Frequently Asked Questions
What is PSD2?
The European Union’s (EU’s) second revision of the Payment Services Directive (PSD2) is a set of changes that regulates electronic payments throughout the EU.
The legislation’s key innovation is establishing a framework to make consumer banking data available—with consumer permission—to third parties such as retailers and financial technology companies. PSD2 allows non-banks (like retail merchants) to initiate payments without the intervention of traditional card brand networks.
In short, PSD2 creates a legislative framework that allows more ways to easily exchange payments more securely than ever before.
Why was PSD2 created?
PSD2 was established by the European Commission (EC) to stimulate competition, facilitate innovation, increase efficiency, enhance security and reduce fraud in the retail payment market. In essence PSD2 was created to help level the playing field and reduce the overall costs of payments to merchants and consumers.
The development of the original Payment Services Directive couldn’t possibly envision the revolutionary changes in payment technology in the decade since its enactment. PSD2 represents a coordinated response to a myriad of factors including:
- an explosive growth of financial technology companies
- dramatic global shifts by consumers toward eWallets
- the rise of alternative payment methods such as bank transfers
- elevated expectations for consumer privacy
Where does PSD2 apply?
PSD2 applies to any payment that begins, ends or even travels through the European Economic Area.
If you do business in Europe, PSD2 is relevant to your interests. If your business takes payments in person in the European Economic Area, PSD2 applies to you. If your business takes payments online from customers in the European Economic Area, PSD2 applies to you.
In the UK, the Financial Conduct Authority has proposed that both Secure Customer Authentication (SCA) and common and secure open standards of communication take effect on the same timeline as the EU even in the case of a no-deal Brexit.
Does PSD2 impose reporting or legal requirements?
PSD2 stipulates that payment service providers have transaction monitoring mechanisms in place to ensure compliance with the regulation’s core security requirement. Transaction monitoring requirements includes required parameters that were determined to be risk factors for fraud.
PSD2’s Article 3 creates a review mechanism for payment service providers. PSD2 indicates that all payment service providers “shall be documented, periodically tested, evaluated … by auditors with expertise in IT security and payments and operationally independent within or from the payment service provider.”
Who does PSD2 affect?
PSD2 impacts virtually everyone living or working in EU countries. If you are involved in the buying and selling of goods and services in the EU, P2D2 affects you. If you make a payment, receive payment, or are in any way involved in retail payments, P2D2 aims to make those processes transparent and safe.
Consumers, financial institutions, and the payments industry that binds them are all affected by PSD2. PSD2 legislation specifies rights and responsibilities for groups including third party payment service providers (TPPs), payment initiation service providers (PISPs), and aggregators and account information service providers (AISPs).
What does PSD2 mean for merchants?
PSD2 means a windfall of short and long-term benefits to merchants including a lower cost of payment acceptance, fast and direct access to funds, and an ecosystem where fraud is minimized.
PSD2 will benefit merchants by allowing them access to customer data previously only privy to financial institutions. Payment data offers insights into your shoppers’ transaction data. PSD2 will open doors to insights that allow merchants to craft simple payment experiences to reduce friction at checkout.
What does PSD2 mean for consumers?
In the short term PSD2 will offer consumers more information and transparency about their payments, making it easier to manage their finances. PSD2 will offer consumers greater choice and lower costs in payment services, including the elimination of payment surcharges.
PSD2 seeks to enhance the security of payments making consumers less vulnerable to fraud. Consumers will also enjoy enhanced security and more control over how—and with whom—their data will be shared. PSD2 also stipulates enhanced consumer protections on refunds and redress of grievances with merchants.
What does PSD2 mean for financial institutions?
PSD2 means that financial institutions will no longer enjoy a monopoly on payment transaction data. PSD2 is meant to stimulate competition and provide a level playing field to financial technology companies. Though financial institutions will face a wider array of competitors, PSD2 opens doors for financial institutions to innovate themselves.
Practically, issuing financial institutions will need to shift their orientation how transaction data is managed and shared—directly through APIs, managed via third-party services or some other platform solution. Financial institutions will need to create transparency for transaction data and take other steps to ensure adherence to other regulatory implications of the legislation.
What about PSD1?
The first Payment Services Directive (PSD1) set forth rights and obligations and established a common framework for payment services. The original directive replaced national payment rules for individual EU countries. PSD1 came into force in December 2007 and was in full effect from November 2009 to January 2018, when it was repealed and replaced in its entirety by PSD2.
When does PSD2 come into force?
Key events in the PSD2 timeline have recently past, while one remains on the horizon:
- 13 January 2018: The majority of PSD2 regulations took effect
- 13 March 2018: The Commission published PSD2 new security standards: the Final Regulatory Technical Standard (RTS) on Strong Customer Authentication (SCA) and Common and Secure Open Standards of Communication
- 14 September 2019: The newly published RTS and SCA regulations come into effect. (UPDATE: National Authorities may “provide limited additional time” for issuers, acquirers and merchants to get SCA ready, provided PSPs have an agreed migration plan.)
Are there exceptions to PSD2 regulations?
PSD2 stipulates exemptions to the Secure Customer Authentication (SCA) requirement for merchants in cases of:
- Trusted beneficiaries: merchants that are whitelisted by consumers
- Recurring transactions: regular payments to the same business, like subscriptions
- Low-value transactions of less than €30
- Low-risk transactions: payments that have been assessed as low-risk in real-time
Worldpay’s Exemption Engine for Strong Customer Authentication (SCA) helps merchants get an edge on PSD2 by reducing friction at checkout.
How can I best prepare my business for PSD2?
The best way to prepare your business for the implications of PSD2 is to consult with your trusted payment partner.
PSD2 poses tremendous opportunities for merchants. Becoming compliant is an important baseline— your payments partner can help. Beyond the requirements, PSD2 embodies changes in payment technology that open new doors for businesses to delight their customers.
Merchants are able to make better decisions driven by data insights and offer seamlessly elegant user experiences, all while reducing costs. To learn more about how your business can master PSD2. explore the additional resources below, and reach out to one of Worldpay’s payments experts.