What is PSD2 and why does it exist?
PSD2 refers to Directive (EU) 2015/2366 of the European Parliament and of the Council, which regulates payment services across the European Union. It replaced the former Directive 2007/64/EC.
The purpose of PSD2 is to support the development of a single European market for secure electronic payments while opening the market to innovation and competition.
PSD2 was introduced to:
Integrate retail payments across EU Member States
Close regulatory gaps between existing and new payment models
Improve transparency and consumer choice
Ensure fair competition between traditional banks and new providers
Strengthen security for electronic payments
Increase consumer protection
If you provide or rely on payment services in the EU, PSD2 directly affects your processes, your systems, and your customer experience.
When is Strong Customer Authentication (SCA) required?
Strong Customer Authentication (SCA) is a mandatory security mechanism designed to protect users against fraud and unauthorized access.
SCA requires at least two independent authentication elements from the following categories:
Knowledge (something only the user knows)
Possession (something only the user has)
Inherence (something the user is, such as biometrics)
Payment Service Providers must apply SCA when a user:
Logs in to an online payment account
Initiates an electronic payment transaction
Carries out any action through a remote channel that may present a risk of payment fraud or other abuse
For remote payments, SCA must dynamically link the transaction to a specific amount and specific payee to prevent tampering.
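As an added illustration (not part of the original page, and PSD2 itself prescribes no particular algorithm), the Python below shows the two checks a verifier performs for a remote payment: that the presented elements span at least two distinct categories, and that the authentication code is bound to the exact amount and payee so that changing either invalidates it. The HMAC construction, the per-session key, the nonce and the sample IBAN are assumptions.

```python
import hashlib
import hmac
import secrets

# The three SCA element categories named in PSD2.
CATEGORIES = {"knowledge", "possession", "inherence"}


def meets_sca(elements):
    """True if the elements cover at least two distinct categories.

    `elements` is a list of (category, element_id) pairs. Two elements of
    the same category (e.g. two passwords) do not satisfy SCA.
    """
    categories = {category for category, _ in elements}
    unknown = categories - CATEGORIES
    if unknown:
        raise ValueError(f"unknown SCA category: {sorted(unknown)}")
    return len(categories) >= 2


def canonical_transaction(amount_cents, currency, payee, nonce):
    """Length-prefix every field so a crafted payee cannot shift field boundaries."""
    encoded = b""
    for field in (str(amount_cents), currency, payee, nonce):
        data = field.encode("utf-8")
        encoded += len(data).to_bytes(4, "big") + data
    return encoded


def dynamic_link_code(key, amount_cents, currency, payee, nonce):
    """Authentication code tied to this exact amount and payee (assumed HMAC scheme)."""
    message = canonical_transaction(amount_cents, currency, payee, nonce)
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_dynamic_link(key, amount_cents, currency, payee, nonce, code):
    """Recompute the code for the values the PSP is about to execute and compare."""
    expected = dynamic_link_code(key, amount_cents, currency, payee, nonce)
    return hmac.compare_digest(expected, code)


def demo():
    key = secrets.token_bytes(32)  # constructed per-session key shared with the PSP
    nonce = secrets.token_hex(8)
    payee = "DE89370400440532013000"  # constructed sample IBAN
    code = dynamic_link_code(key, 10000, "EUR", payee, nonce)  # user approved EUR 100.00
    genuine = verify_dynamic_link(key, 10000, "EUR", payee, nonce, code)
    tampered = verify_dynamic_link(key, 99900, "EUR", payee, nonce, code)  # amount altered
    return genuine, tampered
```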
How must banks and third-party providers communicate securely?
Account Servicing Payment Service Providers (ASPSPs) must provide at least one technical interface that allows secure access for authorized third-party providers (TPPs), including Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs).
Communication must:
Use secure and open technical standards
Ensure interoperability between systems
Allow third parties to rely on bank authentication mechanisms
Apply strong encryption across data sessions
Protect both confidentiality and integrity of information
These requirements ensure that open banking is both interoperable and secure.
Who is liable for unauthorized payment transactions?
If an unauthorized payment occurs, the user’s PSP must refund the amount immediately and no later than the next business day. The account must be restored as if the transaction never happened.
Users may be liable for losses up to EUR 50 if their payment instrument was lost or stolen, unless fraud, negligence, or intent is proven.
If a Payment Initiation Service Provider (PISP) is involved:
The ASPSP refunds the user
The PISP reimburses the ASPSP if responsibility lies with the PISP
The burden of proof lies with the PISP to show that the transaction was properly authenticated and accurately recorded
What are the authorization and capital requirements for payment institutions?
Any organization intending to provide payment services must obtain authorization as a Payment Institution (PI) from its national regulator.
Capital requirements depend on activity:
EUR 20,000 for money remittance
EUR 50,000 for payment initiation services
EUR 125,000 for executing payment transactions
Payment institutions must also hold own funds at all times, calculated using Method A, B or C as defined in PSD2.
Client funds must be safeguarded by:
These measures ensure client funds are protected in case of insolvency.
When does SCA not apply?
PSD2 allows limited exemptions if overall fraud risk remains low.
SCA may be waived in cases such as:
For account access:
For low-value payments:
Other exemptions include:
Transport and parking terminals
Trusted beneficiaries
Recurring transactions after initial authentication
Low-risk transactions under Transaction Risk Analysis (TRA)
Fraud rate thresholds and Exemption Threshold Values (ETV) are defined in regulatory annexes for card payments and credit transfers.