
What Is PSD2? Definition and How It Works

Definition

PSD2 (Payment Services Directive 2) is the European Union directive that revised the regulatory framework for payment services across the EEA, introducing Strong Customer Authentication requirements for electronic payments and open banking obligations for account-holding institutions.

How it works

PSD2 replaced PSD1 and came into effect across EEA member states from January 2018, with SCA enforcement phased in through 2019-2021. The directive was transposed into national law by each EEA member state, creating some variation in implementation details, but the core requirements are uniform across the EEA.

The two main operational impacts for payment companies and merchants are SCA and open banking. SCA mandates strong two-factor authentication for customer-initiated electronic payments, implemented in practice through 3DS 2.x for card payments. Open banking obligations require account-holding institutions (banks) to provide third-party providers (TPPs) with API access to customer account data (with consent) and the ability to initiate payments from those accounts.

Open banking under PSD2 created two new licenced entity types: Account Information Service Providers (AISPs), which access account data with customer consent, and Payment Initiation Service Providers (PISPs), which initiate payments directly from customer bank accounts. PISPs bypass card networks entirely, enabling account-to-account payment flows that carry no interchange.

PSD2 also introduced requirements around payment authorisation limits, refund rights, liability allocation in fraud cases, and transparency in fees. For merchants, SCA and open banking are the two provisions with the most direct operational impact.

Why it matters

SCA non-compliance has hard consequences: issuers must decline transactions that require SCA under PSD2 but have not been authenticated. Non-compliance is not a fine risk; it is a transaction decline risk that directly hits approval rates.

Open banking creates a card-alternative payment channel: PISPs under PSD2 can initiate account-to-account payments directly, bypassing card networks. For merchants, open banking payments carry lower transaction costs than card payments (no interchange) and instant settlement in markets with faster payment infrastructure.

PSD2 geographic scope is EEA-only: PSD2 applies to payment service providers operating in the EEA. UK merchants and PSPs operate under UK PSD2 (a retained version post-Brexit) rather than EU PSD2 directly, though requirements are substantially aligned. Non-EEA transactions follow one-leg-out rules.

PSD3 is in development: the European Commission has proposed PSD3, which will update and consolidate payment services regulation. Merchants should monitor PSD3 progress and prepare for SCA and open banking requirement updates when the new directive is adopted and transposed.

With PXP

PXP operates as a licenced Payment Institution under PSD2, covering both acquiring services and payment initiation capabilities. PXP's 3DS integration handles SCA compliance for card payment flows, and PXP supports open banking payment initiation for merchants seeking lower-cost account-to-account alternatives to card acceptance.


Frequently asked questions

What is the difference between PSD2 and SCA?

PSD2 is the EU directive that created the regulatory framework for payment services across the EEA. SCA (Strong Customer Authentication) is one specific requirement within PSD2, mandating two-factor authentication for qualifying electronic payments. PSD2 also covers open banking, liability rules, and service provider licensing. SCA is the requirement that most directly affects payment checkout flows.

Does PSD2 apply to non-European merchants?

PSD2 applies to payment service providers operating in the EEA. For a non-EEA merchant selling to EEA customers: if the merchant's acquirer is inside the EEA, PSD2 SCA requirements apply (two-legs-in). If the acquirer is outside the EEA, the transaction is one-leg-out and SCA is not mandated under PSD2, though issuers may still request authentication. Merchants that route EEA transactions through non-EEA acquirers in order to avoid SCA risk running into scheme compliance issues.

What is the relationship between PSD2 and open banking?

PSD2 is the regulatory basis for open banking in Europe. It mandates that banks (account-holding institutions) provide API access to licenced third-party providers, enabling AISPs to access account data and PISPs to initiate payments. This infrastructure created the European open banking ecosystem. Without PSD2's mandatory access requirement, banks had no obligation to enable third-party access to account data.

What changes are expected under PSD3?

PSD3 is expected to strengthen SCA requirements, expand open banking functionality, improve liability rules for fraud, and address gaps that emerged during PSD2 implementation. The Commission published draft proposals in 2023; formal adoption and member state transposition typically take 2-3 years. Merchants and PSPs should monitor the legislative timeline and assess operational implications as the text is finalised.