An overview of PSD2, and of the security requirements and goals involved in complying with its regulations.

What is PSD2, and How Does it Work?


PSD2 Explained

The Revised Payment Services Directive (PSD2), introduced by the European Commission in 2015, helped to modernize the financial ecosystem across the European Union and European Economic Area. The main goals of the directive are to improve customer protection during payment transactions, increase consumer choice and promote business innovation.

PSD2 provides great opportunities for merchants and fintechs to offer enhanced and convenient solutions for customers, but also has some strict security requirements that we will summarize here.

Open Payment Services in Europe

The biggest consequence of PSD2 is that banks must open up their payment services to other businesses:

  • Banks: act as 'Account Servicing Payment Service Providers' (ASPSPs) and host API endpoints
  • Merchants and Fintechs: act as 'Third Party Providers' (TPPs) by supplying apps that call the above APIs
  • Consumers: act as 'Payment Service Users' (PSUs) and use apps that access their bank accounts

Merchants act as Payment Initiation Service (PIS) providers, initiating payments on behalf of users. Some fintechs act as Account Information Service (AIS) providers, aggregating a user's financial data from multiple banks.

The PSD2 design lets consumers use merchant applications that integrate directly with their own bank account(s) to initiate payments.

PSD2: Banks need to open up payment services to other businesses

Strong Customer Authentication

To protect users and high-value payment data, PSD2 enforces Strong Customer Authentication (SCA), with multiple factors, to provide a high Level of Assurance (LoA) that the correct user is present, without the need to disclose credit card information.

These layered security measures help prevent fraud, ensure safe credit transfers, and build trust in online financial services.

User Consent and Transparency

User consent is mandatory in PSD2. When a merchant service initiates a payment transaction, the bank must ask the user to consent to the payment amount and the recipient. This consent must be digitally verifiable, to prevent tampering, and stored so that the transaction is non-repudiable after the event.

PSD2 and user consent
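As an added illustration, not code from the original article or from Curity, the following Go program shows one way a bank could make a stored consent record digitally verifiable and tamper-evident, as the section above requires: the record is serialized canonically and signed right after SCA completes, and verification re-derives the signed bytes from the stored record so any later change to the amount or recipient is detected. The field names, the sample values, the choice of Ed25519 and the assumption that the bank holds the signing key are all assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Consent is the bank's record of a PSU approving a TPP-initiated payment (field names are assumptions for this example, not a PSD2 wire format).
type Consent struct {
	PSU        string `json:"psu"`         // user authenticated by SCA
	TPP        string `json:"tpp"`         // merchant or fintech that initiated the payment
	Payee      string `json:"payee"`       // recipient shown to the user
	Amount     string `json:"amount"`      // decimal string, so rounding never alters the signed bytes
	Currency   string `json:"currency"`
	ApprovedAt string `json:"approved_at"` // RFC 3339 time of approval
}

// canonical gives the signed bytes: encoding/json writes struct fields in declaration order with no whitespace, so equal records give equal bytes.
func canonical(c Consent) []byte {
	b, _ := json.Marshal(c) // cannot fail for a struct of strings
	return b
}

// SignConsent runs at the bank right after SCA succeeds; the signature is stored with the record.
func SignConsent(key ed25519.PrivateKey, c Consent) []byte {
	return ed25519.Sign(key, canonical(c))
}

// VerifyConsent re-derives the signed bytes from the stored record, so any edited field fails.
func VerifyConsent(pub ed25519.PublicKey, c Consent, sig []byte) bool {
	return ed25519.Verify(pub, canonical(c), sig)
}

// TamperCheck signs a constructed consent, then verifies both the original and a copy whose amount was changed after signing.
func TamperCheck() (originalOK, tamperedOK bool, err error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	c := Consent{PSU: "psu-42", TPP: "merchant-example", Payee: "example-payee-iban",
		Amount: "49.90", Currency: "EUR", ApprovedAt: "2024-01-15T10:30:00Z"} // constructed sample
	sig := SignConsent(key, c)
	tampered := c
	tampered.Amount = "4990.00" // altered after the user approved 49.90
	return VerifyConsent(pub, c, sig), VerifyConsent(pub, tampered, sig), nil
}

func main() { fmt.Println(TamperCheck()) } // prints: true false <nil>
```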

Trust and Regulatory Oversight

Merchants have to be approved before they are allowed to onboard and call bank APIs. In Europe this is managed by a central authority, eIDAS, whose role is to vet companies and assign or revoke trust.

Secure API Authentication

eIDAS issues companies client certificates to be used as API credentials, and bank APIs trust only these certificates. This provides strong B2B security over a Mutual TLS channel, so that the overall security solution combines strong customer authentication with financial-grade API access.

PSD2 and secure API authentication

Zero Delay Onboarding

A key part of the PSD2 design is automated onboarding without manual steps. After approval by an authority like eIDAS, a merchant or fintech can immediately integrate with banks. PSD2 therefore provides a secure open ecosystem.

Conclusion

The PSD2 directive has had a significant impact on the digital payments environment in the EU and EEA. By enforcing openness, robust security, and transparency, it paves the way for a modern, competitive financial services landscape.

Solutions require financial-grade security, however, and the Open Banking article provides further details on how to get started.


Gary Archer

Product Marketing Engineer at Curity
