
What is PSD2, and How Does it Work?
PSD2 Explained
The Revised Payment Services Directive (PSD2), introduced by the European Commission in 2015, helped to modernize the financial ecosystem across the European Union and European Economic Area. The main goals of the directive are to improve customer protection during payment transactions, increase consumer choice and promote business innovation.
PSD2 provides great opportunities for merchants and fintechs to offer enhanced and convenient solutions for customers, but also has some strict security requirements that we will summarize here.
Open Payment Services in Europe
The biggest consequence of PSD2 is that banks must open up their payment services to other businesses:
- Banks: act as 'Account Servicing Payment Service Providers' (ASPSPs) and host API endpoints
- Merchants and Fintechs: act as 'Third Party Providers' (TPPs) by supplying apps that call the above APIs
- Consumers: act as 'Payment Service Users' (PSUs) and use apps that access their bank accounts
Merchants act as Payment Initiation Service (PIS) providers that initiate payments on behalf of users. Some fintechs act as Account Information Service (AIS) providers that aggregate a user's financial data from multiple banks.
The PSD2 design empowers consumers to use merchant applications and integrate directly with consumer bank account(s) to initiate payments.
Strong Customer Authentication
To protect users and high-value payment data, PSD2 enforces Strong Customer Authentication (SCA), with multiple factors, to provide a high Level of Assurance (LoA) that the correct user is present, without the need to disclose credit card information. These layered security measures help prevent fraud, ensure safe credit transfers, and build trust in online financial services.
User Consent and Transparency
User consent is mandatory in PSD2. When a merchant service initiates a payment transaction, the bank must ask the user to consent to the payment amount and the recipient. This consent must be digitally verifiable, to prevent tampering, and stored so that the transaction is non-repudiable after the event.

Trust and Regulatory Oversight
Merchants have to be approved before they are allowed to onboard and call bank APIs. In Europe this is managed by a central authority, eIDAS, whose role is to vet companies and assign or revoke trust.
Secure API Authentication
eIDAS issues companies with client certificates to be used as API credentials, and only these certificates will be trusted by bank APIs. This provides strong B2B security via a Mutual TLS channel, so that the overall security solution combines strong customer authentication with financial-grade API access.
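As an added example (not code from the article or from Curity), the trust decision described above in Go, with all certificates constructed in-process: a hypothetical `issue` helper stands in for an eIDAS trust service provider, and `VerifyTPPCert` is the check a bank API applies to the client certificate presented over mutual TLS. The TLS handshake itself and revocation checking are outside the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a cert for cn signed by parent (self-signed when nil); hypothetical stand-in for an eIDAS trust service provider.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// VerifyTPPCert is the check a bank API (ASPSP) applies to the client certificate from the mutual TLS
// handshake: accept only a cert that chains to a trusted eIDAS root, is in its validity period and is marked for client auth.
func VerifyTPPCert(trusted *x509.CertPool, leaf *x509.Certificate) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// Demo verifies an approved TPP cert chained to the constructed root and one issued by an unrelated CA.
func Demo() (approved, unapproved error) {
	eidasCA, eidasKey := issue("Constructed eIDAS root", true, nil, nil)
	rogueCA, rogueKey := issue("Constructed untrusted CA", true, nil, nil)
	tpp, _ := issue("approved-tpp.example", false, eidasCA, eidasKey)
	fake, _ := issue("unapproved-tpp.example", false, rogueCA, rogueKey)
	trusted := x509.NewCertPool()
	trusted.AddCert(eidasCA)
	return VerifyTPPCert(trusted, tpp), VerifyTPPCert(trusted, fake)
}

func main() { fmt.Println(Demo()) }
```

In a real deployment the `trusted` pool holds only the eIDAS roots, and revoking a TPP's certificate is what removes its access without any change on the bank side.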
Zero Delay Onboarding
A key part of the PSD2 design is automated onboarding without manual steps. After approval by an authority like eIDAS, a merchant or fintech can immediately integrate with banks. PSD2 therefore provides a secure open ecosystem.
Conclusion
The PSD2 directive has had a significant impact on the digital payments environment in the EU and EEA. By enforcing openness, robust security, and transparency, it paves the way for a modern, competitive financial services landscape.
Solutions do require financial-grade security, however, and the Open Banking article provides further details on how to get started on a solution.

Gary Archer
Product Marketing Engineer at Curity