What is Payment Services Directive 2 (PSD2)?

PSD2, or the Revised Payment Services Directive, is a European policy with objectives related to online payment security and competition within the financial industry.  It is an update to the original 2007 directive. 

The rule mandates more stringent client authentication measures for online purchases.  A significant shift is that it requires banks to share their payment services and consumer data with regulated third-party providers (TPPs), but only with customer consent.  

The ‘open banking’ technique relates to endeavors focused on innovation and the creation of new financial products.  It applies to transactions involving EU/EEA currencies and affects payment providers both within and outside of the EU/EEA.

The primary goals of PSD2 are to: 

• Connect and evolve the European payments market. 
• Aim for comparable operating conditions across payment service providers. 
• Focus on payment security and consumer protection. 

It functions by granting access to bank accounts for authorized third-party providers, potentially influencing innovation and competition.  It also relates to transaction security via Strong Customer Authentication (SCA) and data protection measures.  

While these measures enhance security, consumers should always remain vigilant against phishing attempts. 

PSD2 introduces regulations intended to affect consumer protection and market competition. 

• Third-Party Access: Regulated third parties can access payment accounts with customer consent. 
• Strong Customer Authentication (SCA): SCA is required for most online transactions to enhance security. 
• Transparency: Involves establishing guidelines for fee structures and refund processes. 
• Fee Prohibition: Unjustified fees are prohibited. 
• Complaint Procedure: Payment service providers must have a straightforward complaint process. 
• Exemptions: Low-Value Payment (LVP) transactions are sometimes exempt from extra authentication to balance security with convenience. 

Strong Customer Authentication (SCA) is a security requirement from PSD2 that adds an extra layer of verification to make online payments more secure. 

It enhances security by requiring at least two out of three different authentication elements: 

• Knowledge: Something only the user knows (e.g., a password or PIN). 
• Possession: Something only the user possesses (e.g., their smartphone). 
• Inherence: Something the user is (e.g., a fingerprint or face scan). 

SCA also employs dynamic linking, which connects the authentication directly to the specific transaction amount and payee.  This can deter unauthorized modifications to the transaction details following approval.  While SCA boosts consumer trust, merchants and payment providers face the challenge of implementing it without disrupting the customer experience. 

PSD2 improves online payment security primarily by requiring Strong Customer Authentication (SCA) and dynamic linking. 

It also establishes specific security criteria for payment service providers, which may affect fraud risks and the privacy of financial information.  PSD2 includes provisions for cost transparency and defines duties within payment transactions, potentially influencing customer trust. 

Employing security measures like 3D Secure, as outlined in PSD2, can affect the security protocols of online card payments.

PSD2 presents both significant opportunities and notable challenges for businesses. 

Opportunities  

• Innovation: New players entering the market may present competition to traditional banks offering financial services. 
• Better Transactions: Increased competition and new technology can lead to quicker, cheaper, and more secure transactions. 
• More Payment Methods: An increase in available payment methods enhances customer convenience and can expand a business’s market reach. 

Challenges  

• Compliance Costs: Businesses face costs to upgrade their systems and processes to meet PSD2 standards. 
• Security Risks: There are increased security risks, especially concerning data in transit, which requires very robust security measures. 
• Licensing: Businesses that act on behalf of both the buyer and seller may need to get a payments license, which adds operational complexity.

PSD2 has implications for customers regarding the safeguarding of financial transactions and shifts in their market alternatives. 

It requires Strong Customer Authentication (SCA) for most electronic payments and offers customers immediate access to their payment transaction data.  The rule also aims to facilitate consumer refunds for transactions identified as unlawful.  

PSD2’s granting of access to account information (with consent) for approved third-party providers has a relationship with company innovation and consumer options.  Although security measures are increased, it remains important for consumers to protect their login passwords.