PSD2: From Conversion to Compliance & Beyond

Mark Watson | September 6, 2024 | 16 min read

Revised Payment Services Directive PSD2

In a Nutshell

This article covers the Revised Payment Services Directive (PSD2), a regulation designed to improve the payments landscape within the EU by introducing several key changes and enhancements. We’ll offer an overview of what the law is, who is impacted, what were the ramifications after implementation, and what will come next from regulators.

How PSD2 Affects Your Business & What Will Come Next

For regulators in the EU and UK, the goal is always to create a more standardized, universal set of rules for payments. One banking standard “to rule them all,” if you will.

The Revised Payment Services Directive, or PSD2, was an attempt at that.

PSD2 should have opened a world of new opportunities for consumers and businesses. But, like any significant policy change, regulators left a fair amount to be desired.

In this article, we’ll go over what PSD2 is, who it pertains to, and the effects it’s had on commerce since implementation. We’ll also consider where regulators might go from here, and how businesses should respond.

What is PSD2?

Revised Payment Services Directive (PSD2)

[noun]/rǝ • vīzd • pā • muhnt sur • vis • es • dǝ • rek • tiv/

The Revised Payment Services Directive (PSD2) is a ruleset administered by the European Commission. Its purpose is to regulate payment services and payment service providers throughout the European Union and European Economic Area, allowing new entities to operate as financial institutions with proper oversight.

The original Payment Service Directive was put in place in 2007 to facilitate pan-European competition, increase consumer protections, and standardize the rights and obligations of payment providers and users. The PSD worked to some extent, but a number of issues remained. For instance, entities that could operate as financial institutions in one country might not be able to do so in another, or the standards for best practices might differ across borders.

Enter PSD2.

Building on the original directive, PSD2 goes even further in creating a more integrated and competitive market. It breaks down barriers to entry for new payment services. Thus, PSD2 should benefit consumers by creating a more competitive market (in theory).

PSD2 also focuses on greater data security standards. It mandates Strong Customer Authentication standards and expands overall consumer rights. The directive limits costs associated with card payments and mandates better fraud protection for consumers.

What Changes Did PSD2 Make? How Does It Differ From PSD1?

The original Payment Services Directive laid the legal groundwork for an EU single market for payments. The directive’s goal was to make cross-border payments between EU member states as seamless, easy, and secure as national payments within a member state.

PSD2 builds upon PSD1’s legal foundations. It further integrates the EU single market for payments, introduces stricter security standards for payment providers, protects consumers, and levels the playing field for third-party payment service providers (TPPs).

Third-Party Payment Service Providers

Change #1  |  Third-Party Payment Service Providers

The inclusion of TPPs within the scope of PSD2 is a key way in which the revised directive differs from PSD1. Under PSD2, third parties known as “account information service providers” (or “AISPs”) and “payment initiation service providers” (or “PISPs”) can enter the EU market. To do so, they must comply with the revised directive’s transaction security and customer data protection mandates.

Strong Customer Authentication Requirements

Change #2  |  Strong Customer Authentication Requirements

The introduction of Strong Customer Authentication (SCA) standards means that both banks and non-bank TPPs must secure customer accounts using multi-factor authentication security measures. SCA requirements promulgated under PSD2 help keep sensitive customer information secure and reduce fraudulent transaction risks.

Greater Data Sharing

Change #3  |  Greater Data Sharing

The introduction of TPPs into the EU payments market means that sensitive customer information will be shared more frequently between bank and non-bank providers. Banks can’t withhold financial information from TPPs. This data sharing is done with the customer’s consent, of course.

Unified Specifications For APIs

Change #4  |  Unified Specifications For APIs

Data is most vulnerable while in transit, so PSD2 introduced unified technical specifications for application programming interfaces, or APIs—tools that allow bank and TPP software to “talk” to each other. Under PSD2, payment service providers will need to regularly report on API security measures, changes, and performance. The hope is that these stricter API standards will lead to safer and more secure communications between bank and non-bank TPPs.

What are AISPs and PISPs?

Perhaps the biggest change resulting from PSD2 concerns account information service providers and payment initiation service providers.

PSD2 allows for more open banking. This means, for example, that sites like Facebook and Google can now offer their users a host of new financial services. Options range from checking balances and information on multiple accounts to making online payments via direct transfer of funds instead of using a credit or debit card.

These services can be specific, or can be provided all within the same platform by an AISP or a PISP. Under PSD2 regulations, both consumers and businesses operating in the EU are free to use these third parties to fill roles previously restricted only to banks.

Account Information Service Providers (AISP)

AISPs are service providers who — at the bank customer’s request — can gain access to that customer’s account data. That access could be used to analyze a specific user’s spending patterns, either for a single bank or collectively across the customer’s accounts in multiple banks.

Payment Initiation Service Providers (PISP)

PISPs can provide transfer services without the bank’s direct involvement. Common examples include peer-to-peer transfers or centralized bill payment services. Again, the customer would be able to access any bank accounts from the same platform.

How are AISPs and PISPs Beneficial?

TL;DR

Third-party payment providers can “piggyback” on existing banking infrastructure. This lets them offer services faster and more easily than many traditional financial institutions.

The introduction of AISPs and PISPs allows non-bank third-party payment service providers to offer new and improved financial services to merchants and consumers.

This is possible because TPPs have a unique advantage. Using open application programming interfaces (or “APIs”), third parties can “piggyback” on a bank’s existing infrastructure. This lets them offer credit, investing products, depository accounts, cross-border transfers, and other solutions faster and more easily.

This does not mean, of course, that banks are out of the picture. Banks are obligated to provide third-party players with access to customers’ accounts, assuming the account holder grants permission. But, AISPs and PISPs are still not banks; there are services they will be legally prohibited from offering.


There are other concerns to keep in mind, too. For instance, having third-party platforms provide services through banks means adding another entry point to a given transaction chain. Every entry point has the potential of being a weak link in that chain… a fact fraudsters are sure to exploit.

That said, PSD2 does address this issue. As mentioned before, the directive unifies technical standards surrounding APIs and requires banks and TPPs to regularly report on their APIs’ security measures. Although this requirement will not deter all instances of fraud, it may lower its prevalence.

Who Must Comply With PSD2?

TL;DR

All financial institutions and TPPs doing business in the European Economic Area (EEA) must comply with PSD2. This includes all 27 European Union (EU) member states plus Iceland, Liechtenstein, and Norway. PSD2 is also enforced by the Financial Conduct Authority in the UK, despite the fact that the UK is not an EU or EEA member.

The directive impacts eCommerce merchants, too. In fact, it impacts any business or service that accepts payments from consumers, uses payment or customer data, or otherwise assists in the electronic payment process.

PSD2 was first introduced on January 12, 2016, and EU member states were given two years to transpose it into national law. Enforcement of the directive began on September 14, 2019, though not without delays.

For instance, the European Banking Authority extended the deadline for Strong Customer Authentication compliance to December 31, 2020, and in the UK, the deadline was further extended to March 14, 2022.

As of August 2024, PSD2 is in full effect within all EEA countries and the UK. This means, among other things, that all customer-initiated electronic payment transactions must go through strong customer authentication protocols unless they qualify for a very specific exclusion or exemption.

SCA Exemptions Allowed Under PSD2

Essentially, everyone who takes or manages payments in the EU or UK must be PSD2 compliant for most transactions. There are, however, a few exceptions to the rule that may apply in specific circumstances.

Possible SCA exemptions include:

Low-Risk Payments
Payments below €30.

Fixed-Amount Subscriptions
SCA only applies to the first transaction.

Trusted Beneficiaries
In effect, businesses that are considered a ‘trusted source’, like a utility provider, etc. The customer’s bank maintains the list.

Corporate Payments
Charges made on behalf of a more central agency, such as corporate travel, meals, hotels, etc.

Payments Made With Saved Cards
The customer will always need to authenticate, and the bank still reserves the right to decline.

Other exemptions may apply in the future, as PSD2 regulations are relatively new. While this might offer a bit of a break from these behemoth changes to well-established payment routines, merchants are less enthusiastic about the changes.

Merchant Issues With PSD2

PSD2 implementation has gone fairly smoothly for most parties. This probably owes to the several years of delays allowed for the compliance deadline. That said, there are three points at which PSD2 adoption has negatively impacted operations:

Customer Experience

Maintaining an optimized customer experience is already a challenge. However, PSD2 has exacerbated the matter. Today’s consumers value smooth-yet-flexible service at least as highly as security (if not higher). Merchants often struggle to find ways to provide a frictionless experience, especially since implementing the required security measures causes friction, almost by definition.

SCA security protocols are a step in the right direction for consumers, merchants, and banks. But, finding a way to implement that security without negatively influencing the customer experience is proving problematic.

Chargeback Policy

The consumer’s right to file chargebacks on credit and debit card purchases is guaranteed by law. Disputes are different with PISPs, though. Since these are not credit or debit card transactions, there’s no guarantee that a service provider can resolve customer disputes when goods or services aren’t received.

Thus far, PISPs have not proved themselves in the arena of disputed transactions. Many merchants have seen little-to-no fluctuation in the frequency of disputes, aside from a general rise in post-pandemic CNP transactions and their resulting chargebacks. This is a “remains to be seen” situation.

Important!

Chargebacks are widely abused and used to commit friendly fraud, and the system is in desperate need of an update for the eCommerce age in general. That said, chargebacks remain an essential consumer protection tool, ensuring that consumers won’t pay the price for fraud.

“One-Leg” Compliance

If you have any transactions with parties in the EU, the PSD2 will affect your business, no matter which side of the pond you call home. Merchants in North America will need to abide by some (though not all) of the new regulations to access consumers in EU member states.

Transactions in which one party is in the European Economic Area (EEA), but the other is out, are called one-leg transactions. The PSD2 stipulates that, for one-leg transactions in which the buyer is in the EEA but the seller is not, SCA is still required.
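The exemption list and the one-leg rule above amount to a decision procedure that a merchant’s PSP integration has to run on every payment. The following Python is an added illustration of that procedure, not code from Chargebacks911, a card scheme or a regulator. The Transaction fields, the EEA_UK country set, the factor table and the sample transactions are constructed for the example; the exemption conditions follow the article’s summary rather than the regulatory technical standards, and a payer outside the EEA/UK is treated as out of scope, which is an assumption since the article only addresses the EEA-buyer direction. The two-of-three factor-category check reflects the directive’s definition of SCA (knowledge, possession, inherence), which the article summarises as “multi-factor authentication”.

```python
"""SCA applicability check modelled on the PSD2 exemptions and one-leg rule
summarised in the article. Added illustration, not code from Chargebacks911,
a card scheme or a regulator. Field names, the EEA_UK set and the sample
transactions are constructed; the exemption rules follow the article's
summary, and the issuer may still decline or step up regardless."""

from dataclasses import dataclass
from decimal import Decimal
from typing import Iterable

# EU-27 plus Iceland, Liechtenstein and Norway (the EEA) plus the UK, where
# the FCA also enforces PSD2. ISO 3166-1 alpha-2 codes.
EEA_UK = frozenset("""
AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU MT NL PL PT RO SK SI
ES SE IS LI NO GB
""".split())

# Factor categories from the directive's definition of SCA: knowledge
# (something only the user knows), possession (something only the user has)
# and inherence (something the user is). Factor names are constructed.
FACTOR_CATEGORIES = {
    "password": "knowledge", "pin": "knowledge",
    "otp_device": "possession", "chip_card": "possession",
    "fingerprint": "inherence", "face": "inherence",
}


def is_strong_authentication(factors: Iterable[str]) -> bool:
    """True when the factors span at least two independent categories.
    A password plus a PIN is still one category and does not count."""
    categories = {FACTOR_CATEGORIES[f] for f in factors}
    return len(categories) >= 2


@dataclass(frozen=True)
class Transaction:
    payer_country: str               # country of the customer's bank
    payee_country: str               # country of the merchant's PSP
    amount_eur: Decimal
    payee_id: str                    # merchant id as known to the issuer
    recurring: bool = False          # part of a subscription series
    first_in_series: bool = True
    fixed_amount: bool = True        # subscription amount does not vary
    corporate_card: bool = False
    stored_credential: bool = False  # card-on-file ("saved card") payment


@dataclass(frozen=True)
class Outcome:
    sca_required: bool
    reason: str


def sca_decision(tx: Transaction, trusted_beneficiaries: frozenset) -> Outcome:
    """Scope first, then the exemptions, then the saved-card rule."""
    # Scope: an EEA/UK payer brings the payment under PSD2 even when the
    # payee is outside (one-leg). A payer outside the EEA/UK is treated as
    # out of scope here (assumption; the article does not cover that case).
    if tx.payer_country not in EEA_UK:
        return Outcome(False, "out of scope: payer outside EEA/UK")
    one_leg = tx.payee_country not in EEA_UK

    # Exemptions the PSP may claim. The issuer keeps the right to decline.
    if tx.payee_id in trusted_beneficiaries:
        return Outcome(False, "exempt: trusted beneficiary (issuer-held list)")
    if tx.recurring and tx.fixed_amount and not tx.first_in_series:
        return Outcome(False, "exempt: fixed-amount subscription after first payment")
    if tx.corporate_card:
        return Outcome(False, "exempt: corporate payment")
    if tx.amount_eur < Decimal("30"):
        return Outcome(False, "exempt: low-value payment below EUR 30")

    # Saved cards are not an exemption: the customer still authenticates.
    if tx.stored_credential:
        return Outcome(True, "SCA required: saved card, customer must authenticate")
    if one_leg:
        return Outcome(True, "SCA required: one-leg transaction with EEA/UK payer")
    return Outcome(True, "SCA required: no exemption matched")


# Constructed sample transactions (not real data).
TRUSTED = frozenset({"utility-energy-001"})
SAMPLES = [
    Transaction("US", "DE", Decimal("500.00"), "shop-eu"),
    Transaction("FR", "US", Decimal("120.00"), "shop-us"),
    Transaction("DE", "DE", Decimal("19.99"), "shop-eu"),
    Transaction("DE", "DE", Decimal("49.99"), "stream-eu", recurring=True),
    Transaction("DE", "DE", Decimal("49.99"), "stream-eu", recurring=True,
                first_in_series=False),
    Transaction("NL", "NL", Decimal("210.00"), "utility-energy-001"),
    Transaction("IT", "IT", Decimal("850.00"), "hotel-eu", corporate_card=True),
    Transaction("ES", "ES", Decimal("75.00"), "shop-eu", stored_credential=True),
]


def count_sca_required(txs: Iterable[Transaction], trusted=TRUSTED) -> int:
    """Number of transactions in `txs` that must be sent through SCA."""
    return sum(sca_decision(tx, trusted).sca_required for tx in txs)


if __name__ == "__main__":
    for tx in SAMPLES:
        out = sca_decision(tx, TRUSTED)
        print(f"{tx.payer_country}->{tx.payee_country} EUR {tx.amount_eur:>7}: {out.reason}")
```

Running the block prints one line per sample; three of the eight require SCA (the one-leg purchase, the first subscription payment above €30, and the saved-card payment). The order of checks matters only for the reason reported: a trusted-beneficiary payment under €30 is exempt either way, but a first subscription payment of €49.99 is not, which is the kind of case a merchant’s test suite should pin down before go-live.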

3DS Requirements

Since PSD2 requires SCA to verify users, many merchants sought 3-D Secure solutions to comply with the directive. This turned out to be a mistake, as PSD2 affects every aspect of 3DS software with some startling side effects.

Authentication failures like false declines, abandonment, and a loss of consumer trust are just a few examples of the problems resulting from too many safeguards in place at once. Heightened security is a great thing, but that security can lead to lost revenue and even chargebacks when technical issues arise. 3DS tends to trigger issuer declines to combat fraud, and due to its sensitivity, merchants are feeling the backlash in their conversion rates.

How Does PSD2 Affect Conversion?

Let’s look at that last point in a little more detail.

Frankly, the initial impact of PSD2 on conversion wasn’t great. Comparing 3DS conversion rates with non-3DS transactions paints a relatively clear picture of PSD2’s failings across the EU.

Decrease in Conversions per Country Post-PSD2:

Great Britain: 25-30%
Germany: 50%
France: 40-50%
Spain: 40%
Italy: 40-50%

(Source: Forter)

Referring to these figures, we can see the European market was not prepared for the new regulations. According to Forter, high 3DS authentication declines result from technical failure or issuer decline. This indicates that the payment ecosystem was not fully prepared to handle the new regulation.

Now, the good news is that widespread adoption of newer versions of 3DS technology has largely addressed this problem. But, it still serves as an illustrative example of what can happen when new regulations are implemented without merchants and other players being prepared for the change.

What About PSD3?

In June 2023, the European Commission proposed a third payment services directive (PSD3) along with a Payment Services Regulation (PSR). The final PSD3/PSR legislative drafts are expected to be available by the end of 2024. If this deadline is met, the rules established by PSD3/PSR legislation could go into force as soon as the second half of 2026.

PSD3/PSR seeks to improve upon some of PSD2’s practical weaknesses. For example, the pair of proposals will streamline compliance requirements for AISPs and PISPs. This could make it easier for prospective and incumbent firms operating in the EU market to secure and maintain authorization to do business, respectively.

PSD3/PSR also introduces an array of new consumer protections. It mandates greater fee transparency among ATM service providers, requires “duly justified response and reasoning” from the PSP when accounts are closed, and further limits consumers’ liability for fraud—specifically when they are victims of APP fraud.

It will be interesting to see what PSD3 will entail once the final draft is ready. In the meantime, merchants have to focus their attention on remaining compliant while ensuring that conversion is not negatively impacted.

How Can Merchants Counteract Pitfalls & Remain Compliant?

Merchants want to get ahead of the game and remain compliant. To do so, a simple fix might be to shift focus to other fraud prevention solutions and practices. We recommend that merchants:

Use the Right Fraud Tools

In addition to 3DS, you should deploy several other fraud tools that work in tandem to secure your transactions. This includes AVS, CVV, and two-factor authentication, to name a few.

Conduct Regular Audits

Conduct regular audits of all internal operations to ensure you’re doing what needs to be done. Are you staying up to date with tech changes? Are your employees abiding by your established protocols?

Keep Software Up to Date

Outdated software can cause multiple problems. Outdated fraud prevention solutions may fail to intercept new threats. Keep up with all software updates and patches and deploy them as soon as possible.

Need Help?

PSD2 regulations are complex, and guidelines for compliance can be vague and confusing.

What if someone could show you the ropes?

With more than a decade of experience in the payments industry, Chargebacks911® is the leading chargeback management solution provider in Europe. Reach out to us for a no-obligation discussion about how to navigate the regulatory challenges and opportunities presented by PSD2, PSD3/PSR, and future EU directives.

FAQs

What is the meaning of PSD2?

Officially the Revised Payment Services Directive and colloquially the “Payment Services Directive 2,” PSD2 is a European Union (EU) regulation that lays out security requirements for payment service providers (PSPs). Entered into force in January 2016, PSD2 expands consumer protections and requires PSPs to implement Strong Customer Authentication security standards.

Is PSD2 applicable in the US?

Officially, no. PSD2 is only enforced within the European Union (EU) and the European Economic Area (EEA). However, PSD2 would apply to US merchants with EU customers or US payment service providers that process payments in the EU.

What are the main requirements of PSD2?

PSD2 protects customer data and enhances payment transaction security by requiring payment service providers (PSPs) to adhere to several standards. First, PSD2 mandates strong customer authentication, which requires PSPs to implement two-factor authentication security measures. Second, PSPs must monitor suspicious or fraudulent transaction and device activity on behalf of customers. Third, PSD2 unifies technical standards regarding application programming interface (API) access for third-party PSPs.

What is the difference between GDPR and PSD2?

GDPR sets standards for the storage, processing, and transfer of customer data. It grants consumers rights over their personal data and is broadly applicable to a wide range of industries (not just the payments space). PSD2 is a regulatory framework that applies more narrowly to the payments industry. It mandates strong customer authentication security measures, enhances fraud monitoring requirements, and unifies technical standards surrounding application programming interface (API) access for third-party payment service providers, or TPPs.

What are the risks of using PSD2?

Most of the risks surrounding PSD2 involve the sharing of “sensitive personal data” with third-party payment service providers (TPPs). For example, it may be more difficult for banks that share customer data with TPPs to keep that data private. The movement of data between banks and TPPs also introduces security risks, given that data is most vulnerable when it is in transit. PSD2 also elevates transaction fraud risk, since some TPPs may be unreliable or even criminal. 

Who needs to be PSD2 compliant?

Any payment service provider that does business in the EU, the European Economic Area (EEA), or the UK, must be PSD2 compliant.


Author

Mark Watson

Relationship Manager & Chargeback Specialist

Mark Watson is a Relationship Manager & Chargeback Specialist at Chargebacks911. He possesses nearly two decades of experience in the payments space, having previously managed a team of Visa and Mastercard chargeback staff in the dispute resolution unit at NatWest before taking on his current role.
