What is PSD2? EU Payment Services Directive | Paytia
The Payment Services Directive 2 (PSD2) is an EU regulation (retained in UK law) that governs payment services, introducing Strong Customer Authentication, open banking requirements, and enhanced consumer protections.
What Is PSD2?
PSD2 stands for the Payment Services Directive 2. It is a piece of European Union legislation that came into effect in January 2018, replacing the original Payment Services Directive from 2007. In the UK, PSD2 was transposed into domestic law before Brexit, and its core principles continue to apply under the Payment Services Regulations 2017 and related Financial Conduct Authority (FCA) guidance.
At its heart, PSD2 exists to do three things: make payments safer, encourage competition in financial services, and give consumers more control over their financial data. It does this by introducing strict authentication requirements, opening up access to payment account data, and setting clear rules for how payment service providers must operate.
If you accept card payments -- whether online, in person, or over the telephone -- PSD2 affects how those payments are authenticated and processed. Understanding it is not optional; it is a regulatory requirement that carries real consequences for businesses that fail to comply.
The Problem PSD2 Was Designed to Solve
Before PSD2, the European payments landscape was fragmented. Each country had its own rules, and there was no consistent standard for how online payments should be secured. Fraud rates for card-not-present transactions were climbing year on year, and consumers had limited ability to share their financial data with services that might offer them better deals or more convenient ways to manage their money.
The original PSD1 had opened up the market to some extent, but it was written before smartphones, mobile banking apps, and fintech companies had transformed the industry. PSD2 was the EU's answer to a payments world that had changed beyond recognition since 2007.
Strong Customer Authentication (SCA)
The single most important change PSD2 introduced is Strong Customer Authentication, commonly referred to as SCA. This is the requirement that electronic payments must be verified using at least two of the following three factors:
- Something the customer knows -- a password, PIN, or security question answer
- Something the customer has -- a mobile phone, hardware token, or smart card
- Something the customer is -- a fingerprint, facial recognition, or other biometric
This is often described as two-factor authentication, and you will have encountered it if you have ever been asked to approve a payment through your banking app after entering your card details on a website. The idea is straightforward: even if a fraudster has your card number, they cannot complete a transaction without also having access to your phone or biometric data.
SCA applies to customer-initiated electronic payments within the European Economic Area and the UK. It affects online card payments, bank transfers, and certain contactless transactions. There are exemptions -- for low-value transactions, recurring payments, trusted beneficiaries, and transactions that the merchant's payment provider assesses as low risk -- but the default position is that SCA is required.
Open Banking and Third-Party Access
PSD2 also introduced the concept of open banking, which requires banks to share customer account data (with the customer's explicit consent) with authorised third-party providers. This created two new types of regulated entity:
- Account Information Service Providers (AISPs) -- companies that can access and aggregate a customer's bank account information, for example to show all their accounts from different banks in a single app
- Payment Initiation Service Providers (PISPs) -- companies that can initiate payments directly from a customer's bank account, bypassing the card networks entirely
This part of PSD2 is less directly relevant to businesses taking telephone payments, but it is worth understanding because it reflects the broader direction of travel in payments regulation: more transparency, more competition, and more consumer choice.
How PSD2 Affects Telephone Payments
Telephone payments occupy an interesting position under PSD2. When a customer calls a business and gives their card details over the phone, this is classified as a mail order/telephone order (MOTO) transaction. Under the current rules, MOTO transactions are exempt from the SCA requirement because they are not considered "electronic" payments in the way that PSD2 defines the term.
This means that businesses taking payments over the phone do not need to implement 3D Secure or other SCA mechanisms for those specific transactions. However, this exemption does not reduce the need for security. If anything, it increases the importance of other protective measures because MOTO transactions lack the built-in authentication layer that SCA provides for online payments.
Businesses that rely on telephone payments should be aware that the MOTO exemption from SCA does not exempt them from PCI DSS compliance, from protecting cardholder data, or from implementing fraud prevention measures. The exemption simply means that the specific two-factor authentication step is not required at the point of payment.
Consumer Protections Under PSD2
PSD2 also strengthened consumer rights in several important ways. Liability for unauthorised transactions shifted more firmly onto payment service providers. The maximum amount a consumer can lose from an unauthorised payment before the provider steps in was reduced. Surcharging -- where merchants add a fee for paying by card -- was banned for consumer debit and credit cards in the EU and UK.
For businesses, this means that the cost of fraudulent transactions increasingly falls on you or your payment provider rather than on the consumer. This makes fraud prevention not just a compliance matter but a direct financial concern.
Practical Considerations for Businesses
If your business takes card payments, here is what PSD2 means in practical terms:
- Online payments will usually require SCA, which means implementing 3D Secure 2 (3DS2) through your payment gateway. Your payment provider should handle most of the technical complexity, but you need to ensure your checkout flow accommodates the additional authentication step.
- Telephone payments are exempt from SCA but still require full PCI DSS compliance. Using a solution that removes card data from your environment -- such as DTMF masking -- is one of the most straightforward ways to manage this.
- Recurring payments require SCA for the first transaction but can use exemptions for subsequent payments, provided the amount does not change and the customer has given consent.
- Refunds and chargebacks are subject to tighter timelines and consumer-friendly rules, so your processes need to be robust.
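To make the factor rule from the Strong Customer Authentication section and the exemption points listed above concrete, here is an added Python illustration (not Paytia's code and not an official decision tree): it checks that two distinct factor categories were actually used, then walks a transaction through the MOTO, recurring, trusted-beneficiary, low-value and risk-analysis exemptions the page describes. The method names, field names and the low-value threshold are assumptions; real thresholds come from the regulatory technical standards.

```python
from dataclasses import dataclass
from enum import Enum

class Factor(Enum):
    KNOWLEDGE = "knows"    # password, PIN, security question answer
    POSSESSION = "has"     # phone, hardware token, smart card
    INHERENCE = "is"       # fingerprint, face, other biometric

# Constructed mapping of authentication methods to their factor category.
FACTOR_OF = {
    "password": Factor.KNOWLEDGE, "pin": Factor.KNOWLEDGE, "security_question": Factor.KNOWLEDGE,
    "phone_app": Factor.POSSESSION, "hardware_token": Factor.POSSESSION, "smart_card": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE, "face": Factor.INHERENCE,
}

def satisfies_sca(methods):
    # Two methods from the same category (password + security question) are NOT two factors.
    return len({FACTOR_OF[m] for m in methods}) >= 2

class Channel(Enum):
    ONLINE = "online"
    MOTO = "moto"              # mail order / telephone order
    CONTACTLESS = "contactless"

@dataclass
class Transaction:
    channel: Channel
    amount: float
    recurring: bool = False
    first_in_series: bool = False
    amount_changed: bool = False
    trusted_beneficiary: bool = False
    psp_low_risk: bool = False   # outcome of the PSP's transaction risk analysis

LOW_VALUE_LIMIT = 30.0  # ASSUMED placeholder; take the real figure from the RTS

def sca_required(tx):
    """Return (required, reason) applying the exemptions the page lists, in order."""
    if tx.channel is Channel.MOTO:
        return False, "MOTO: not an electronic payment under PSD2; PCI DSS still applies"
    if tx.recurring:
        if tx.first_in_series or tx.amount_changed:
            return True, "recurring: first payment or changed amount needs SCA"
        return False, "recurring: fixed-amount follow-on payment exempt"
    if tx.trusted_beneficiary:
        return False, "exempt: trusted beneficiary"
    if tx.amount <= LOW_VALUE_LIMIT:
        return False, "exempt: low value"
    if tx.psp_low_risk:
        return False, "exempt: PSP transaction risk analysis"
    return True, "default: SCA required (e.g. a 3DS2 challenge)"
```

The reason string is what a checkout or call-centre flow would log, so an audit can show why a given payment was or was not challenged.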
PSD2 and PCI DSS -- How They Relate
PSD2 and PCI DSS are separate frameworks, but they complement each other. PSD2 is a legal regulation governing how payments must be authenticated. PCI DSS is an industry standard governing how card data must be protected. A business that is PCI DSS compliant is not automatically PSD2 compliant, and vice versa. Both need to be addressed, and both are designed to reduce fraud and protect consumers.
Think of PSD2 as the rules about proving who you are before a payment goes through, and PCI DSS as the rules about keeping your card details safe once the payment is being processed. Together, they form two pillars of modern payment security.
What Happens If You Do Not Comply
Non-compliance with PSD2 can result in payment transactions being declined by card issuers, regulatory action from the FCA or equivalent national authority, and financial penalties. More practically, if your online payment flow does not support SCA when it should, a growing proportion of your transactions will simply fail because the issuing bank will reject them. This directly impacts your revenue and customer experience.
For telephone payments, while SCA does not apply, failing to secure cardholder data properly can lead to PCI DSS non-compliance penalties, which include fines, increased transaction fees, and potential loss of your ability to accept card payments altogether.
Paytia's PCI DSS Level 1 certified platform incorporates PSD2 as part of its comprehensive security approach. By processing phone payments through DTMF suppression, Paytia ensures card data is protected at every stage.
Frequently Asked Questions
What is PSD2?
The Payment Services Directive 2 (PSD2) is an EU regulation (retained in UK law) that governs payment services, introducing Strong Customer Authentication, open banking requirements, and enhanced consumer protections.
Why is PSD2 important for PCI DSS?
PCI DSS requires organisations to implement PSD2 as part of their security controls for protecting cardholder data.
How does Paytia handle PSD2?
Paytia implements PSD2 as part of its PCI DSS Level 1 certified infrastructure, ensuring all phone payments are processed securely.