PSD2
Definition
PSD2 is the EU directive that mandates Strong Customer Authentication for online payments and requires banks to grant API access to licensed third-party providers.
PSD2 (Payment Services Directive 2) is the EU regulatory framework governing payment services across the European Economic Area, replacing PSD1 in 2018. It introduced Strong Customer Authentication (SCA) for electronic payments, mandated open banking access through standardized APIs, and expanded the licensing framework for third-party providers (TPPs) including account information service providers (AISPs) and payment initiation service providers (PISPs). PSD2 fundamentally restructured the competitive dynamics between banks, PSPs, and fintech companies in Europe.
PSD2 is the foundational regulatory text for European payments. Its two major commercial impacts — SCA requirements and open banking mandates — have reshaped how payments are built and priced in the EU and EEA.
Key Provisions
Strong Customer Authentication: PSD2 mandated SCA for electronic transactions, requiring multi-factor authentication for most card-not-present payments. The SCA requirements took effect progressively between 2019 and 2021 after enforcement delays, with full enforcement varying by market.
Open Banking / Account Access: Banks with more than a certain payment account threshold must provide API access to licensed TPPs. This created two new categories of regulated entity:
- AISPs (Account Information Service Providers): Can read account data with customer consent
- PISPs (Payment Initiation Service Providers): Can initiate payments from a customer's bank account directly
Liability shift: PSD2 formalized liability rules for unauthorized transactions and introduced the concept of strict liability for PSPs, with narrower fraud claim windows for consumers.
Surcharging prohibition: PSD2 prohibits merchants from surcharging consumers for using regulated payment instruments (consumer credit and debit cards within the EU), though the rules for commercial cards and three-party schemes are more complex.
Open Banking in Practice
The open banking provisions of PSD2 have had mixed uptake. While the technical standards (defined in the RTS and implemented via common API frameworks like Berlin Group / NextGenPSD2 and Open Banking UK) are in place, merchant and consumer adoption of PISP-initiated payments has grown slowly in most markets.
The notable exception is account-to-account (A2A) payments in markets with strong instant payment infrastructure — the Netherlands (iDEAL), Poland (BLIK), and increasingly across the SEPA Instant Credit Transfer network. In these markets, PSD2-enabled payment initiation sits alongside card payments as a genuine alternative, typically at lower cost to merchants.
PSD2 vs. PSD3 / PSR
The European Commission published proposals for PSD3 and a new Payment Services Regulation (PSR) in 2023. The PSR would convert key PSD2 provisions into directly applicable EU regulation (removing national transposition variations), while PSD3 would update the directive for remaining areas. As of 2025, these remain in legislative process.
Global Authentication Equivalents
PSD2 has no direct global equivalent. Other major markets have developed their own authentication frameworks:
United Kingdom: Post-Brexit, the FCA adopted its own SCA rules largely mirroring PSD2. The UK's Open Banking Implementation Entity (OBIE) created one of the world's most mature open banking ecosystems, with over 11 million users as of 2025.
India: RBI's two-factor authentication mandate for card-not-present transactions predates PSD2 and is among the world's strictest. Additional-factor authentication (OTP, biometric) is required for most online card transactions regardless of amount.
Australia: No SCA mandate equivalent, though the Consumer Data Right (CDR) framework establishes open banking principles for data sharing.
Singapore / Asia: Singapore's MAS requires two-factor authentication for high-value transfers; Bank Negara Malaysia and Bank Indonesia have analogous requirements. These are bank-centric rules rather than merchant-facing SCA mandates.
For operators building global payment products, the SCA technical stack — 3DS2 integration, exemption engine, soft-decline handling — is specific to EU/UK exposure and must be maintained separately from authentication approaches in other regions.
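The SCA stack described above, as an added example that is not part of the original entry: a small exemption engine applying the PSD2 RTS low-value (Art. 16) and transaction risk analysis (Art. 18) rules, with the soft-decline path that steps up to a 3DS2 challenge when the issuer rejects the claimed exemption. The transaction fields and the issuer callable are assumptions made for the illustration, not any real PSP's API.

```python
"""Added example (not from the original page): a minimal SCA exemption
decision plus soft-decline handling for EU/UK card-not-present payments.
Thresholds follow the PSD2 RTS (Art. 16 low-value, Art. 18 TRA); the
transaction fields and issuer response format are constructed assumptions."""
from dataclasses import dataclass

# TRA exemption ceilings in EUR by the PSP's reference fraud rate (%), Art. 18.
TRA_LIMITS = [(0.01, 500), (0.06, 250), (0.13, 100)]

@dataclass
class Txn:
    amount_eur: float
    merchant_initiated: bool = False   # MIT (e.g. subscription rebill): out of scope
    one_leg_out: bool = False          # issuer or acquirer outside the EEA/UK
    spent_since_sca_eur: float = 0.0   # cumulative amount since last SCA (Art. 16(b))
    count_since_sca: int = 0           # consecutive txns since last SCA (Art. 16(c))

def sca_decision(t: Txn, fraud_rate_pct: float) -> str:
    """Return 'out_of_scope', 'exempt:low_value', 'exempt:tra' or 'challenge'."""
    if t.merchant_initiated or t.one_leg_out:
        return "out_of_scope"
    # Art. 16: amount <= EUR 30 and either counter still within limit
    # (the issuer tracks one of the two counters; both are accepted here)
    if t.amount_eur <= 30 and (t.spent_since_sca_eur <= 100 or t.count_since_sca <= 5):
        return "exempt:low_value"
    # Art. 18: ceiling depends on the PSP's fraud-rate bucket
    for max_rate, ceiling in TRA_LIMITS:
        if fraud_rate_pct <= max_rate and t.amount_eur <= ceiling:
            return "exempt:tra"
    return "challenge"

def authorize(t: Txn, fraud_rate_pct: float, issuer) -> dict:
    """Claim the exemption first; on an issuer soft decline, step up to a 3DS2
    challenge and resubmit. `issuer(txn, authenticated=...)` is an assumed
    callable returning {'approved': bool, 'sca_required': bool}."""
    decision = sca_decision(t, fraud_rate_pct)
    if decision == "challenge":
        return {"decision": decision, **issuer(t, authenticated=True)}
    first = issuer(t, authenticated=False)
    if first["approved"] or not first["sca_required"]:
        return {"decision": decision, **first}
    # Soft decline: issuer refused the exemption and asked for SCA; retry authenticated
    return {"decision": "soft_decline->challenge", **issuer(t, authenticated=True)}
```

The exemption is only a request: the issuer remains free to soft-decline, so the retry path is what keeps conversion up rather than the exemption logic itself.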
Operational Impact for PSPs
PSPs operating under PSD2 must hold appropriate licenses (PI or EMI) for payment initiation and account access activities. Operating outside licensed scope in an EEA market is a regulatory breach, not merely a commercial risk. License passporting allows a license obtained in one EEA state to cover activity across the EEA, though Brexit eliminated UK passporting.
Related terms
3DS2
3DS2 (EMV 3-D Secure 2, also called 3D Secure 2 or simply 3DS2) is the current v...
Open Banking
Open banking is a regulatory and technical framework that requires banks to shar...
Strong Customer Authentication (SCA)
Strong Customer Authentication (SCA) is a regulatory requirement under the EU's ...
Third-Party Provider (TPP)
A Third-Party Provider (TPP) is a regulated entity licensed under PSD2 to access...