Payment Services Directive 2 (PSD2)

PSD2 is a revised version of the EU's Payment Services Directive, and the version currently in force.

When it took effect in 2009, the original Payment Services Directive (PSD1) made it possible for non-bank institutions to offer payment services. In doing so, it paved the way for the European fintech industry.

PSD2, which came into force in 2018, builds on PSD1 with the aim of:

  • Increasing competition and innovation
  • Strengthening consumer protection

To this end, PSD2 introduced three key changes: strong customer authentication, enhanced data security requirements, and enhanced consumer rights.

It also broadened the rules so that more firms fall within its scope. And, most significantly, it introduced the concept of open banking, which laid the groundwork for account-to-account payments and embedded finance technology.

1. Open banking

Arguably the most far-reaching PSD2 measure, open banking rules obliged banks to create and maintain APIs that grant regulated third parties access to customer accounts and associated data, subject to the customer's consent.

When open banking rules first kicked in, their primary use case was as a more secure alternative to scraping.

Scraping allowed personal finance management apps to log onto a user's bank account using the user's credentials.

With open banking, by contrast, the user doesn't share credentials. The third party connects to the bank directly via API. This means there's no risk of the user's credentials falling in the wrong hands. The user also has more control over what information they share.

Over time, open banking technology evolved to the point where users can now pre-authorize payments directly from their bank accounts.

Crucially, open banking's API-driven environment allows non-financial companies to integrate banking and payment functions directly into their services: a capability we now know as embedded finance technology.

2. Strong Customer Authentication

PSD2 introduced strong customer authentication, a multi-factor approach built on three categories of authentication factor, to make it harder for fraudsters to bypass security.

For a payment to be approved, merchants must verify the customer using at least two out of three methods:

  • Something the customer owns, such as a card or mobile device
  • Something the customer knows, for example a password or PIN
  • Something the customer is, such as Face ID, fingerprints, or other biometric authentication methods
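An added example, not code from the original page, of the two-out-of-three rule as a check a payment service might run before approving a payment; the evidence types and their mapping to factor categories are assumptions. It also covers the case the rule implies but the text does not spell out: two elements from the same category (two passwords, say) count as one factor and do not satisfy SCA on their own.

```python
from dataclasses import dataclass

# The three PSD2 factor categories: knows / owns / is.
KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"
CATEGORIES = {KNOWLEDGE, POSSESSION, INHERENCE}

# Hypothetical mapping of evidence types to categories (assumption, not
# taken from the directive).
EVIDENCE_CATEGORY = {
    "password": KNOWLEDGE,
    "pin": KNOWLEDGE,
    "card_present": POSSESSION,
    "device_otp": POSSESSION,
    "fingerprint": INHERENCE,
    "face": INHERENCE,
}


@dataclass(frozen=True)
class Evidence:
    kind: str       # key of EVIDENCE_CATEGORY
    verified: bool  # was this element actually validated by the issuer?


def categories_satisfied(evidence: list[Evidence]) -> set[str]:
    """Return the distinct factor categories backed by verified evidence.

    Several elements of the same category collapse into one entry, which is
    exactly why two passwords are not "two factors".
    """
    cats: set[str] = set()
    for e in evidence:
        if not e.verified:
            continue  # an unverified element contributes nothing
        cat = EVIDENCE_CATEGORY.get(e.kind)
        if cat is None:
            raise ValueError(f"unknown evidence kind: {e.kind}")
        cats.add(cat)
    return cats


def sca_satisfied(evidence: list[Evidence]) -> bool:
    """PSD2 SCA: at least two of the three categories must be present."""
    return len(categories_satisfied(evidence)) >= 2


if __name__ == "__main__":
    # Constructed scenarios: password + device OTP passes, password + PIN does not.
    print(sca_satisfied([Evidence("password", True), Evidence("device_otp", True)]))
    print(sca_satisfied([Evidence("password", True), Evidence("pin", True)]))
```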

3. Creation of new regulated entities

PSD2 includes two new types of entity within its remit: Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs).

PISPs are firms that initiate payments from a user's bank account, with the user's consent.

PISPs don't hold funds. They're an authorized intermediary that routes payments through an open banking API. Think of them as a courier. Their job is to relay your payment instructions to the recipient, without ever knowing the detail of those instructions or handling the money.

AISPs are financial dashboards. They gather the financial data a consumer has given them access to via API and present it in ways that make it easier for the consumer to budget, save, and manage their money.

4. Enhanced consumer rights

PSD2 strengthened consumer protection in four key ways:

  • The right to a no-questions-asked refund, up to 8 weeks after a direct debit payment
  • Price transparency: payment services providers must give consumers a breakdown of all their fees and charges
  • A ban on credit card and debit card surcharges, online and in store
  • If there's an unauthorized payment, the consumer can only be out of pocket up to €50, unless the bank can prove the consumer acted fraudulently or with gross negligence

If consumers are resident in the EU, these rules apply even where the firm is based outside the EU.

5. Enhanced data security

PSD2 tightened data handling and sharing rules significantly.

In particular, firms can only access, use, or share the data a customer has explicitly given them permission to access, use, or share, and only for the specific purposes the consumer has consented to.

Firms must also collect the minimum necessary for them to provide the service.

There are also strict rules around encryption and authentication, including minimum technical standards for APIs.

Again, these rules apply even when only one party (consumer or service provider) is in the EU.

Interesting facts

  • PSD2's two flagship measures — strong customer authentication and open banking — both proved controversial.

    Concerns about strong customer authentication revolved mainly around increased friction at the checkout and its potential impact on cart abandonment.

    In Germany, strong customer authentication slashed conversions by half when it was first introduced, but it also cut fraud dramatically. A joint report by the European Central Bank and the European Banking Authority found that, in 2023, only 0.015% of card payments were fraudulent.

    Open banking, meanwhile, was famously called a failure by then Starling Bank CEO Anne Boden. It's now one of the fastest-growing fintech sectors, with open banking payments expected to account for 10% of all payments across the EU by the end of 2025.

  • Despite coming into force in 2018, PSD2 still hasn't been implemented uniformly across the EU, mainly because of its technical complexity, industry readiness, and the Covid-19 pandemic.

    As of 2025, the quality of APIs and open banking technology remains variable, with some countries lagging significantly behind. The major sticking point is fallback mechanisms: the process by which third parties can access consumer data if APIs go down or fail.

  • Because of the persistent technical difficulties and variable service quality, the EU is working on a revised directive — PSD3 — and a regulation. Unlike Directives, which EU member states must incorporate into local law, regulations have direct effect. That is, they apply automatically as soon as they enter into force. PSD3 is expected to take effect in late 2025 or 2026.

Further reading