PSD2 compliance: What businesses need to know

PSD2, or the Second Payment Services Directive, is a regulatory framework introduced by the European Union to govern payment services across the EU and EEA. Its primary aim is to improve payment security, increase competition, and strengthen consumer protection in the digital payments ecosystem.

Two core components define PSD2. Access to Account (XS2A) requires banks to allow authorised third-party providers to access customer account data with explicit consent, enabling new financial services. Strong Customer Authentication (SCA) introduces stricter identity verification requirements to reduce fraud in electronic payments.

For businesses, PSD2 is not optional. It directly affects how payments are processed, how customer data is accessed, and how security is enforced.

The key things businesses need to understand about PSD2 compliance

Scope of PSD2

PSD2 applies to organisations providing or facilitating payment services within the European Economic Area (EEA). This includes banks, payment service providers, fintechs, e-commerce platforms, and any business handling electronic payments.

Strong Customer Authentication (SCA)

SCA requires most electronic payments to be verified using at least two independent authentication factors, drawn from the following three categories:

  • Something the customer knows (e.g. password or PIN)
  • Something they have (e.g. mobile device)
  • Something they are (e.g. biometric data such as fingerprint or facial recognition)

This is a direct response to rising fraud in digital payments. If SCA is not correctly applied where required, transactions can be declined.

Exemptions from SCA

Not every transaction requires SCA. Common exemptions include:

  • Low-value payments (typically under £30)
  • Recurring payments with fixed amounts
  • Trusted beneficiaries (whitelisted merchants)

However, these exemptions rely on risk-based decisions and can still be challenged by issuing banks.
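The following example ties together the two SCA passages above (the independent-factor requirement and the exemption list) as a small authorisation policy such as a merchant's payment backend might apply before submitting a transaction. It is added for this article and is not code from any bank, PSP or regulator; the factor categories and the £30 low-value figure are the article's, and the data shapes, function names and the rule that an exemption is only a request the issuer may override are assumptions.

```python
"""Added example: minimal SCA policy check for a payment backend.

Illustrative code written for this article, not from any bank, PSP or regulator.
The three factor categories and the £30 low-value figure come from the article;
all names and data shapes below are assumed for the example.
"""

from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "knowledge"    # something the customer knows (password, PIN)
    POSSESSION = "possession"  # something they have (registered mobile device)
    INHERENCE = "inherence"    # something they are (fingerprint, face)


# Article: "typically under £30". Confirm the exact threshold with your scheme/issuer.
LOW_VALUE_LIMIT_GBP = 30.00


@dataclass
class Payment:
    amount_gbp: float
    payee_id: str
    recurring_fixed_amount: bool = False     # part of a fixed-amount recurring series
    trusted_payees: frozenset = frozenset()  # payees the customer has whitelisted with their bank


@dataclass
class ScaDecision:
    sca_required: bool
    reason: str


def sca_exemption(payment: Payment) -> ScaDecision:
    """Decide whether the merchant may request an exemption instead of running SCA.

    An exemption is only a request: the issuing bank makes the final risk-based
    call and can still step up to full authentication, so callers must handle a
    soft decline that asks for SCA (the article's "can still be challenged").
    """
    if payment.amount_gbp < LOW_VALUE_LIMIT_GBP:
        return ScaDecision(False, "low-value exemption requested")
    if payment.payee_id in payment.trusted_payees:
        return ScaDecision(False, "trusted-beneficiary exemption requested")
    if payment.recurring_fixed_amount:
        return ScaDecision(False, "fixed-amount recurring exemption requested")
    return ScaDecision(True, "no exemption applies")


def satisfies_sca(factors_presented: list) -> bool:
    """True only if at least two *independent* categories were verified.

    Two factors from the same category (e.g. password + PIN, both knowledge)
    do not count: independence means compromising one factor must not
    compromise the other.
    """
    return len(set(factors_presented)) >= 2


def authorise(payment: Payment, factors_presented: list) -> tuple:
    """Combine exemption logic and the factor check into one outcome."""
    decision = sca_exemption(payment)
    if not decision.sca_required:
        return True, decision.reason
    if satisfies_sca(factors_presented):
        return True, "SCA satisfied"
    return False, "SCA required but not satisfied"


if __name__ == "__main__":
    # Constructed sample transactions
    coffee = Payment(amount_gbp=4.50, payee_id="cafe-001")
    laptop = Payment(amount_gbp=899.00, payee_id="shop-042")
    print(authorise(coffee, []))                                      # low-value: exemption requested
    print(authorise(laptop, [Factor.KNOWLEDGE, Factor.KNOWLEDGE]))    # same category twice: declined
    print(authorise(laptop, [Factor.KNOWLEDGE, Factor.POSSESSION]))   # two independent factors: ok
```

The point a practitioner should take from `satisfies_sca` is that two prompts are not the same as two factors; and from `sca_exemption`, that an exemption flag on the request never guarantees the issuer will accept it, so the checkout flow must still be able to complete a challenge.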

Access to Account (XS2A)

Banks must provide secure API access to customer account data for authorised third-party providers. This has driven the rise of open banking and new services such as account aggregation and payment initiation.

For businesses, this increases both opportunity and exposure. Data access must be tightly controlled and properly consented.

Consent and data privacy

Explicit customer consent is mandatory before accessing account data. PSD2 works alongside GDPR, meaning businesses must ensure data is handled securely, used appropriately, and stored in compliance with privacy regulations.

Liability and fraud risk

PSD2 shifts more liability onto payment service providers for unauthorised transactions. If SCA is not correctly applied, businesses may be responsible for losses. This makes implementation accuracy critical.

Incident reporting

Significant operational or security incidents must be reported to regulators. This includes data breaches, fraud spikes, or system failures affecting payment services.

Regulatory reporting

Firms must maintain clear records and demonstrate compliance when required. This includes audit trails for authentication, consent, and transaction processing.

Customer experience impact

SCA introduces additional friction into payments. If poorly implemented, it increases abandonment rates. Businesses need to balance compliance with usability, particularly in e-commerce environments.

Penalties for non-compliance

Failure to comply with PSD2 can result in regulatory fines, transaction failures, and reputational damage. Enforcement varies by jurisdiction but is consistently strict.

Ongoing change

PSD2 is not static. Regulatory technical standards evolve, and interpretations change. Businesses need to continuously monitor updates and adjust systems accordingly.

International implications

PSD2 can affect businesses outside the EU if they serve EU customers or process EU-based payments. Cross-border businesses cannot ignore it.

Bottom line: PSD2 forces businesses to rethink how they handle payments, authentication, and customer data. It raises the baseline for security while opening the market to new competitors. Compliance is not just legal – it directly affects conversion rates, fraud exposure, and customer trust.
