidents of fraud.
  • Data Security and Privacy: Organizations must protect data confidentiality and integrity, including implementing rigorous data security measures and ensuring PSD2 compliance with other applicable laws and regulations, such as GDPR.
  • Registration and Licensing: Certain organizations, such as PISPs and AISPs, must register with their national financial regulator and may need a license to operate.
  • Fraud Monitoring and Reporting: PSD2 requires service providers to establish a framework for monitoring transactions, detecting fraud, and reporting fraud rates and major operational or security incidents to their regulator.
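The two SCA rules above, two independent elements from different categories and an authentication code that is dynamically linked to the amount and payee, are easy to state and easy to get subtly wrong in an authorization service. The following is an added example written for this article, not 1Kosmos code and not a reference implementation of PSD2. It encodes a policy check for the element rule and an HMAC-based linked code, and shows that changing the amount after the code was issued makes the code fail. The class and function names, the per-element "channel" field used to judge independence, and the shared key and sample values are all the editor’s assumptions; the independence rule here (two elements are only independent if they differ in both category and channel) is deliberately stricter than the regulatory minimum, which allows multi-purpose devices with extra mitigations.

```python
"""Added example: an SCA policy check and a dynamically linked authentication code.

Constructed for illustration; not 1Kosmos code and not an official PSD2 reference.
"""
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    """The three element categories PSD2 uses for SCA."""
    KNOWLEDGE = "knowledge"    # something only the customer knows (PIN, password)
    POSSESSION = "possession"  # something only the customer has (phone, card, token)
    INHERENCE = "inherence"    # something the customer is (fingerprint, face)


@dataclass(frozen=True)
class Element:
    name: str
    category: Category
    channel: str  # hypothetical field: device/channel the element was presented through


def sca_satisfied(elements):
    """Return (ok, reason).

    ok is True only if some pair of elements differs in BOTH category and channel.
    Different categories is the PSD2 two-element rule; different channels is this
    policy's (assumed, stricter-than-minimum) test for independence: two elements
    presented through one compromised channel are treated as a single element.
    """
    if len({e.category for e in elements}) < 2:
        return False, "fewer than two element categories"
    for a in elements:
        for b in elements:
            if a.category != b.category and a.channel != b.channel:
                return True, "ok"
    return False, "no two elements are independent (same channel)"


def _canonical(amount: str, payee: str, nonce: bytes) -> bytes:
    """Length-prefixed encoding so field boundaries cannot be shifted by an attacker."""
    out = b""
    for field in (amount.encode("utf-8"), payee.encode("utf-8"), nonce):
        out += len(field).to_bytes(2, "big") + field
    return out


def authentication_code(key: bytes, amount: str, payee: str, nonce: bytes) -> str:
    """Authentication code dynamically linked to amount and payee.

    key is assumed to be a secret shared between the possession element (an app on
    the customer's phone, say) and the bank's backend; key management is out of scope.
    The nonce ties the code to one authentication session so it cannot be replayed.
    """
    return hmac.new(key, _canonical(amount, payee, nonce), hashlib.sha256).hexdigest()


def verify_code(key: bytes, amount: str, payee: str, nonce: bytes, code: str) -> bool:
    """Constant-time comparison against the code recomputed for THIS amount and payee."""
    expected = authentication_code(key, amount, payee, nonce)
    return hmac.compare_digest(expected, code)


def authorize_payment(elements, key, amount, payee, nonce, code):
    """Full decision: the element rule and the linked code must both hold."""
    ok, reason = sca_satisfied(elements)
    if not ok:
        return False, reason
    if not verify_code(key, amount, payee, nonce, code):
        return False, "authentication code is not linked to this amount/payee"
    return True, "authorized"


if __name__ == "__main__":
    # Constructed sample input; not real account or key material.
    key = b"constructed-demo-key"
    nonce = b"session-nonce-0001"
    elements = [Element("pin", Category.KNOWLEDGE, "web"),
                Element("app-approval", Category.POSSESSION, "phone")]
    code = authentication_code(key, "49.90", "payee-merchant-42", nonce)
    print(authorize_payment(elements, key, "49.90", "payee-merchant-42", nonce, code))
    # Same code presented with a tampered amount: rejected.
    print(authorize_payment(elements, key, "490.90", "payee-merchant-42", nonce, code))
    # PIN and face both entered on the phone: two categories, but not independent here.
    same_device = [Element("pin", Category.KNOWLEDGE, "phone"),
                   Element("face", Category.INHERENCE, "phone")]
    print(sca_satisfied(same_device))
```

The point of the length-prefixed canonical encoding is that the code commits to the exact (amount, payee) pair; simply concatenating the strings would let "4.990" plus "0…" collide with "49.90" plus "…". Real deployments also show the amount and payee to the customer at the moment the code is generated, since the linkage is only meaningful if what was signed is what the customer saw.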

It’s also worth noting that EU member states may have slightly different laws, requiring different applications based on the jurisdiction.

Meet Authentication Requirements for PSD2 with 1Kosmos

One of the fundamental requirements of PSD2 is SCA compliance, a form of multi-factor authentication requiring multiple identity verification factors. This is a critical component of both compliant eCommerce organizations and providers relying on Open Banking standards.

With 1Kosmos, you get this level of security in a package that includes intuitive user onboarding, FIDO2-compliant authentication, and decentralized identity management.

With 1Kosmos BlockID, you get the following features:

  • Identity-Based Authentication: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through credential triangulation and identity verification.
  • Cloud-Native Architecture: Flexible and scalable cloud architecture makes it simple to build applications using our standard API and SDK.
  • Identity Proofing: BlockID verifies identity anywhere, anytime and on any device with over 99% accuracy.
  • Privacy by Design: Embedding privacy into the design of our ecosystem is a core principle of 1Kosmos. We protect personally identifiable information in a distributed identity architecture, and the encrypted data is only accessible by the user.
  • Private and Permissioned Blockchain: 1Kosmos protects personally identifiable information in a private and permissioned blockchain and encrypts digital identities so that they are accessible only to the user. The distributed design means there is no central database to breach and no honeypot for attackers to target.
  • Interoperability: BlockID can readily integrate with existing infrastructure through its 50+ out-of-the-box integrations or via API/SDK.
  • SIM Binding: The BlockID application uses SMS verification, identity proofing, and SIM card authentication to create solid, robust, and secure device authentication from any employee’s phone.

1Kosmos BlockID Customer offers banks, financial institutions, payment service providers and others a platform that is FIDO2 certified and certified against NIST 800-63-3. Our solution delivers identity assurance level 2 (IAL2) identity proofing and authentication assurance level 2 (AAL2) user authentication. Learn how 1Kosmos can help your business with PSD2 Compliance and Strong Customer Authentication.

Meet the Author

Javed Shah

Former Senior Vice President Of Product Management

Javed has spent his entire twenty-year career designing and building blockchain and identity management solutions. He has led large customer-facing pre-sales teams and product management for identity management platforms such as the ForgeRock Identity Platform and the ForgeRock Identity Cloud. Javed has an MBA from UC Berkeley.