PSD2 Compliance

PSD2 (Payment Services Directive) is a revised EU regulation that has transformed online payment security and data access.

Its chief aim was to create a more efficient and integrated payments market and give consumers greater control over their data. By promoting competition and innovation in the FinTech industry, PSD2 ensures a safer and more dynamic digital economy.

While PSD2 is a European directive, it affects companies globally. With data governance and security at the center of PSD2, companies like Cyera are key to helping organizations comply and build trust among their consumers.

What is PSD2 and Why Was It Introduced?

PSD1 was introduced back in 2007 to harmonize EU payment services and make cross-border transactions more efficient. However, the payments sector rapidly digitalized and PSD1 was no longer sufficient to keep up with the changes.

PSD2, introduced in 2016 and enforced by January 2018, modernized these rules to align with the digital era.

The key goals of PSD2 are to:

  • Give consumers more control over their personal financial data and stronger protections against unauthorized transactions and banking fees.
  • Heighten data security through Strong Customer Authentication (SCA).
  • Enable open banking practices with third-party services.
  • Promote innovation and competition by allowing third-party providers to access banking infrastructure.
  • Standardize payment regulations across the EU, making cross-border payments simple and efficient.

Although PSD2 is an EU regulation, it has had a global ripple effect. Any company that processes payments with EU members or handles EU financial data must comply.

The Core Requirements of PSD2 Compliance

PSD2 incorporates several mandatory requirements for any payment service providers operating within the EU.

Strong Customer Authentication

SCA requires payment gateways to ask their users to verify their identity using at least two independent factors, often called two-factor or multi-factor authentication.

Providers must request at least two of the following:

  • Something the user knows, like a password or 3D Secure 2 protocols
  • Something they have, like a phone with SMS verification
  • Something they are, like biometric data such as fingerprints or facial recognition

Open banking and Third-Party Access (TPPs)

Banks are mandated to open their APIs to allow licensed third-party providers to access their financial infrastructure (with consent).

For example, account information service providers (AISPs) can use the APIs to access account details, and payment initiation service providers (PISPs) can initiate payments on a user’s behalf.

This enables services like payment initiation and account aggregation by FinTech companies.

Data transparency and fee clarity

All financial services and products must now present transparent information surrounding transaction fees and currency conversion rates.

Surcharges are now banned for things like ticketing, delivery services, and travel, as well as EU consumer credit and debit cards.

Additionally, user agreements must be clear and easy for consumers to understand.

Complaint Handling and Consumer Rights

Businesses are now required to resolve issues in a timely, regulated way. There must be transparent procedures for handling complaints with accessible dispute resolution options available.

Companies must maintain detailed compliance records to demonstrate adherence.

Who Must Be PSD2 Compliant?

Many global businesses mistakenly assume that PSD2 only applies to countries located within the European Economic Area (EEA). However, this is not the case.

Essentially, PSD2 encompasses all of the following:

  • Companies processing payments within the EU.
  • Global businesses with EU-based users or operations.
  • Fintechs, payment providers, online marketplaces, and e-commerce platforms.
  • Even US-based companies need to comply if they handle EU consumer data.

For instance, a US e-commerce company selling products to the German market must implement PSD2 compliance for those transactions.

How PSD2 Impacts Businesses

PSD2 can impact the day-to-day operations of a business in several ways:

  • Security Upgrades: Businesses must implement SCA to protect customer login and transaction data. This typically requires updated software and procedures.
  • Infrastructure Investments: Companies must build APIs or upgrade existing ones as well as set up secure gateways. They must also set up systems to track and report compliance in real time.
  • Customer Experience Changes: Additional authentication steps can cause friction for customers, so checkout pages may have to be adjusted to ensure a good customer experience.
  • Strategic Shifts: Traditional banks must adapt to a more open ecosystem and may need to collaborate with or compete against FinTechs.

Although these changes can be seen as inconvenient by a business, the results are already making a significant difference.

While the US continues to experience the highest levels of fraud-related losses, the EU (through the implementation of PSD2) has reduced theirs by 40% to 60%.

Common Challenges in Achieving Compliance

When implementing PSD2 compliance, financial companies can face significant hurdles that span across technical, regulatory, and operational areas.

The most challenging issues surround:

  • Legacy systems that don’t integrate well with modern APIs.
  • Balancing user experience with the security enhancements, which can impact conversion rates.
  • The right way to educate consumers about the new authentication procedures.
  • Monitoring third-party provider (TPP) risk, performing due diligence, and ensuring correct data handling.
  • Rising compliance costs, particularly for smaller or mid-size organizations.

Best Practices for Staying Compliant

If you’re not yet PSD2 compliant, here’s a checklist of what you need to do:

  • Adopt contextual and behavioral authentication tools for SCA.
  • Incorporate behavioral biometrics to reduce friction for customers without compromising security.
  • Provide API gateways for third-party providers that can adjust security measures in real time and that use zero-trust architecture.
  • Tokenize or anonymize sensitive customer data to minimize exposure.
  • Set up continuous monitoring systems for risk management and analysis. For instance, Cyera provides complete visibility into data classification and automatically flags any risks.
  • Clearly disclose all transaction fees, conversion rates, and user terms to consumers.
  • Regularly audit third-party partners and integrations.
  • Register with relevant regulatory authorities and keep up to date with evolving PSD2 requirements.
  • Educate users through UX-focused onboarding.
  • Train staff on PSD2 obligations.

Preparing for PSD3 and Future Payment Regulations

PSD2 is certainly not the final iteration of this regulatory framework. PSD3 and new Payments Services Regulations are just around the corner, and you must be prepared.

To ready yourself for these changes, an agile compliance framework is essential.

This is where Cyera can step in and become your long-term partner in addressing these evolving requirements. Thanks to its adaptive technology, Cyera future-proofs your business by providing flexible frameworks, real-time data governance, and automation that scales in line with your requirements.

Using a system like Cyera shifts your organization from reactive compliance to proactive resilience that can quickly adapt to changing regulatory landscapes.

Global Implications: PSD2 Outside the EU

We can’t emphasize this point enough: Even if your organization is not geographically based within the EEA, you must still comply with PSD2 if you do business with consumers in this part of the world.

EU citizens shop globally, and if your site or app serves them, you must comply.

Besides doing your customers a disservice, the implications of non-compliance can be severe. You risk fines, payment disruption, and, eventually, reputational damage as an untrustworthy business.

Aligning your business with global best practices is the best way to get ahead of the competition and protect yourself from the repercussions of regulatory non-compliance.

How Cyera Supports PSD2 Compliance

To give your organization the best head start, it’s critical to invest in modern technology that can handle and keep up with the frequent changes surrounding PSD2.

Cyera is your ally in making this happen. Its innovative technology can:

  • Classify, monitor, and govern sensitive financial data in real time across cloud, on-premises, and hybrid environments.
  • Continuously monitor third-party data access and API flows.
  • Automate compliance checks and send alerts for potential violations before they escalate.
  • Provide agile controls for changing regulatory environments.
  • Educate stakeholders with accessible dashboards and deep analytical insights.

Ultimately, Cyera helps you build an adaptable, long-term strategy for compliance and innovation, no matter what changes elsewhere in the world.

Make PSD2 Compliance a Strategic Advantage

Try to view PSD2 compliance as less of a regulatory burden and more of an opportunity to modernize systems and increase trust and loyalty among your consumers.

With the right partner, you can easily navigate changing regulations and future-proof your business for the long term.

We invite you to explore Cyera’s solutions for financial services and compliance readiness.

Get in touch with us to schedule a demo and run a free data access risk assessment.