PSD2, short for the Revised Payment Services Directive, is the engine behind secure online payments, bank integrations, and instant checkouts across Europe.
It’s not just a regulation. It’s a shift that opened the gates for fintech players, tightened security rules, and made sure your bank isn’t the only one calling the shots anymore.

But while it makes life easier for users, it’s also a compliance beast for businesses. From securing APIs to locking down endpoints, PSD2 is strict about how data moves and where it ends up.
So, what’s the full picture? Let’s break it down.
What is PSD2 and why does it matter?
PSD2 is a law made by the European Union to make online payments safer and give people more control over their banking data. It came into effect in 2018, replacing the original PSD that had been around since 2007.
The main idea behind PSD2 is simple:
- Make digital payments more secure
- Encourage more competition in the financial space
- Give customers more control over who can access their financial info
Before PSD2, only banks could access your payment and account information. Now, with PSD2, you can permit other apps and services, like budgeting tools or new payment apps, to securely connect to your bank account. This gives you more choices and access to better features or lower fees.
PSD1 vs PSD2: How is PSD2 different from the original PSD?
The original PSD was introduced to create a common set of rules for payments across EU countries. It was the first step to make payments smoother within the region.
But it had limits. It didn’t cover new types of digital payments and didn’t account for how fast fintech was growing.
Here’s what PSD2 changed:
- Third-party access: Under PSD2, banks must allow licensed third-party providers (TPPs) to access customer account data and initiate payments, but only with the customer's permission. This was not possible under the original PSD.
- Stronger security: PSD2 introduced Strong Customer Authentication (SCA). This means businesses must verify a user’s identity using at least two methods, like a password and a fingerprint. The original PSD didn’t have this rule.
- Wider coverage: PSD2 includes transactions involving one party outside the EU (called “one-leg-out” payments), especially if the service provider is in the EU. PSD didn’t cover this properly.
- More customer rights: PSD2 gives users more power to challenge unauthorized transactions and improves refund rules.
Who needs to comply with PSD2?
PSD2 applies to a wide range of businesses. If your company handles payments, account data, or any financial transactions in the EU or with EU-based customers, this law likely applies to you.
Here’s a breakdown:
- Banks and credit institutions: These are the primary targets. PSD2 forces them to open up their systems (through secure APIs) to other service providers, once the customer gives consent.
- Payment Initiation Service Providers (PISPs): These are companies that let users make payments straight from their bank accounts, skipping card networks. Think of apps that let you pay directly from your bank during checkout.
- Account Information Service Providers (AISPs): These services collect account data across multiple banks and show it in one place, like money tracking or budgeting apps.
- E-money institutions and Fintech startups: Any business offering digital wallets, prepaid cards, or similar tools must follow PSD2 if they operate in the EU.
- Merchants and eCommerce platforms: If you accept online payments in the EU, you must follow rules like Strong Customer Authentication and handle customer data carefully.
- Third-party providers (TPPs): Any company accessing bank data or initiating payments on behalf of users falls under PSD2 and must be registered with the relevant authority in their country.
Bottom line: if your business connects to, uses, or processes bank-related data in any form, PSD2 sets the rules you must follow.
What are the main components of PSD2?
The rules are built around security, transparency, and customer control.
Here’s what PSD2 demands:
1. Strong Customer Authentication (SCA)
Businesses must verify a user’s identity using at least two out of three:
- Knowledge – Something the user knows (Example: Password, PIN)
- Possession – Something the user has (Example: Phone, token device, smart card)
- Inherence – Something the user is (Example: Fingerprint, facial recognition)
This helps block fraud during online payments, logins, or account access.
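The "two out of three categories" rule above is easy to get wrong in code: two methods from the same category (password plus PIN) do not count, and a method that was presented but failed verification must not count either. The check below is an added illustration, not code from the article; the method names and their category mapping are constructed for the example.

```python
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "knowledge"    # something the user knows
    POSSESSION = "possession"  # something the user has
    INHERENCE = "inherence"    # something the user is


# Constructed mapping from the authentication methods a checkout or login flow
# might verify to the three SCA categories. Method names are illustrative.
FACTOR_CATEGORY = {
    "password": Category.KNOWLEDGE,
    "pin": Category.KNOWLEDGE,
    "phone_app": Category.POSSESSION,
    "hardware_token": Category.POSSESSION,
    "smart_card": Category.POSSESSION,
    "fingerprint": Category.INHERENCE,
    "face": Category.INHERENCE,
}


def verified_categories(evidence: dict) -> set:
    """Map each successfully verified method to its category.

    `evidence` is {method_name: verified?}. A method that failed verification
    contributes nothing, and an unknown method is rejected rather than guessed.
    """
    categories = set()
    for method, verified in evidence.items():
        if method not in FACTOR_CATEGORY:
            raise ValueError(f"unknown authentication method: {method}")
        if verified:
            categories.add(FACTOR_CATEGORY[method])
    return categories


def sca_satisfied(evidence: dict) -> bool:
    """SCA holds only when verified methods span at least two distinct categories.

    Two methods from the same category (password + PIN) still count as one.
    """
    return len(verified_categories(evidence)) >= 2


if __name__ == "__main__":
    print(sca_satisfied({"password": True, "pin": True}))          # False: both knowledge
    print(sca_satisfied({"password": True, "fingerprint": True}))  # True
    print(sca_satisfied({"password": True, "phone_app": False}))   # False: possession not verified
```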
2. Open Banking APIs
Banks are required to build secure APIs that allow licensed third-party providers to:
- Access account details (with permission)
- Initiate payments on behalf of users
This breaks the monopoly banks used to have and makes the system more open.
3. Clear customer consent
No data can be shared or accessed without explicit user permission. The business must also make it easy to cancel that permission anytime.
4. Transparency in fees and transactions
Businesses must clearly show:
- How much a payment will cost
- Any added charges
- Real-time updates about the transaction status
This helps users avoid hidden fees.
5. Incident reporting and fraud monitoring
Companies must have systems to:
- Detect unusual activity
- Report major security issues to regulators within 24 hours
This keeps regulators informed and improves response to fraud.
These requirements apply whether you’re a bank, app, or online store, as long as you deal with customer payments or account data.
How does PSD2 impact consumer privacy and data protection?
PSD2 gives users more control over who can access their financial data and how it’s used. It’s designed to protect personal information while still allowing innovation in payments and banking.
Here’s how PSD2 handles privacy:
1. Explicit user consent is mandatory
No business can access account data or initiate payments without clear and direct permission from the user. Consent must be:
- Given by the user (not assumed)
- Easy to understand
- Easy to withdraw at any time
2. Only necessary data can be collected
Apps and services can only request the information they need to provide their function. For example, a payment app can’t ask for your full transaction history if it only needs your name and account number.
3. No hidden sharing
Data shared under PSD2 can’t be sold or passed on to other companies without another round of user approval.
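The three consent rules above (explicit grant, only what the purpose needs, no onward sharing without a fresh approval, and withdrawal at any time) translate into a consent store that every data read is checked against. This is an added example, not code from the article or from any open-banking API specification; the scope and purpose names are constructed to mirror the article's payment-app versus budgeting-app illustration.

```python
from dataclasses import dataclass

# Constructed purposes and the scopes each one justifies (data minimisation).
PURPOSE_SCOPES = {
    # A payment app needs the account holder's name and account number only.
    "payment_initiation": {"account_holder_name", "account_number"},
    # A budgeting app legitimately needs balances and history as well.
    "account_aggregation": {"account_holder_name", "account_number",
                            "balance", "transaction_history"},
}


@dataclass
class Consent:
    user_id: str
    tpp_id: str
    purpose: str
    scopes: frozenset
    withdrawn: bool = False


class ConsentStore:
    def __init__(self):
        self._consents = {}  # (user_id, tpp_id) -> Consent

    def grant(self, user_id, tpp_id, purpose, requested):
        """Record explicit consent, refusing any scope the purpose does not need."""
        excess = set(requested) - PURPOSE_SCOPES[purpose]
        if excess:
            raise PermissionError(f"{purpose} does not justify {sorted(excess)}")
        consent = Consent(user_id, tpp_id, purpose, frozenset(requested))
        self._consents[(user_id, tpp_id)] = consent
        return consent

    def withdraw(self, user_id, tpp_id):
        """Withdrawal always succeeds; later access checks then fail closed."""
        key = (user_id, tpp_id)
        if key in self._consents:
            self._consents[key].withdrawn = True

    def may_access(self, user_id, tpp_id, scope):
        """Each data read is checked against live consent, never assumed."""
        consent = self._consents.get((user_id, tpp_id))
        return consent is not None and not consent.withdrawn and scope in consent.scopes

    def may_share_onward(self, user_id, tpp_id, recipient_id, scope):
        """Passing data to another company needs that company's own user consent."""
        return self.may_access(user_id, tpp_id, scope) and self.may_access(user_id, recipient_id, scope)
```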
4. Data Security Measures
Companies must follow strict technical and security standards to protect customer data—this includes encryption, access controls, and secure storage.
NOTE: PSD2 doesn’t override the General Data Protection Regulation (GDPR); it complements it. So, any company under PSD2 also has to meet GDPR’s privacy requirements, making sure your data is handled responsibly.
What are the penalties for failing to comply with PSD2?
Penalties for businesses:
- Fines – Regulatory authorities can impose hefty fines on companies that don’t follow PSD2. These fines vary depending on the severity of the violation and the country, but they can reach millions of euros in some cases.
- License suspension or revocation – For payment service providers, fintechs, or banks, non-compliance can lead to the suspension or loss of their operating license. This means they would no longer be allowed to provide payment services in the EU.
- Reputational damage – A company caught violating PSD2 risks losing customer trust. If users feel their data or money is at risk, they may leave for safer alternatives, which can hurt the business long-term.
- Legal action – In serious cases, companies may face lawsuits from customers or other businesses affected by their failure to comply with PSD2.
Penalties for failing to meet SCA requirements:
- Unsuccessful transactions: If a business doesn’t implement Strong Customer Authentication (SCA), transactions could be declined. This could lead to lost sales or business opportunities.
- Security incidents: A breach due to weak endpoint security, lack of SCA, or insufficient data protection could expose companies to additional fines and force them to compensate affected customers.
Where to begin with PSD2 compliance: Endpoint security first
Before diving into API security or SCA workflows, start with the basics: manage your endpoints.
Why? Because every user interaction with financial data, be it account access, transaction approval, or app integration, happens on a device. And if that device isn’t secure, everything else falls apart.
Here’s how businesses can build a strong foundation for PSD2 compliance through endpoint security:
1. Secure access control – Make sure only verified users can access financial data from any device. Enforce strong device-level authentication and block untrusted users from even getting close.
2. Remote visibility and control – Monitor endpoints in real time. Spot unauthorized access or odd login behavior quickly. If a device is lost or compromised, admins should be able to wipe it instantly.
3. Encrypt everything – Whether it’s data moving between an app and a bank or a login request from a mobile device, encryption should be non-negotiable. It keeps sensitive info safe in transit.
4. Guard against malware – An infected device can silently leak passwords, intercept security codes, or fake transactions. Real-time protection and regular scans keep attackers out.
5. Set app and user-level boundaries – Not every user needs access to every app or feature. Limit access to just what’s needed. This reduces risk and keeps endpoints lean and compliant.
Final thoughts
For businesses, complying with PSD2 is an opportunity to build trust, offer better services, and stay competitive in this changing market. However, failure to meet the regulations can lead to significant fines, legal risks, and damage to reputation.
Remember, endpoint security plays a critical role in PSD2 compliance. Businesses must ensure that devices accessing sensitive financial data are well-protected and that customer authentication is always up to the mark.