# What Is PSD2?

## Definition

PSD2 (Payment Services Directive 2) is a European Union regulation governing electronic payment services, mandating Strong Customer Authentication (SCA) for online payments and enabling open banking by requiring banks to provide API access to licensed third-party providers.

## Explained in Detail

PSD2 (the Second Payment Services Directive) is a comprehensive piece of EU legislation that regulates payment services and payment service providers throughout the European Economic Area (EEA). Adopted in November 2015 and effective from January 2018 (with SCA enforcement phased in through 2021), PSD2 replaced the original Payment Services Directive (PSD1, 2007) and introduced two transformative changes: mandatory Strong Customer Authentication (SCA) for electronic payments and the legal framework for open banking.

## Strong Customer Authentication (SCA)

SCA is the most impactful PSD2 requirement for merchants and PSPs. It mandates that electronic payments within the EEA must be authenticated using at least two of three independent factors:

- **Knowledge**: Something the customer knows (password, PIN, security question).
- **Possession**: Something the customer has (mobile phone, hardware token, smart card).
- **Inherence**: Something the customer is (fingerprint, facial recognition, voice recognition).

For online card payments, 3D Secure 2 (3DS2) is the primary mechanism for meeting SCA requirements. When a consumer makes an online purchase, the transaction is routed through 3DS2, where the issuing bank decides whether to apply a frictionless flow (approving based on risk assessment and available data) or a challenge flow (requiring the consumer to authenticate with a second factor).

## SCA Exemptions

PSD2 recognizes that requiring SCA for every transaction would create excessive friction. Several exemptions exist:

**Low-value transactions**: Transactions under €30 are exempt (up to a cumulative limit of €100 or 5 consecutive exempt transactions).

**Trusted beneficiaries**: Consumers can whitelist trusted merchants with their bank, exempting future transactions with those merchants from SCA.

**Recurring payments**: After the initial SCA-authenticated transaction, subsequent merchant-initiated recurring charges (same amount, same merchant) are exempt.

**Transaction Risk Analysis (TRA)**: Acquirers and PSPs with low fraud rates can claim TRA exemptions for transactions below certain thresholds (€100 for acquirers with fraud rates below 0.13%, €250 for below 0.06%, €500 for below 0.01%). This is the most commonly used exemption for e-commerce.

**Mail Order / Telephone Order (MOTO)**: Transactions initiated by phone or mail are out of scope for SCA.

**One-leg transactions**: Transactions where either the issuer or the acquirer is outside the EEA are technically out of scope, though many non-EEA issuers still require 3DS.
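As an added example (not code from the original page or from any PSP), the following minimal exemption engine applies the thresholds listed above in the order a merchant-side engine would typically check them. The transaction fields, per-card counters and decision labels are assumptions for illustration; the issuer always retains the right to reject a claimed exemption and challenge.

```python
from dataclasses import dataclass
from decimal import Decimal

TRA_TIERS = (  # (PSP reference fraud rate, max amount) tiers as listed above
    (Decimal("0.0001"), Decimal("500")),  # fraud rate below 0.01% -> up to EUR 500
    (Decimal("0.0006"), Decimal("250")),  # below 0.06% -> up to EUR 250
    (Decimal("0.0013"), Decimal("100")),  # below 0.13% -> up to EUR 100
)
LOW_VALUE_MAX = Decimal("30")          # "under EUR 30" as stated above (RTS says "does not exceed"; check current text)
LOW_VALUE_CUMULATIVE = Decimal("100")  # cumulative cap since the last SCA
LOW_VALUE_MAX_COUNT = 5                # consecutive exempt transactions cap

@dataclass
class Txn:  # assumed transaction shape, not from the page
    amount_eur: Decimal
    issuer_in_eea: bool = True
    acquirer_in_eea: bool = True
    moto: bool = False
    recurring_mit: bool = False        # merchant-initiated repeat of an SCA-authenticated first charge
    trusted_beneficiary: bool = False  # merchant whitelisted with the issuer

@dataclass
class CardState:  # constructed per-card counters since the last SCA challenge
    exempt_sum: Decimal = Decimal("0")
    exempt_count: int = 0

def tra_limit(fraud_rate: Decimal) -> Decimal:
    """Largest amount the PSP may claim under TRA at this fraud rate (0 if none)."""
    return next((lim for rate, lim in TRA_TIERS if fraud_rate < rate), Decimal("0"))

def decide(txn: Txn, state: CardState, psp_fraud_rate: Decimal) -> str:
    """Return why SCA is skipped, or 'SCA_REQUIRED'. Updates the card counters."""
    if txn.moto:
        return "OUT_OF_SCOPE_MOTO"
    if not (txn.issuer_in_eea and txn.acquirer_in_eea):
        return "OUT_OF_SCOPE_ONE_LEG"
    if txn.recurring_mit:
        return "EXEMPT_RECURRING"
    if txn.trusted_beneficiary:
        return "EXEMPT_TRUSTED_BENEFICIARY"
    if (txn.amount_eur < LOW_VALUE_MAX
            and state.exempt_count < LOW_VALUE_MAX_COUNT
            and state.exempt_sum + txn.amount_eur <= LOW_VALUE_CUMULATIVE):
        state.exempt_sum += txn.amount_eur
        state.exempt_count += 1
        return "EXEMPT_LOW_VALUE"
    if txn.amount_eur <= tra_limit(psp_fraud_rate):
        return "EXEMPT_TRA"  # issuer may still decline the claim and challenge
    state.exempt_sum, state.exempt_count = Decimal("0"), 0  # SCA resets the counters
    return "SCA_REQUIRED"
```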

## Open Banking Under PSD2

PSD2's second major innovation is requiring banks to open their infrastructure to licensed third-party providers through secure APIs. PSD2 created two new categories of regulated entities:

**Account Information Service Providers (AISPs)**: Licensed to access customer account data (with consent) for services like account aggregation, financial planning, and creditworthiness assessment.

**Payment Initiation Service Providers (PISPs)**: Licensed to initiate payments directly from a customer's bank account (with consent), enabling "pay by bank" solutions that bypass card networks.

Banks in the EEA are legally required to provide APIs that AISPs and PISPs can use to access account information and initiate payments. Banks cannot block or restrict access for licensed providers (though the quality and reliability of bank APIs has been a source of ongoing friction in the industry).

## Impact on Merchants

PSD2 has had significant implications for online merchants:

**Conversion impact**: SCA initially caused concern about increased checkout friction and decreased conversion. In practice, 3DS2's frictionless flow has mitigated most of the impact — data from major PSPs shows that 70-90% of transactions are authenticated frictionlessly, with minimal conversion impact. However, poorly implemented SCA can still cause drops of 5-15%.

**Implementation cost**: Merchants and PSPs invested significant resources in upgrading their payment flows to support 3DS2, implement exemption engines, and optimize for frictionless authentication.

**New payment options**: Open banking has enabled new payment methods (like Trustly, TrueLayer, and GoCardless's open banking products) that offer merchants lower fees and no chargebacks compared to card payments.

## PSD2 vs PSD3

The European Commission proposed PSD3 in June 2023, which would further refine the regulatory framework. Key proposed changes include: consolidating PSD2 and the Electronic Money Directive into a single directive, strengthening fraud prevention measures, improving open banking API performance requirements, and introducing new rules for "buy now, pay later" services. PSD3 is expected to be finalized and implemented in 2025-2026.

## PSD2 Enforcement

PSD2 is enforced at the national level by each EEA member state's financial regulator (e.g., BaFin in Germany, FCA in the UK before Brexit, Banque de France in France). Penalties for non-compliance vary by country but can include fines, license revocation, and enforcement actions. The UK retained PSD2 requirements in its domestic law after Brexit, with the Financial Conduct Authority as the regulator.
