What is PSD2? Here’s what businesses need to know


The revised Payment Services Directive (PSD2) is a European regulation that makes online payments more secure while supporting competition in financial services. PSD2 entered into force in January 2016 as an update to the original PSD, which was established in 2007, and member states had to apply it from January 2018. Among other provisions, PSD2 requires banks to open their payment services and customer data to third-party providers (TPPs), which can drive the creation of new financial products and services. The regulation also mandates stronger customer authentication. Although the new authentication measures were required as of 14 September 2019, some countries delayed or phased in their enforcement, with a final compliance deadline of 31 December 2020.

PSD2 is a major piece of legislation that's reshaping the way digital payments work in Europe. Below, we'll explain what's included in this legislation, how it impacts the financial industry, and what businesses need to know about staying compliant with PSD2.

What's in this article?

  • Key objectives of PSD2
  • What are the main components of PSD2?
  • How to stay compliant: A PSD2 checklist
  • How PSD2 impacts the financial industry
  • Benefits of PSD2 for customers and businesses
  • Challenges and concerns related to PSD2
  • How Stripe Payments can help

Key objectives of PSD2

PSD2 focuses on improving the retail payments market with stronger security and more competitive offerings. Here are the key objectives of this updated European Union standard:

  • Market competition: By opening up access to customer data, PSD2 encourages new players, such as fintech companies, to enter the market and offer innovative financial services. This promotes competition and leads to better products and services.

  • Security: PSD2 introduces stricter security requirements for online payments, such as Strong Customer Authentication (SCA). This helps minimise fraud and protect customers' financial data.

  • Consumer protection: PSD2 gives customers more control over their financial data and strengthens procedures for handling complaints, leading to faster, more effective resolutions.

  • Integrated payments market: PSD2 creates a more integrated and efficient European payments market by standardising payment regulations across the EU. This makes it easier for businesses and customers to make and receive payments across borders.

What are the main components of PSD2?

PSD2 affects several key areas, reshaping how payment services operate in Europe. Here are the main components of PSD2:

  • SCA: SCA requires multifactor authentication for most electronic payments to minimise fraud in digital payments. The customer must present at least two of three independent factors: something they know (such as a password), something they have (such as a phone) and something they are (such as a fingerprint). Two factors from the same category, such as a password and a PIN, do not qualify.

  • Open banking: PSD2 requires banks to give TPPs access to customers' bank accounts with customer consent. Access to account (XS2A) services enable open banking, through which customers can use services from fintech companies to manage their finances, pay bills, or even make investments, all directly from their bank accounts.

  • TPPs: Customers receive the right to use payment initiation service providers (PISPs) and account information service providers (AISPs). PISPs can initiate payments on a user's behalf, while AISPs can provide users with consolidated information from different bank accounts.

  • Transparency: PSD2 creates greater transparency in fees. It sets strict requirements on how charges should be communicated to users and ensures that users are not hit with unexpected fees, especially in cross-border payments.

  • Liability and refunds: PSD2 clarifies the responsibilities and liabilities of all parties involved in a payment transaction. This includes clearer rules for how and when customers can get refunds if something goes wrong, such as in cases of unauthorised transactions.

  • Surcharge ban: PSD2 prohibits surcharges on most card payments. Businesses in the EU can't add a fee for paying with a consumer debit or credit card whose interchange fees are capped under the Interchange Fee Regulation, or for SEPA credit transfers and direct debits, and member states may extend the ban further.

How to stay compliant: A PSD2 checklist

Staying compliant with PSD2 is an ongoing, multifaceted challenge that demands a thoughtful strategy. Compliance is required in the 30 member countries of the European Economic Area (EEA), as well as in Monaco and the United Kingdom, which kept equivalent SCA rules after leaving the EU. Although Morocco isn't a member of the EU or EEA, it has its own customer authentication mandates modelled on PSD2. Here's how businesses can manage and maintain compliance.

Strong customer authentication (SCA)

  • Implement risk-based authentication: Consider implementing risk-based authentication that adjusts to each transaction and adds extra security checks if anything is flagged as abnormal.

  • Add behavioural biometrics: Consider adding behavioural biometrics to your SCA tool kit. This tracks how users naturally interact with a website or app (e.g. how they type, how they navigate your site) to verify identity without the user noticing. This creates stronger security with less hassle for your customers.

APIs and security

  • Deploy adaptive API gateways: Use API gateways that can adjust security measures in real time. These gateways should be smart enough to tweak the level of protection based on what kind of data is being accessed.

  • Adopt a zero-trust model: Use a zero-trust model in which no one is trusted automatically, even if they're inside your network. Require that every request is authenticated and authorised, with strict segmentation so that users gain access only to what they need.

Data governance

  • Automate compliance monitoring: Invest in software that automatically monitors your compliance with PSD2. This system watches data handling practices and flags any potential issues before they become serious. It also simplifies audit processes.

  • Anonymise and tokenise customer data: Anonymise data that only needs to be analysed, and tokenise data that must later be mapped back to a customer or account. Anonymisation is irreversible, while a token is a surrogate value that can be resolved only through a tightly controlled vault, so data intercepted or leaked outside that vault is useless to an attacker.

Using technology

  • Explore regulatory technology (RegTech): Look into RegTech solutions designed to handle PSD2 requirements. These platforms help manage several tasks, including reporting and risk management.

  • Consider compliance-as-a-service (CaaS): If expanding compliance efforts is a challenge, consider partnering with CaaS providers. These services offer ready-made solutions that keep up with regulatory changes, so you can stay compliant without having to build in-house.

Adaptation and agility

  • Establish an agile compliance framework: Build an agile compliance framework that can quickly respond to changes in PSD2 or new security threats. This might involve regular sprints where your team assesses recent updates and makes necessary adjustments to your policies and tech stack.

  • Collaborate in your industry: Participate in industry groups and forums to keep up with best practices and changes in PSD2. Collaborate with peers to stay ahead of trends and share tactics for staying compliant as the regulatory environment develops.

Customer communication

  • Educate customers proactively: Engage your customers with customised communication. Use data insight to segment your audience and deliver specific education efforts through personalised in-app messages, targeted webinars, or detailed FAQs.

  • Integrate SCA into UX design: Fine-tune the customer experience by integrating PSD2 requirements into your user experience (UX) design. Test different authentication methods to find the right balance between security and convenience and use analytics to keep improving the user journey.

Risk management

  • Use dynamic, real-time risk scoring: Develop risk scoring models that can adapt in real time and use the latest data to predict and prevent compliance risks. Integrate machine learning to shift from a reactive approach to a predictive one and catch issues before they escalate.

  • Continuously assess third-party providers (TPPs): Continually monitor TPPs' compliance and security practices over time. Automated tools can help you stay on top of any changes in their risk profiles.

How PSD2 impacts the financial industry

PSD2 has introduced additional regulatory requirements, increased competition, and empowered customers by giving them greater control over their data. Here's how PSD2 has impacted the European financial industry:

  • Increased competition: PSD2 lowered the barriers to entry for fintech companies and allowed them to offer services that were once the exclusive domain of traditional banks. This has led to an increase in innovative financial products and services that cater to specific customer needs.

  • Shift to open banking: PSD2 has accelerated the adoption of open banking by requiring banks to provide application programming interfaces (APIs) that allow TPPs to access customer accounts. This allows customers to use a single interface to manage their money across multiple banks and platforms.

  • Enhanced security measures: PSD2's SCA requirements have forced the financial industry to adopt stronger security measures for online transactions. This has increased adoption of multifactor authentication in Europe.

  • Regulatory burden: PSD2 has imposed a substantial regulatory burden on financial institutions. Banks and payment service providers must take steps such as upgrading their IT infrastructure and implementing new security protocols to ensure compliance.

  • Customer empowerment: PSD2 has empowered customers by giving them more control over their financial data and choices. Under PSD2, customers can use third-party services to manage their finances and are no longer tied to a single bank for all their financial needs.

  • Strategic reorientation: PSD2 has forced traditional banks to rethink their strategies. They must collaborate with fintech companies to stay relevant in a quickly changing financial sector, either by integrating third-party services into their offerings or by developing their own solutions.

  • Contextual transaction management: Although PSD2 requirements apply to a wide range of transactions, there are several exceptions. For example, payments made via telephone or physical mail (MOTO) aren't considered electronic payments under the directive. Other exceptions include merchant-initiated transactions (although SCA is required when the customer first sets up the agreement or saves the payment method), payments made using anonymous instruments such as anonymous prepaid cards, and "one-leg-out" transactions, in which either the payer's bank or the business's payment provider is located outside the EEA.
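
The SCA checklist earlier on this page and the scope exceptions just listed both reduce to one question per payment: is it out of scope, exempt, or must SCA be applied? The Python helper below is an added example written for this article, not Stripe's code or a Stripe API. It goes slightly beyond the text by applying two exemptions from the RTS on SCA (Commission Delegated Regulation (EU) 2018/389): the Article 16 low-value exemption (EUR 30 per transaction, with a cumulative EUR 100 or five consecutive transactions since the last SCA) and the Article 18 transaction risk analysis (TRA) exemption (EUR 100/250/500 caps tied to the payment provider's fraud rate). The field names, the factor labels, the EEA country subset and the in-memory counter store are all assumptions made for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed sample: a subset of EEA country codes, enough for the demo.
# A real deployment carries the full list (27 EU states plus IS, LI, NO).
EEA_COUNTRIES = {"AT", "BE", "DE", "ES", "FR", "IE", "IS", "IT", "LI", "NL", "NO", "PL", "SE"}

# Illustrative factor labels mapped to the three SCA categories.
FACTOR_CATEGORY = {
    "password": "knowledge", "pin": "knowledge",
    "otp_device": "possession", "bound_app": "possession",
    "fingerprint": "inherence", "face": "inherence",
}

# Thresholds from the RTS on SCA (Delegated Regulation (EU) 2018/389).
LOW_VALUE_LIMIT = Decimal("30")              # Art. 16: per transaction
LOW_VALUE_CUMULATIVE_LIMIT = Decimal("100")  # Art. 16: since the last SCA
LOW_VALUE_MAX_COUNT = 5                      # Art. 16: transactions since last SCA
# Art. 18 TRA tiers: (max amount, max fraud rate of the PSP in basis points)
TRA_TIERS = ((Decimal("500"), 1), (Decimal("250"), 6), (Decimal("100"), 13))


@dataclass
class Transaction:
    amount_eur: Decimal                  # assumed already converted to EUR
    issuer_country: str                  # ISO 3166-1 alpha-2 of the cardholder's bank
    acquirer_country: str                # ISO 3166-1 alpha-2 of the merchant's PSP
    channel: str = "ecommerce"           # "ecommerce", "moto" (mail/telephone) or "pos"
    merchant_initiated: bool = False     # MIT under a mandate that was set up with SCA
    anonymous_instrument: bool = False   # e.g. an anonymous prepaid card


@dataclass
class IssuerCounters:
    """Per-card counters an issuer keeps since the last successful SCA."""
    cumulative_eur: Decimal = Decimal("0")
    count: int = 0


def satisfies_sca(factors):
    """True when the factors used span at least two distinct categories;
    password + PIN are both knowledge factors and do not count."""
    categories = {FACTOR_CATEGORY[f] for f in factors}
    return len(categories) >= 2


def sca_decision(tx, counters, acquirer_fraud_bps):
    """Classify a transaction as out of scope, exempt, or SCA-required."""
    # Scope exclusions the directive names: one-leg-out, mail/telephone
    # order, merchant-initiated (set-up was authenticated) and anonymous.
    if tx.issuer_country not in EEA_COUNTRIES or tx.acquirer_country not in EEA_COUNTRIES:
        return "out_of_scope:one_leg_out"
    if tx.channel == "moto":
        return "out_of_scope:moto"
    if tx.merchant_initiated:
        return "out_of_scope:merchant_initiated"
    if tx.anonymous_instrument:
        return "out_of_scope:anonymous_instrument"
    # Art. 16: amount <= EUR 30 and either the cumulative amount stays within
    # EUR 100 or fewer than five transactions have run since the last SCA.
    # Conservative reading: the current transaction counts towards the total.
    if tx.amount_eur <= LOW_VALUE_LIMIT and (
        counters.cumulative_eur + tx.amount_eur <= LOW_VALUE_CUMULATIVE_LIMIT
        or counters.count < LOW_VALUE_MAX_COUNT
    ):
        return "exempt:low_value"
    # Art. 18: TRA tier chosen by the PSP's fraud rate. The issuer may still
    # override and demand SCA, so callers must handle a soft decline anyway.
    for max_amount, max_bps in TRA_TIERS:
        if acquirer_fraud_bps <= max_bps and tx.amount_eur <= max_amount:
            return "exempt:tra"
    return "sca_required"


def record_outcome(counters, tx, decision):
    """Return updated counters: a completed SCA resets them, an exemption
    accrues, and an out-of-scope transaction leaves them untouched."""
    if decision == "sca_required":      # assumes the SCA challenge succeeded
        return IssuerCounters()
    if decision.startswith("exempt:"):
        return IssuerCounters(counters.cumulative_eur + tx.amount_eur, counters.count + 1)
    return counters


def run_sequence(amounts_eur, acquirer_fraud_bps=20):
    """Decide a series of intra-EEA e-commerce payments on one card,
    carrying the issuer counters forward; returns the list of decisions."""
    counters = IssuerCounters()
    decisions = []
    for amount in amounts_eur:
        tx = Transaction(Decimal(amount), "DE", "FR")
        decision = sca_decision(tx, counters, acquirer_fraud_bps)
        counters = record_outcome(counters, tx, decision)
        decisions.append(decision)
    return decisions


if __name__ == "__main__":
    # Six EUR 25 payments: the fifth still fits under the count limit,
    # the sixth breaches both limits and is challenged.
    for amount, decision in zip([25] * 6, run_sequence([25] * 6)):
        print(amount, decision)
```

The point worth noticing is the counter reset in `record_outcome`: the low-value exemption is only usable because the issuer tracks what has happened since the last successful challenge, which is why a business cannot decide it unilaterally. The TRA exemption is likewise requested by the payment provider but can be refused by the issuer, so a checkout must always be able to fall back to an authentication step.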

Benefits of PSD2 for customers and businesses

PSD2 creates more financial options and improves transaction costs for customers and businesses. Here are the benefits PSD2 creates for both groups.

Benefits of PSD2 for customers

  • Enhanced fraud protection: PSD2's SCA requirements create stronger protection for customer information in online transactions.

  • Smarter money management tools: PSD2 encourages the creation of more financial tools and services that can help customers better manage their money with comprehensive overviews and data-driven insight.

  • Fewer hidden fees: PSD2 protects customers from hidden fees, particularly with international payments, and prohibits businesses from applying surcharges on debit card, credit card, and SEPA Direct Debit payments.

  • Greater control over personal data: Customers receive the right to control who can use and access their financial data, as well as the option to revoke access anytime.

Benefits of PSD2 for businesses

  • Faster innovation and new revenue streams: PSD2 allows businesses to tap into new features and services that can refine internal processes, improve the customer experience, and create new revenue streams.

  • More flexible, cost-effective payment options: PSD2 increases the number of available payment methods, which allows businesses to offer their customers greater flexibility and can make transactions quicker, cheaper, and more secure.

  • Stronger customer loyalty: Businesses can develop modern payment solutions and use new technologies to build stronger customer relationships and loyalty.

  • Smarter, data-driven decisions: Businesses gain access to more detailed financial data through AISPs, which they can use to craft more personalised services for customers.

  • Lower payment processing costs: Payment initiation services let customers pay directly from their bank accounts, which can bypass card network fees on those transactions.

While PSD2 offers many benefits, it also presents challenges. Here are some common hurdles that customers and businesses encounter under PSD2.

Challenges for customers

  • Overwhelming number of choices: Users might struggle to find reliable TPPs in a market saturated with new services and apps.

  • Data privacy concerns: More providers have access to user data under PSD2. This can raise concerns about data security.

  • User experience hiccups: SCA requirements can frustrate users, because they introduce extra steps such as entering a one-time code or scanning a fingerprint.

Challenges for businesses

  • Regulatory compliance costs: Businesses can face major costs in upgrading their systems and securing their data to meet PSD2 standards. This can be a heavy burden, particularly for businesses with limited resources.

  • Increased competition: Traditional banks and established financial institutions must adapt quickly or risk losing customers to newer, more agile fintech companies. This creates a difficult environment in which only the most adaptive businesses can thrive.

  • Integration challenges: Businesses must have the technical expertise to integrate third-party services into existing systems without disrupting their operations.

  • Security risks: Businesses must remain vigilant about protecting customer data and ensuring that the TPPs with which they share financial data are equally committed to security.

  • Customer education: Businesses must help their customers understand changes tied to PSD2, such as why they're being asked to go through extra steps during payment and why new apps are now part of the financial ecosystem. This requires clear communication and effective customer support.

What are the risks of non-compliance?

  • Transaction declines: Issuing banks in the EEA are obligated to decline transactions that require SCA but arrive without it. Often this is a "soft decline" telling the business to retry the payment with authentication, but issuers can also hard decline, and either way the payment does not complete until SCA is satisfied.

  • Regulatory fines: National regulators in the EEA can impose heavy fines for PSD2 non-compliance. The directive leaves the penalty regime to each member state, so amounts vary by jurisdiction; where a breach also exposes customers' personal data, GDPR penalties of up to 4% of annual global turnover can apply on top.

  • Legal and fraud risks: Failure to comply with SCA requirements can expose a business to additional liability and legal risk, including potential investigations for fraudulent chargebacks or consumer protection action for surcharge ban violations.

  • Risk of lost revenue: Along with regulatory and legal risks, noncompliance can also damage customer revenue. Declined transactions and added friction during the checkout process can result in decreased conversion rates and abandoned carts, among other negative impacts.

  • Reputational harm: Noncompliance can ruin a business's reputation with security-conscious customers. Additionally, submitting non-compliant or fraudulent transactions can trigger a card network to move a business into a high-risk monitoring programme, which can lead to higher processing fees and potential bans.

How Stripe Payments can help

Stripe Payments provides a unified, global payments solution that helps any business – from scaling startups to global enterprises – accept payments online, in person and around the world.

Stripe Payments can help you:

  • Optimise your checkout experience: Create a frictionless customer experience and save thousands of engineering hours with prebuilt payment UIs, access to 125+ payment methods and Link, a wallet built by Stripe.
  • Expand to new markets faster: Reach customers worldwide and reduce the complexity and cost of multicurrency management with cross-border payment options, available in 195 countries across 135+ currencies.
  • Unify payments in person and online: Build a unified commerce experience across online and in-person channels to personalise interactions, reward loyalty and grow revenue.
  • Improve payments performance: Increase revenue with a range of customisable, easy-to-configure payment tools, including no-code fraud protection and advanced capabilities to improve authorisation rates.
  • Move faster with a flexible, reliable platform for growth: Build on a platform designed to scale with you, with 99.999% uptime and industry-leading reliability.

Learn more about how Stripe Payments can power your online and in-person payments or get started today.

The content in this article is for general information and education purposes only and should not be construed as legal or tax advice. Stripe does not warrant or guarantee the accuracy, completeness, adequacy, or currency of the information in the article. You should seek the advice of a competent lawyer or accountant licensed to practise in your jurisdiction for advice on your particular situation.
