The legislation was enacted in part to require payment service providers and third-party providers to improve customer authentication and to introduce Strong Customer Authentication (SCA), for example through two-factor authentication (2FA).
The widespread adoption of the 3-D Secure version 2 protocol (3DS2) and of other multi-factor authentication processes in consumer and business payment environments is largely a result of the Directive's SCA requirement.
The framework governs payment services and electronic payment transactions within the European Union (EU). It builds upon the original Payment Services Directive (PSD) and aims to promote competition, innovation, and security in the European payment industry.
PSD2 has had a significant impact on the European payment landscape, promoting innovation, competition, and security while providing consumers with enhanced payment options and protection. It has paved the way for open banking initiatives, driving the development of new payment services and fostering a more integrated and dynamic European payments market.
The main components and objectives of the PSD2 directive are:
PSD2 scope: It applies to payment service providers (PSPs) operating within the EU, including banks, payment institutions, e-money institutions, and other entities involved in payment services. It covers various types of payment transactions, including credit transfers, direct debits, card payments, and mobile payments.
Strong customer authentication (SCA): PSD2 introduces stronger security requirements for electronic payment transactions through the implementation of Strong Customer Authentication. SCA mandates that customer authentication for most electronic payments must involve at least two independent factors from three categories: knowledge (something only the user knows), possession (something only the user possesses), and inherence (something inherent to the user, such as biometric data). Independence means that the compromise of one factor must not compromise the others, so, for example, a password and a one-time code delivered to the same compromised device do not qualify. For remote electronic payments the accompanying regulatory technical standards also require dynamic linking: the authentication code must be bound to the specific amount and payee shown to the payer, so a code obtained for one payment cannot be replayed for a different amount or recipient. SCA aims to enhance the security of online payments and reduce fraud.
Access to accounts (XS2A): PSD2 promotes open banking and grants third-party providers (TPPs), known as Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs), access to customers' payment accounts with their consent. AISPs can retrieve account information, such as transaction history and balances, while PISPs can initiate payment transactions on behalf of the customer. This provision encourages competition and innovation by enabling new players to offer innovative payment services and products.
Strong customer authentication exemptions: PSD2 defines certain exemptions to SCA for specific payment scenarios. Low-value transactions, recurring transactions of fixed amounts to the same payee, and transactions to payees on a trusted beneficiary list are examples of cases where SCA may be exempted. Applying an exemption is at the discretion of the payer's PSP, which may still require SCA on any transaction, and low-value exemptions are subject to cumulative limits so that a payer cannot be kept indefinitely away from a challenge. These exemptions aim to facilitate frictionless payments while maintaining a balance between security and user convenience.
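The following is an added example, not code from the original page or from any regulator or PSP, showing how an issuer might implement the two points above: the exemption decision with its cumulative counters, and dynamic linking of the authentication code to amount and payee. The threshold values, the HMAC construction, the session key and the sample payment sequence are all assumptions of the example; a real issuer would take the thresholds from its regulator's technical standards and hold the key in an HSM.

```python
"""Added example: SCA exemption decision and dynamic-linking check.

Constructed for illustration; thresholds, key material and the sample
payments are assumptions, not figures taken from the page.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

# Assumed configuration (amounts in cents to avoid float rounding).
LOW_VALUE_LIMIT = 3000          # single remote transaction at or below this may be exempt
CUMULATIVE_LIMIT = 10000        # cumulative amount exempted since the last SCA challenge
MAX_EXEMPT_SINCE_SCA = 5        # number of exempted transactions since the last SCA


@dataclass
class PayerState:
    """Per-payer data the issuer keeps between SCA challenges."""
    trusted_payees: set = field(default_factory=set)
    recurring: dict = field(default_factory=dict)   # payee -> fixed amount in cents
    cumulative_since_sca: int = 0
    count_since_sca: int = 0


def sca_decision(state, amount_cents, payee):
    """Return (exempt, reason) for one remote payment.

    Exemptions are checked in order; anything not exempt is challenged with
    two independent factors. The issuer may always choose to challenge anyway.
    """
    if payee in state.trusted_payees:
        return True, "trusted beneficiary"
    if state.recurring.get(payee) == amount_cents:
        return True, "recurring fixed amount"
    if (amount_cents <= LOW_VALUE_LIMIT
            and state.cumulative_since_sca + amount_cents <= CUMULATIVE_LIMIT
            and state.count_since_sca < MAX_EXEMPT_SINCE_SCA):
        return True, "low value"
    return False, "SCA required"


def record_outcome(state, amount_cents, exempt):
    """Every exempted payment advances the counters; a challenge resets them.

    Design choice of this example: all exemptions count towards the limits,
    because they are the only payments made without a challenge.
    """
    if exempt:
        state.cumulative_since_sca += amount_cents
        state.count_since_sca += 1
    else:
        state.cumulative_since_sca = 0
        state.count_since_sca = 0


def evaluate_batch(state, payments):
    """Run a sequence of (amount_cents, payee) through the decision logic."""
    reasons = []
    for amount_cents, payee in payments:
        exempt, reason = sca_decision(state, amount_cents, payee)
        record_outcome(state, amount_cents, exempt)
        reasons.append(reason)
    return reasons


def authentication_code(key, amount_cents, payee, nonce):
    """Dynamic linking: the code commits to the amount and payee shown to the payer."""
    msg = f"{amount_cents}|{payee}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_dynamic_link(key, code, amount_cents, payee, nonce):
    """Recompute at execution time; any change to amount or payee fails the check."""
    expected = authentication_code(key, amount_cents, payee, nonce)
    return hmac.compare_digest(code, expected)


def sample_state():
    # Constructed sample: one trusted payee and one fixed-amount recurring mandate.
    return PayerState(trusted_payees={"utility-co"}, recurring={"gym": 3000})


SAMPLE_PAYMENTS = [          # constructed sequence, amounts in cents
    (2500, "shop-1"),        # low value, counters start
    (3000, "gym"),           # recurring fixed amount
    (2900, "shop-2"),        # low value, cumulative 8400
    (2000, "shop-3"),        # would exceed the cumulative limit -> SCA, counters reset
    (5000, "utility-co"),    # trusted beneficiary
    (3100, "gym"),           # amount differs from the mandate and is above the limit -> SCA
    (2000, "shop-4"),        # low value again after the reset
]


def dynamic_link_demo():
    """Return (genuine verifies, payee-swapped copy verifies) -> (True, False)."""
    key = b"assumed-per-session-issuer-key"   # assumption; real keys live in an HSM
    nonce = "txn-0001"
    code = authentication_code(key, 12000, "merchant-a", nonce)
    genuine = verify_dynamic_link(key, code, 12000, "merchant-a", nonce)
    swapped = verify_dynamic_link(key, code, 12000, "attacker-acct", nonce)
    return genuine, swapped


if __name__ == "__main__":
    print(evaluate_batch(sample_state(), SAMPLE_PAYMENTS))
    print(dynamic_link_demo())
```

The swapped-payee check is the man-in-the-browser case dynamic linking is meant to defeat: the payer approved "merchant-a" for €120, so a code captured from that approval is useless for a transfer to another account even at the same amount.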
Enhanced security and fraud prevention: PSD2 requires PSPs to implement measures to detect and prevent fraud, including transaction monitoring, risk assessment, and secure communication channels. It also establishes liability rules for unauthorized transactions to ensure a fair distribution of responsibility among PSPs, merchants, and customers.
Payment security incident reporting: PSD2 mandates PSPs to report significant operational or security incidents to their competent authorities. This provision enhances transparency and enables authorities to assess and address potential risks to the payment ecosystem.
Consumer protection: PSD2 strengthens consumer protection by providing clearer rights and obligations for payment service users. It ensures that customers are provided with comprehensive information about payment services, charges, and complaint handling procedures. Additionally, PSD2 sets out rules to address unauthorized or incorrectly executed payment transactions and facilitates the refund process. For more information see https://ec.europa.eu/