PSD2 and the security requirements and goals for complying with its regulations.

What is PSD2?

PSD2 Explained

PSD2 refers to the second European Payment Services Directive, which was published in 2015. Its main goals are to improve customer protection during payment transactions and to promote business innovation.

This provides great opportunities for merchants and fintechs to offer enhanced and convenient solutions for customers, but it also imposes some strict security requirements, which we summarize here.

Banks Provide Open Payment Services

For banks, the biggest consequence of PSD2 is that they must open up their payment services to other businesses:

  • Banks: act as 'Account Servicing Payment Service Providers' (ASPSPs) and host API endpoints
  • Merchants and Fintechs: act as 'Third Party Providers' (TPPs) by supplying apps that call the above APIs
  • Consumers: act as 'Payment Service Users' (PSUs) and use apps that access their bank accounts

PSD2: Banks need to open up payment services to other businesses

Strong Customer Authentication

When logging onto apps that make payment transactions, Strong Customer Authentication (SCA) must be used, in order to prevent an attacker from stealing the identity of a genuine user.

Payment data is very high value, so the SCA requirement is usually met by authenticating with multiple factors (MFA), which provides a high Level of Assurance (LoA).

User Consent

When making a payment, PSD2 requires the user to be informed of the amount and the recipient. This is usually managed by showing a consent screen to the user, then recording the agreement in a non-repudiable and digitally verifiable manner:

PSD2 and user consent

Centralized Trust

Merchants have to be approved before they are allowed to onboard and call bank APIs. In Europe this is managed by a central authority, eIDAS, whose role is to vet companies and assign or revoke trust.

Secure API Authentication

eIDAS issues companies with client certificates to be used as API credentials, and bank APIs trust only these certificates. This provides strong B2B security over a mutual TLS channel, so that the overall authentication solution looks like this:

PSD2 and secure API authentication
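The bank side of that channel, as an added Go example that is not from the original article or from Curity: a throwaway self-signed CA stands in for the eIDAS trust anchor, and the TLS server's VerifyPeerCertificate hook admits a TPP's client certificate only if it chains to that anchor and its subject names a company that has completed onboarding, which is the gate the Centralized Trust section describes. The `issue` and `admitTPP` helpers, the certificate names and the onboarding map are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issue mints a short-lived P-256 certificate for name: a self-signed CA when issuer is nil
// (a constructed stand-in for the eIDAS trust anchor), otherwise a client-auth leaf signed by issuer.
func issue(name string, issuer *tls.Certificate) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: name}, IsCA: issuer == nil,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	parent, signer := tmpl, any(key) // self-signed unless an issuer is given
	if issuer != nil {
		parent, signer = issuer.Leaf, issuer.PrivateKey
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// admitTPP builds the VerifyPeerCertificate hook for the bank API's tls.Config (paired with ClientAuth:
// tls.RequireAnyClientCert, so TLS guarantees a certificate is present): chain to trustAnchor, then onboarding.
func admitTPP(trustAnchor tls.Certificate, onboarded map[string]bool) func([][]byte, [][]*x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustAnchor.Leaf) // the only issuer whose client certificates are accepted
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		leaf, err := x509.ParseCertificate(rawCerts[0]) // leaf first; intermediates, if any, belong in opts.Intermediates
		if err != nil {
			return err
		}
		if _, err = leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
			return err
		}
		if !onboarded[leaf.Subject.CommonName] { // trusted issuer, but this company has not been approved
			return errors.New("tpp not onboarded: " + leaf.Subject.CommonName)
		}
		return nil
	}
}
```

Wiring it in means `&tls.Config{Certificates: bankCerts, ClientAuth: tls.RequireAnyClientCert, VerifyPeerCertificate: admitTPP(anchor, onboarded)}` on the listener; a certificate from any other CA, or from an approved CA for a company that is not onboarded, fails the handshake before any API code runs.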

Enabling Business Innovation

A key PSD2 requirement is that once approval from eIDAS is granted and the technical implementation is completed, businesses can connect immediately. This requires a secure, automated enrollment process with no manual human steps.

Conclusion

The PSD2 directive opens up great possibilities for both banks and software-producing companies, and this approach will expand to a global scale over time.

Solutions require financial-grade security, however, and the Open Banking article provides further details on how to get started on a solution.
