The Payment Services Directive 2 (PSD2) is a piece of legislation enacted by the European Union (EU) that has transformed the way businesses and consumers manage payments across borders. It is a significant deliverable of the European Commission’s vision of a Digital Single Market, aiming to create safer, cost-effective, and more innovative payment services across the EU.

PSD2, or the second Payment Service Directive, fundamentally dismantles the monopoly traditional banks have had on user data. It does this by facilitating bank customers, including both business entities and individual consumers, to utilize the services of third-party providers for managing their financial affairs. This groundbreaking regulation provides a robust legal framework to govern the operations of these third-party providers. Under this structure, third-party providers are permitted to access users’ financial data directly from the banks, provided the corresponding user has given explicit consent for this access.


The significance of PSD2 goes beyond just giving users more control over their data. It also lays the groundwork for the emergence and proliferation of new and innovative payment and account services. It’s through these advancements in financial technology that the directive aims to facilitate a significant increase in consumer protection within the rapidly evolving digital payments landscape.

Overall, PSD2 seeks to democratize financial data, promote competition and innovation in the financial technology industry, and bolster consumer rights and protections in the digital sphere.

In this article, we’ll explore PSD2 in greater depth, namely its key elements, compliance requirements, how it compares and contrasts with PCI DSS, and more.

The Origin of PSD2

PSD2 is an upgrade to the original Payment Services Directive (PSD) that was enacted in 2007. The initial directive established a set of rules and regulations to make cross-border payments as easy, efficient, and secure as ‘national’ payments within an EU country. However, with the ever-evolving nature of digital payments and the emergence of new payment service providers (PSPs), an update was deemed necessary, leading to the introduction of PSD2 in January 2018.

PSD2, since its inception, has undergone various iterations to meet the changing landscape of digital payments. A key milestone was the adoption of the Regulatory Technical Standards (RTS) in 2019, which outlined specific requirements for strong customer authentication (SCA) and secure communication. The directive continues to evolve to keep pace with advancements in technology, the rise of fintech companies, and changes in customer behavior.

PSD2 vs. PCI DSS: Similarities and Differences

Payment Services Directive 2 (PSD2) and Payment Card Industry Data Security Standard (PCI DSS) are two significant regulatory standards within the financial services industry. PSD2, introduced by the European Union, is a directive aimed at increasing pan-European competition and participation in the payment industry, including non-banks, and creating a level playing field by harmonizing consumer protection and the rights and obligations for payment providers and users. Conversely, PCI DSS is a proprietary information security standard administered by the Payment Card Industry Security Standards Council, designed to reduce credit card fraud through increased controls around cardholder data.

Both PSD2 and PCI DSS focus on the protection of sensitive payment information. PSD2 achieves this by introducing strict security requirements for the initiation of electronic payments and protection of financial data, thereby helping reduce the risk of fraud for electronic transactions and enhancing the protection of consumer data. Similarly, PCI DSS requirements are in place to ensure all companies that process, store, or transmit credit card information maintain a secure environment, thus providing robust security for cardholder data.

Yet, despite these shared goals, there are key differences between the two regulations. PSD2 mandates banks to open their payments infrastructure and customer data to third parties, which provides new business opportunities and increased competition. Conversely, PCI DSS does not require data sharing and focuses solely on securing cardholder data to prevent fraud and data breaches.

In terms of regulatory compliance, businesses that handle payments transactions, regardless of their nature or volume, must comply with PCI DSS. This includes merchants, financial institutions, point-of-sale vendors, and hardware and software developers involved in processing payments. On the other hand, PSD2 applies specifically to payment service providers operating within the European Economic Area, including banks, building societies, e-money institutions, and any third-party service providers, such as account information service providers and payment initiation providers.

It’s worth noting that PCI DSS complements PSD2 in many ways. While PSD2 encourages competition and innovation in the payments market, PCI DSS ensures these new payment services maintain the highest level of security to protect cardholder data. Thus, companies using these payment services can gain a competitive edge, as consumers are more likely to trust and use services that prioritize their data’s security.

Ultimately, both PSD2 and PCI DSS play pivotal roles in the financial industry by promoting a secure and innovative payment landscape. Although they have different scopes and apply to different entities, their ultimate goal is consumer protection. By adhering to these standards, businesses not only comply with legal requirements but also earn customer trust, which is essential for the sustainability and growth of their operations.

The Structure of PSD2

The Revised Payment Service Directive (PSD2) is a significant legislative piece that contains certain crucial elements, all of which are designed to forge an open and more competitive market landscape for payment services. This includes the introduction of innovative types of payment service providers, the imposition of mandatory strong customer authentication (SCA), enhanced safeguards for consumer rights, and the directive that banks are obligated to provide third-party providers with access to the customer’s account information.

Elaborating on these aspects, the introduction of two new types of payment service providers, namely Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs), has significantly opened up the market, encouraging healthy competition. PISPs are entities that facilitate online payments directly from the user’s bank account, thereby eliminating the need for traditional payment gateways. This grants customers more autonomy and increases the speed and efficiency of online transactions.

On the other hand, AISPs provide services such as account aggregation, which allows customers to gain a holistic and comprehensive view of their financial status across multiple accounts. Such a service empowers consumers to better manage and monitor their financial activities, leading to improved financial health and awareness.

To maintain high security standards, however, all these new services are underpinned by the strong customer authentication (SCA) principle. SCA requires the use of two or more independent sources of validation, such as something the customer knows (a password or PIN), something the customer has (a card or mobile device), or something the customer is (biometrics, such as fingerprints or voice recognition). Because the factors must be independent, two factors from the same category (for example, a password and a PIN) do not satisfy the requirement. This principle ensures that a high level of security is met while conducting online transactions, thereby protecting consumers from potential fraud and cyber threats.

What PSD2 Means for Businesses

The emergence of PSD2 brings with it a plethora of opportunities for businesses, particularly for companies operating within the fintech sector. This new directive aims to encourage innovation and healthy competition against traditional banking establishments.

PSD2’s primary advantage lies in its provision for businesses to have access to customer account data. Businesses can harness this access to develop and launch new financial products and services that are designed with a strong customer focus. This innovative potential goes beyond mere product design to include simplification of payment procedures and the lowering of transaction costs, both of which can enhance customer experience and satisfaction.

Alongside the benefits of innovation and competition, PSD2 also mandates that businesses put stringent security measures in place. This will inevitably lead to an increase in customer trust, as businesses demonstrate their commitment to secure transactions and customer data protection.

An integral part of these security measures is the need for strong customer authentication. This is expected to substantially reduce instances of fraud, providing another boost to customer confidence. As businesses begin to experience lower rates of fraud and its associated costs, they are also likely to see an increase in customer loyalty and retention. Consumers who feel their data and transactions are secure are more likely to stick to those businesses, thus supporting long-term business growth and sustainability.

In summary, through PSD2, businesses, especially fintech companies, now have the chance to emerge as strong competitors in a domain earlier dominated by traditional banks. They can achieve this by using the customer account access granted by PSD2 to curate personalized financial offerings and streamline payment processes. The enhanced security measures enforced by the directive not only benefit the customers but also the businesses in terms of gaining customer trust, reducing fraud, and bolstering customer retention.

What PSD2 Means for Consumers

PSD2 provides consumers with significant advantages in terms of convenience and personal financial management. The freedoms granted by this regulatory change allow consumers to explore a broader variety of payment services beyond what their own banks can offer. This essentially gives consumers greater control over their personal financial data and how it’s managed.

Additionally, this revolutionary directive fosters a competitive environment amongst various payment services providers. As a result, consumers may potentially benefit from lower costs for these services, as companies will strive to provide more affordable and attractive options in an effort to stand out and take the lead in the market.

Despite its multiple advantages, PSD2 also brings about certain concerns, particularly regarding the privacy and security of data. This directive does indeed impose strict security regulations, in an attempt to protect consumers’ sensitive financial information during its transfer and storage. However, the act of sharing such confidential data with third-party service providers inherently carries some risk.

As a result, it is of utmost importance for consumers to fully comprehend the implications of consenting to such data sharing. They need to be aware of who they are sharing their data with, how it will be used, and what measures are in place to protect it in order to make informed decisions about their personal financial data.

Compliance Requirements and Risks

PSD2 compliance requirements are vast and reflect changes in the financial services sector prompted by technological innovation.

Under this European Union directive, businesses are required to fulfill several obligations to comply with the rules laid out in the framework. Firstly, companies must obtain the necessary licenses that permit them to operate within the framework of PSD2. These licenses ensure that they adhere to all stipulations of the directive, giving their services legitimacy under European law. This process might involve rigorous checks and assessments to ascertain that businesses can provide services that align with the stipulated standards.

Next, businesses must implement strong customer authentication methods as a significant aspect of PSD2 compliance. This means that the process of validating customer identities must be bolstered. It’s an essential requirement to help prevent fraud and instill trust in the digital financial ecosystem. Businesses must employ multi-factor authentication, including elements like PINs, tokens, mobile apps, and biometric data, to confirm a user’s identity.
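The SCA requirement described here, and in the earlier section on the structure of PSD2, is that a customer be validated with two or more factors from independent categories (knowledge, possession, inherence). The following Python is an added illustration, not code from the original article or from Kiteworks; the method names and their category mapping are constructed assumptions, and it checks only the category-independence rule, not the full Regulatory Technical Standards.

```python
from enum import Enum


class Factor(Enum):
    """The three SCA factor categories named in the directive."""
    KNOWLEDGE = "knowledge"    # something the customer knows (password, PIN)
    POSSESSION = "possession"  # something the customer has (card, mobile device)
    INHERENCE = "inherence"    # something the customer is (fingerprint, voice)


# Constructed mapping of authentication methods to SCA categories (assumption).
# A real deployment would derive this from its own authentication catalogue.
METHOD_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "card": Factor.POSSESSION,
    "mobile_app": Factor.POSSESSION,
    "otp_token": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "voice": Factor.INHERENCE,
}


def sca_categories(methods):
    """Map each verified method to its category; unknown methods fail closed."""
    categories = set()
    for method in methods:
        if method not in METHOD_CATEGORY:
            raise ValueError(f"unclassified authentication method: {method!r}")
        categories.add(METHOD_CATEGORY[method])
    return categories


def satisfies_sca(methods):
    """True only when at least two *distinct* categories were verified.

    Two factors from the same category (e.g. password + PIN) count as one,
    which is the independence rule that makes SCA more than 'two prompts'.
    """
    return len(sca_categories(methods)) >= 2


def sca_decision(methods):
    """Return (allowed, reason) so the decision can be logged for audit."""
    categories = sorted(c.value for c in sca_categories(methods))
    if len(categories) >= 2:
        return True, f"SCA satisfied with categories {categories}"
    return False, f"SCA not satisfied: only {categories} verified"


if __name__ == "__main__":
    for attempt in (["password", "fingerprint"], ["password", "pin"], ["card"]):
        print(attempt, sca_decision(attempt))
```

Rejecting unknown methods rather than ignoring them is deliberate: a method that slipped through without a category should block the transaction, not silently count toward the threshold.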

Moreover, ensuring the security of communication channels between all parties, including customers, banks, and third-party providers, is essential. The directive stipulates that these channels must be encrypted and follow high standards of data security to prevent breaches.

In addition, compliance with PSD2 requires companies to respect stringent data privacy rules and regulations. Personal data of customers must be safeguarded vigilantly. It includes stringent measures like gaining explicit customer consent before sharing data and adopting measures to anonymize data where necessary.

Failure to adhere to these compliance requirements could lead to severe consequences. Non-compliance might result in substantial financial penalties – potentially running into millions of Euros – which could significantly impact the business’s financial health. Further, there may be legal repercussions including, but not limited to, lawsuits and heavy fines imposed by regulatory bodies.

Furthermore, non-compliance could lead to damage to the company’s reputation, particularly considering the digital age’s spotlight on data privacy and security. A tarnished reputation may discourage customers and potential business partners, leading to a decline in the company’s market value.

PSD2 Implementation and Adaptation Challenges

The introduction of PSD2 brings a plethora of opportunities and benefits; however, it is also accompanied by several significant challenges. The foremost obstacle encountered by companies centers around the technical implementation of PSD2, which can be complex and require expert knowledge.

In order to comply with the directive, changes must be made on both infrastructure and system levels, increasing the technical complexity. These changes involve the establishment of secure communication channels and the implementation of strong customer authentication mechanisms to ensure consumer data is robustly protected. This can potentially place a financial burden on smaller businesses and start-ups due to the significant investments that may be required to be in compliance. This could result in financial strain and increased operational costs, impacting these companies’ abilities to compete.

Furthermore, another considerable challenge that PSD2 introduces is a heightened risk of cybercrime. As banks are required to open their systems to third-party providers in order to share customer data, the attack surface, and with it the risk of cyberattacks, potentially increases. This necessitates further investment in cybersecurity measures and infrastructure.

This added complexity directly increases the financial burden on businesses, who now must invest more heavily in cybersecurity strategies to protect sensitive customer data. The responsibility lies heavily on businesses to ensure that their systems have the capacity and resiliency to weather potential cyber threats and attacks in this new open banking era.

The Future of PSD2 and its Adequacy

With the rapid development of technology, PSD2 will need to evolve in order to remain relevant. The rise of cryptocurrencies, digital wallets, and blockchain technology pose new challenges and opportunities for the directive, requiring adaptation and updates to legislation. It’s imperative for regulators and businesses to keep up with the pace of technological advancements and ensure the directive continues to meet its objectives.

One of the key areas where PSD2 will need to focus is on data privacy. With increasing concerns about the misuse of consumer data, the directive must reinforce its data protection measures. Enhanced data encryption, stricter consent mechanisms, and better data anonymization techniques could be potential areas of focus for future iterations of PSD2. In fact, PSD2’s success in the long term will depend on its ability to balance the promotion of innovation with the assurance of security and privacy.

Kiteworks Helps Organizations Operating in the EU Comply With PSD2

PSD2 has indeed revolutionized the payment services landscape within the European Union. By breaking down banks’ monopoly on user data, it has fostered competition and innovation in the payments market. Businesses, particularly fintech companies, have the opportunity to leverage customer data to create more personalized and customer-centric financial products. Meanwhile, consumers benefit from increased control over their financial data, along with a wider range of payment services to choose from.

However, the directive also presents challenges, particularly in terms of technical implementation and cybersecurity.

Moreover, with the rapid pace of technological advancements, it is essential for PSD2 to continually evolve in order to remain effective and relevant. This includes addressing emerging challenges posed by technologies like cryptocurrencies and blockchain, as well as prioritizing data privacy. Despite these challenges, it is clear that PSD2 is a significant step forward in creating a safer, more efficient, and innovative payments landscape in the EU.

The Kiteworks Private Content Network, a FIPS 140-2 Level validated secure file sharing and file transfer platform, consolidates email, file sharing, web forms, SFTP and managed file transfer, so organizations control, protect, and track every file as it enters and exits the organization.

Kiteworks allows organizations to control who can access sensitive information, with whom they can share it, and how third parties can interact with (and for how long) the sensitive content they receive. Together, these advanced DRM capabilities mitigate the risk of unauthorized access and data breaches.

These access controls, as well as Kiteworks’ enterprise-grade secure transmission encryption features, also enable organizations to comply with strict data sovereignty requirements.

Kiteworks deployment options include on-premises, hosted, private, hybrid, and FedRAMP virtual private cloud. With Kiteworks: control access to sensitive content; protect it when it’s shared externally using automated end-to-end encryption, multi-factor authentication, and security infrastructure integrations; see, track, and report all file activity, namely who sends what to whom, when, and how. Finally, demonstrate compliance with regulations and standards like GDPR, ANSSI, HIPAA, CMMC, Cyber Essentials Plus, IRAP, DPA, and many more.

To learn more about Kiteworks, schedule a custom demo today.

