What is the Payment Services Directive?

The Payment Services Directive is EU legislation (retained in UK law) that regulates payment services, payment service providers, and electronic money institutions to ensure security, competition, and consumer protection.

What Is the Payment Services Directive?

The Payment Services Directive, commonly known as PSD, is a piece of European Union legislation that sets out the rules for how payment services operate across Europe. The original directive (PSD1) was introduced in 2007, and it was significantly updated in 2018 with PSD2, which is the version most people refer to today. In the UK, although the country has left the EU, the core principles of PSD2 were retained in domestic law through the Payment Services Regulations 2017 and subsequent amendments.

Think of it as the rulebook for the payments industry. It covers everything from who is allowed to provide payment services, to how those providers must protect their customers, to what rights consumers have when something goes wrong with a payment. If you run a business that takes payments in any form -- card payments, bank transfers, direct debits, or phone payments -- the Payment Services Directive shapes the regulatory environment you operate in.

Why Was It Created?

Before PSD1, payment services across Europe were regulated differently in every country. A payment provider authorised in Germany might operate under completely different rules than one in France. This made it difficult for businesses to offer payment services across borders and created inconsistencies in consumer protection.

The original directive harmonised these rules, creating a single legal framework. PSD2 went further by addressing new challenges that had emerged since 2007 -- particularly the rise of online payments, the growth of fintech companies, and the need for stronger security measures to combat fraud.

What PSD2 Covers

PSD2 is a thorough piece of legislation, but its key provisions fall into several main areas:

Authorisation and Licensing

Any organisation that wants to provide payment services must be authorised by the relevant national regulator. In the UK, that is the Financial Conduct Authority (FCA). This applies to banks, electronic money institutions, payment institutions, and newer types of providers like account information service providers (AISPs) and payment initiation service providers (PISPs). The authorisation process ensures that providers meet minimum standards for capital, governance, and operational resilience.

Strong Customer Authentication (SCA)

One of the most significant changes PSD2 introduced was the requirement for Strong Customer Authentication. SCA requires that electronic payments are authenticated using at least two of three factors: something the customer knows (like a password or PIN), something the customer has (like a phone or card reader), and something the customer is (like a fingerprint or face scan). This has had a major impact on online payments, where customers now routinely encounter two-factor authentication prompts when making purchases.

Consumer Protection

PSD2 strengthened consumer rights in several ways. It limits the liability of consumers for unauthorised payments to a maximum of 50 euros (or the sterling equivalent in the UK). It requires payment providers to process refund requests promptly. And it gives consumers the right to complain to the regulator or an ombudsman if they are not satisfied with how a payment provider handles a dispute.

Open Banking

PSD2 introduced the concept of open banking, which requires banks to share customer account data (with the customer's consent) with authorised third-party providers. This has enabled a wave of new financial services, from budgeting apps that aggregate data from multiple bank accounts to payment initiation services that let customers pay directly from their bank account without using a card.

Transparency and Fees

The directive requires payment providers to be transparent about their fees and charges. Customers must be clearly informed about any costs before they authorise a payment. It also restricts surcharging -- businesses in the European Economic Area are generally prohibited from charging extra for payments made by consumer debit or credit cards.

How It Works in Practice

For most businesses, PSD2 shows up in everyday operations in a few key ways. When a customer makes an online card payment and is asked to approve the transaction through their banking app, that is SCA in action. When a business signs up with a payment processor, that processor needs to be authorised under PSD2 (or the UK equivalent). When a customer disputes a transaction and the payment provider processes the refund within a set timeframe, that is PSD2's consumer protection rules at work.

The directive also affects how businesses choose and work with their payment partners. Because PSD2 sets minimum standards for security, governance, and consumer protection, businesses can have a reasonable level of confidence that any authorised payment provider meets those standards. But it also means businesses need to ensure their own processes -- from how they capture payment data to how they handle disputes -- align with the regulatory framework.

Relevance to Telephone and Phone Payments

Phone payments occupy a unique position under PSD2. The Strong Customer Authentication requirements were primarily designed with online and electronic payments in mind, and certain exemptions apply to phone payments. Mail Order / Telephone Order (MOTO) transactions -- where a customer provides their card details over the phone to an agent -- are generally exempt from SCA because the transaction is initiated by the cardholder through a voice channel rather than an electronic one.

However, this exemption does not mean phone payments are unregulated. The broader consumer protection and transparency requirements of PSD2 still apply. Customers who pay by phone have the same rights regarding unauthorised transactions, refunds, and complaints as those who pay online. And the security of phone payment data is still governed by PCI DSS, even if SCA is not required.

This creates an interesting dynamic. On one hand, phone payments can offer a smoother customer experience because there is no SCA friction. On the other hand, businesses need to ensure they are not creating security gaps by relying on a channel that lacks the additional authentication layer. Using secure phone payment technology -- where card data is captured via the customer's keypad rather than spoken aloud to an agent -- helps address this by keeping sensitive data out of the voice channel entirely.

PSD2 and the UK Post-Brexit

Since Brexit, the UK has retained PSD2's core provisions but is free to diverge from future EU updates. The FCA has signalled its intention to review and potentially reform UK payment services regulation, possibly consolidating PSD2 with other related rules into a more simplified framework. For now, UK businesses should continue to operate on the basis that PSD2's requirements apply, while keeping an eye on any forthcoming regulatory changes.

Practical Considerations for Businesses

  • Ensure your payment provider is properly authorised by the FCA or the relevant European regulator
  • Understand how SCA applies to your payment channels -- and where exemptions like MOTO apply
  • Review your consumer-facing communications to ensure they comply with PSD2's transparency requirements
  • Have clear processes in place for handling payment disputes and refund requests within the required timeframes
  • If you use third-party payment services, confirm they are PSD2-compliant and understand how liability is shared
  • Stay informed about upcoming changes to UK payment services regulation, as the landscape is likely to evolve in the coming years

The Payment Services Directive may sound like dry regulation, but it has fundamentally shaped how payments work across the UK and Europe. Whether you are taking payments online, in store, or over the phone, understanding PSD2 helps you make better decisions about your payment infrastructure, protect your customers, and stay on the right side of the regulator.

How Paytia Uses This

Paytia's platform supports businesses across multiple payment channels. For phone payments specifically, Paytia's secure platform complements the Payment Services Directive by covering the voice channel where customers prefer to pay by phone.

Frequently Asked Questions

How does the Payment Services Directive work with phone payments?

While the Payment Services Directive primarily operates in other channels, businesses that also take phone payments can use Paytia to cover the voice channel securely.

Is the Payment Services Directive PCI DSS compliant?

Any payment method that handles card data must comply with PCI DSS. The specific requirements depend on how the data is captured, transmitted, and stored.
