What is PSD2? EU Payment Services Directive | Paytia
PSD2 is the EU directive (retained in UK law after Brexit) that introduced Strong Customer Authentication, opened up bank account data to licensed third parties, and rewrote the consumer protection rules for electronic payments. Member states had to apply it from January 2018, the authentication rules followed in September 2019, and it is the reason you now approve online card purchases in your banking app.
What Is PSD2?
PSD2 is the Payment Services Directive 2. It's EU legislation that member states had to apply from January 2018, replacing the original Payment Services Directive from 2007. In the UK, PSD2 was transposed into domestic law before Brexit, and its core rules still apply under the Payment Services Regulations 2017 and related FCA guidance.
At heart, PSD2 does three things: it makes payments safer, it forces more competition into financial services, and it gives consumers more control over their financial data. It does that by introducing strict authentication requirements, opening up access to payment account data, and setting clear rules for how payment service providers operate.
If you accept card payments — online, in person, or on the phone — PSD2 affects how those payments are authenticated and processed. It's not optional. It's a regulatory requirement with real consequences if you ignore it.
The Problem PSD2 Was Designed to Solve
Before PSD2, European payments were a patchwork. Every country had its own rules, and there was no consistent standard for online payment security. Card-not-present fraud was climbing year on year, and consumers had limited rights to share their financial data with services that might give them a better deal or a more convenient way to manage money.
PSD1 had opened up the market to some extent, but it was written before smartphones, banking apps, and the fintech wave. PSD2 was the EU's answer to a payments landscape that had changed beyond recognition since 2007.
Strong Customer Authentication (SCA)
The biggest single change PSD2 brought in is Strong Customer Authentication (SCA). Electronic payments now have to be verified using two or more independent elements drawn from at least two of the following three categories (independent meaning that compromising one does not compromise the other):
- Something the customer knows — a password, PIN, or security answer
- Something the customer has — a mobile, hardware token, or smart card
- Something the customer is — a fingerprint, face scan, or other biometric
This is two-factor authentication, and you've used it whenever your banking app has asked you to approve a payment after you entered card details on a website. For remote payments PSD2 goes a step further than an ordinary login: the authentication code has to be dynamically linked to the specific amount and payee, so the approval is valid for that payment and nothing else. The logic is straightforward: even if a fraudster has your card number, they can't complete a transaction without also having your phone or your fingerprint, and they can't reuse an approval you gave for a different amount or a different merchant.
SCA applies to customer-initiated electronic payments where both the payer's and the payee's providers are in the European Economic Area or the UK (where one side is outside, providers need only make best efforts). It covers online card payments, online bank transfers, and contactless card payments above the exemption limits. There are exemptions: low-value transactions (under EUR 30, or GBP 30 in the UK, subject to cumulative limits), recurring payments of a fixed amount to the same payee after the first one, payees the customer has whitelisted as trusted beneficiaries, and transactions a provider's risk engine assesses as low-risk within the permitted fraud-rate thresholds. The default position is still that SCA is required, and the issuing bank has the final say on whether an exemption is applied.
Open Banking and Third-Party Access
PSD2 also brought in open banking. Banks now have to give authorised third-party providers access to customer account data, with the customer's explicit consent, through dedicated interfaces (in practice, APIs). That created two new types of regulated entity:
- Account Information Service Providers (AISPs) — companies that can read and aggregate a customer's bank account data, so an app can show all your accounts from different banks in one place
- Payment Initiation Service Providers (PISPs) — companies that can initiate payments directly from a customer's bank account, skipping the card networks entirely
This part of PSD2 is less directly relevant to taking phone payments, but it's worth understanding because it shows where payments regulation is heading: more transparency, more competition, more consumer choice.
How PSD2 Affects Telephone Payments
Phone payments sit in an interesting place under PSD2. When a customer rings up and gives card details on a call, that's a mail order/telephone order (MOTO) transaction. Under the current rules MOTO transactions are outside the scope of SCA, because they are not initiated "electronically" as PSD2 defines the term, so in practice they are treated as exempt.
That means you don't have to implement 3D Secure or other SCA mechanisms for phone-paid transactions. But the exemption doesn't reduce the need for security. If anything, it raises the bar on every other control, because MOTO transactions don't have the built-in authentication layer that SCA gives online payments.
Crucially, the MOTO exemption from SCA doesn't exempt you from PCI DSS, from protecting card data, or from fraud-prevention obligations. It just means the two-factor authentication step isn't required at the point of payment.
Consumer Protections Under PSD2
PSD2 strengthened consumer rights in several ways. Liability for unauthorised transactions sits more squarely on payment service providers, who must refund an unauthorised payment by the end of the following business day unless they have reasonable grounds to suspect fraud. The maximum a consumer can be made to bear for an unauthorised payment made with a lost or stolen card was cut from EUR 150 to EUR 50 (GBP 35 in the UK), and drops to zero where the provider did not require SCA, unless the customer acted fraudulently. Surcharging (adding a fee for paying by card) was banned for consumer debit and credit cards in the EU and UK.
For businesses, the upshot is that the cost of fraudulent transactions increasingly falls on you or your payment provider rather than on the consumer. That makes fraud prevention not just a compliance question but a direct financial one.
Practical Considerations for Businesses
If your business takes card payments, here's what PSD2 means in practice:
- Online payments will usually need SCA, which means implementing 3D Secure 2 (3DS2) through your payment gateway. Your gateway should handle most of the technical work, but you need a checkout flow that can accommodate the extra authentication step
- Phone payments are exempt from SCA but still need full PCI DSS compliance. Using a solution that keeps card data out of your environment — like DTMF masking — is the cleanest way to manage that
- Recurring payments need SCA when the series is set up; later payments of the same amount to the same payee are exempt. Where the amount varies (usage-based billing, for example), the later payments are merchant-initiated transactions, which fall outside SCA provided the mandate was set up with SCA and the customer has agreed to it
- Refunds of unauthorised payments must reach the customer by the end of the next business day, and chargeback rules (set by the card schemes rather than by PSD2) have also moved in the consumer's favour, so your dispute and refund processes need to be solid
PSD2 and PCI DSS — How They Relate
PSD2 and PCI DSS are separate frameworks, but they work together. PSD2 is legislation about how payments must be authenticated and who carries the loss when they go wrong. PCI DSS is a card-industry standard about how card data must be protected. Being PCI DSS compliant doesn't make you PSD2 compliant, and vice versa. You need to address both. Both are designed to cut fraud and protect consumers.
Think of PSD2 as the rules about proving who you are before a payment goes through, and PCI DSS as the rules about keeping card details safe while the payment is being processed. Two pillars of modern payment security.
What Happens If You Don't Comply
Non-compliance with PSD2 can mean payments getting declined by card issuers, regulatory action from the FCA or the equivalent national authority, and financial penalties. The more practical risk: if your online checkout doesn't support SCA when it should, more and more of your transactions will simply fail because the issuing bank rejects them. That's a direct revenue hit.
For phone payments, SCA doesn't apply, but failing to secure card data properly will land you in PCI DSS trouble, which means fines, higher transaction fees, and in serious cases losing your ability to accept cards at all.
Paytia's PCI DSS Level 1 certified platform is built with PSD2 in mind as part of its wider security approach. By processing phone payments through DTMF suppression, Paytia keeps card data out of the contact centre at every stage.
Frequently Asked Questions
What is PSD2?
PSD2 is the EU Payment Services Directive 2, retained in UK law after Brexit. It governs how payment services work and brought in Strong Customer Authentication, open banking access for licensed third parties, and tougher consumer protection rules.
Why is PSD2 important for PCI DSS?
PSD2 and PCI DSS are separate frameworks, but they sit alongside each other. PSD2 tells you how payments must be authenticated. PCI DSS tells you how card data must be protected. Online card payments usually need both — SCA for the authentication step and PCI DSS for everything that happens to the card details.
How does Paytia handle PSD2?
Phone payments are MOTO transactions, which are exempt from PSD2's Strong Customer Authentication requirement. We focus on the PCI DSS side — keeping card data out of your contact centre via DTMF suppression — and our Level 1 certified infrastructure means the secure-capture side of the call is handled by us, not by you.