
Protecting access to data has become a key goal for financial institutions. According to one study, reported credit card frauds rose by 44% to reach 393,207 in 2020 compared to the 2019 figure. Amid this rising uncertainty and financial fraud, all is not lost, as measures are being implemented to build more robustness into payment systems. Case in point: the European Union’s second Payment Services Directive (PSD2).


With PSD2, two main ideas come into play: (i) a strong customer authentication requirement for online transactions, implemented through multi-factor authentication (MFA), and (ii) recognizing and regulating third-party providers (TPPs) that access consumer bank accounts and data once the account holder has given the requisite consent. The customer authentication process uses a two-factor authentication (2FA) strategy that combines two independent elements: something the user already knows (a password or PIN) and a second element such as a one-time code generated for that transaction or the user’s fingerprint. This ensures a unique authentication for every transaction. A few exemptions apply, notably transactions below 30 euros and recurring (auto-debited) transactions.

Impact of PSD2 on Business and Payment Industries

Since PSD2 impacts all electronic transactions, two main services see a direct impact – Payment Initiation Services (PIS); and Account Information Services (AIS). When it comes to PIS, other providers enable online banking from a consumer’s account to a merchant’s account. Filling in the relevant information (transaction amount, from and to account numbers, dates, message, relevant updates/alerts etc.) is facilitated by the provider. Consumers need not visit their online bank to initiate these transactions.

AIS focuses on collecting and storing customer information in a single place for a global, holistic view. Consumers can thus get access to their aggregated information from multiple accounts in a single application, providing a much more well-rounded overview of their finances in real-time. 

Of course, another change that many customers are facing is having to go through an additional layer of authentication in the form of 2FA. Businesses can expect fewer frauds and more seamless transactions. Since these authentication steps apply only to specific transactions, customers can expect more robust, secure communication and payments. That means transacting with ease, comfort, and an additional layer of protection.

Who Does PSD2 Apply To?

PSD2 typically applies to transactions where the card issuer and the acquiring bank are based in the European Economic Area. Through this implementation, one-time transactions will become far more robust while low value and merchant-initiated transactions (recurring transactions) will not see any change. Cash payments will remain as-is. Transactions to trusted beneficiaries are also exempted. 

How Can One Ensure PSD2 Compliance?

For the authentication process to kick in and continue smoothly, banks have had to update the authentication elements, such as the relevant messages or additional tokens / one-time passwords, so that they are shared with customers on time. Exemptions should also be factored in so that transactions of lower value, to trusted beneficiaries, or associated with auto-debits can happen seamlessly. Storing consumer preference data is also crucial. Reviewing partnerships and ensuring the relevant entities are included will further help smoothen the process.
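The following is an added example, not code from the article or from AppSealing, showing one way a payment back end could encode the two pieces described above: the exemption rules the article names (cash, sub-30-euro, recurring merchant-initiated, trusted beneficiary) and a 2FA check that combines a knowledge factor (password) with a possession factor (a one-time code). The `Transaction` fields, the `authorize` function, and the sample user record are assumptions made for illustration; the one-time code is a standard RFC 4226/6238 HOTP/TOTP computation.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Low-value exemption threshold as stated in the article (transactions below 30 euros).
LOW_VALUE_LIMIT_EUR = 30.00
TOTP_STEP_SECONDS = 30


@dataclass
class Transaction:
    """Hypothetical transaction record; field names are assumptions for this example."""
    amount_eur: float
    recurring_merchant_initiated: bool = False  # auto-debit / merchant-initiated
    trusted_beneficiary: bool = False           # payee whitelisted by the customer
    cash: bool = False


def sca_required(tx: Transaction) -> bool:
    """Return True when strong customer authentication must run for this transaction.

    Encodes only the exemptions the article lists; a real implementation must
    apply the full conditions of the regulatory technical standards.
    """
    if tx.cash or tx.recurring_merchant_initiated or tx.trusted_beneficiary:
        return False
    if tx.amount_eur < LOW_VALUE_LIMIT_EUR:
        return False
    return True


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step)


def make_password_record(password: str, salt: bytes) -> bytes:
    """Derive the stored verifier for the knowledge factor (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def verify_knowledge_factor(password: str, salt: bytes, stored_hash: bytes) -> bool:
    candidate = make_password_record(password, salt)
    return hmac.compare_digest(candidate, stored_hash)


def verify_possession_factor(secret: bytes, unix_time: int, submitted: str, window: int = 1) -> bool:
    """Accept the code for the current step or one step either side to absorb clock drift."""
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * TOTP_STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def authorize(tx: Transaction, user: dict, password: str, code: str, unix_time: int) -> str:
    """Decide the outcome: exempt transactions skip SCA, others need both factors."""
    if not sca_required(tx):
        return "approved_exempt"
    if verify_knowledge_factor(password, user["salt"], user["pw_hash"]) and \
            verify_possession_factor(user["otp_secret"], unix_time, code):
        return "approved_sca"
    return "declined"


# Constructed sample user record; the OTP secret is the RFC 4226 test-vector key.
SAMPLE_SALT = b"constructed-salt"
SAMPLE_USER = {
    "salt": SAMPLE_SALT,
    "pw_hash": make_password_record("correct horse battery staple", SAMPLE_SALT),
    "otp_secret": b"12345678901234567890",
}

if __name__ == "__main__":
    small = Transaction(amount_eur=12.50)
    large = Transaction(amount_eur=120.00)
    print(authorize(small, SAMPLE_USER, "", "", 59))                                   # approved_exempt
    print(authorize(large, SAMPLE_USER, "correct horse battery staple", totp(SAMPLE_USER["otp_secret"], 59), 59))  # approved_sca
    print(authorize(large, SAMPLE_USER, "correct horse battery staple", "000000", 59))  # declined
```

The decision and the factor checks are deliberately separate: the exemption logic can be audited and changed independently of the authentication code, and both comparisons use `hmac.compare_digest` so that a wrong password or code takes the same time to reject as a nearly-right one.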

Implications of PSD2 on International Businesses

Though the implications are predominantly focused on the EU, the USA is not far behind. The US payments industry is already on its way to implementing strong authentication practices. One standard of particular interest is 3-D Secure version 2 (3DS2), which supports biometrics and one-time passwords (OTPs). Banks still have to implement the API, shared by all card networks, that recognizes 3DS2. Its earlier version, 3DS1, depended on merchants redirecting cardholders to the relevant bank’s site to collect information, which understandably led to dropouts. 3DS2, on the other hand, doesn’t require a sign-up process.

Businesses should ideally set up EU entities if a major chunk of their business comes from Europe. Expansion plans also need to consider PSD2 compliance, and a company headquartered elsewhere but with entities in the EU needs to be compliant too.

Gearing for PSD2

PSD2 enables companies to put a cap on fraud rates while also ensuring they gain customer trust. The focus should be on providing a smooth MFA strategy while keeping the relevant exemptions in mind. Systems have to be configured to avoid confusion and customer inconvenience. AppSealing’s app shielding helps financial institutions comply with regulations like PSD2 to ensure secure online transactions and protected data exchange. Companies with entities in the EU, or those wanting to expand into new geographies in the EU, can leverage the multiple benefits of AppSealing’s solution. Click here to get a quick, hassle-free demo.

Frequently Asked Questions

1. Are banks subject to PSD2?

PSD2 is an EU regulation that protects customers by governing third party access to customer accounts. PSD2 is applicable for banks, payment processors and fintech firms. Banks need to adopt security best practices to mitigate fraud risk and protect customer interests.

2. Does PSD2 apply to debit cards?

Yes, PSD2 applies to debit cards. It bans surcharges on payments with debit cards in both B2B and B2C settings.

3. Is PSD2 a legal requirement?

PSD2 is payment legislation in Europe, applicable everywhere within the EU. It is intended to modernize the payment market and regulate competition within the European payments industry.

4. Which countries does PSD2 apply to?

PSD2 is applicable to all areas within the EU where the card issuer and the bank operate within the European Economic Area. Irrespective of the location of the merchant and customer, European Financial Organizations can abide by the rules of PSD2. All merchants in the EEA need to follow PSD2 compliance.

5. What is the difference between open banking and PSD2?

PSD2 is applicable to all payment account providers within the European Union whereas Open Banking is mandatory for all large banks in the UK and applies only to current accounts.

Govindraj Basatwar, Global Business Head
A Techno-Commercial evangelist who creates, develops, and executes a clear vision for teams. Successfully created a SaaS business model with multi-million-dollar revenues globally. Proven leadership track record of establishing foreign companies in India with market-entry strategy, business plan, sales, and business development activities.