In November 2015, the European Union (EU) passed the Revised Payment Services Directive (PSD2) to replace the original PSD and further regulate payments throughout the EU and the larger European Economic Area (EEA).
The EU originally enacted the PSD to promote competition in the banking sector and standardize the obligations placed on payment service providers (PSPS) across the proverbial playing field. While the PSD2 still upholds the mission of the PSD, it also includes increased regulations that offer consumer protections and further secure electronic payments.
This PSD2 guide will analyze the compliance requirements of the directive, discuss how the EU revised the policies of the PSD, and define essential regulations and terms used throughout the law.
Learn how UpGuard helps financial institutions monitor their attack surfaces>
What is the Payment Services Directive 2 (PSD2)?
PSD2 is a part of the Payment Card Industry Data Security Standard (PCI DSS), and the directive primarily affects consumers, brokers, and banks. The PSD 2 includes regulations for protecting online payments, securing digital payment transactions, enhancing customer data security, and implementing strong customer authentication (SCA).
Is PSD2 Compliance Mandatory?
Yes, all banks, financial institutions, and other entities that deal with personal financial data or provide financial services in the EU must comply with the regulatory provisions of PSD2. All countries in the EU have adopted the PSD2.
When Did the PSD2 Go Into Effect?
While the PSD2 was passed initially near the end of 2015, its enactment and effective date were delayed by several postponements. The revised directive officially became effective across the EU on December 31, 2020.
The following is a complete timeline of important PSD and PSD2 events:
- 2007: The EU passed the PSD to unify the payment market throughout the European Union.
- 2013: The EU begins generating the foundation of PSD2 after the European Commission concludes that technological advancements have made portions of PSD obsolete.
- January 2016: Various EU member countries vote to pass PSD2. The EU agrees to enact the regulation in 2018.
- June 2017: The EU introduces a new, open API requirement. The API permits third-party access under the regulatory technical standards (RTS) set by the PSD2.
- November 2018: PSD2 expands to include strong customer authentication (SCA), improve the security of consumer bank accounts, and prevent digital payment fraud.
- January 2018: All remaining member states pass the PSD2. EU agrees on a timeline to implement the directive.
- December 31, 2020: The European Banking Authority (EBA) officially makes the PSD2 regulation live after multiple delays, and the directive becomes effective in all member countries throughout Europe.
What are the Compliance Requirements of PSD2?
The PSD2 sets forth security requirements that protect the open banking ecosystem and prevent cyber attacks and information security threats from occurring.
Overall, the PSD2 includes five main compliance requirements:
- Open API
- Strong Customer Authentication (SCA)
- Customer transparency
- Rapid complaint resolution
- Surcharge bans
Third-Party Access Through Open API
The main technological requirement of the PSD2 requires banks and other financial service providers to implement and maintain an application programming interface (API) that allows account information service providers (AISPs) to access customer information (when the consumer grants access).
SCA and Multi-Factor Authentication
Another core requirement of the PSD2 is strong customer authentication or SCA. The directive obligates all payment processors and digital banking providers to utilize multi-factor authentication for user login. To comply with this requirement, financial institutions can permit payment service users to use a combination of PINs, biometrics, and message verification techniques to access their payment accounts.
Improved Customer Transparency
The PSD2 looks to improve customer transparency across the board. However, its main areas include institutional terms and conditions and currency conversion rates used in digital third-party payment systems (TPPS) throughout the payments industry.
Each of these two categories of information needs to be explicitly expressed to the consumer and easily accessible.
Rapid Complaint Resolution
The PSD2 also obligates payment providers and payment initiation service providers to resolve consumer complaints promptly. The directive also includes explicit procedures and mandates for criticism and solution reporting.
Surcharge Ban Instances
Under PSD2, businesses are prohibited from implementing surcharges (additional charges added to a transaction on top of standard pricing) for ticketing, food, travel, and delivery purposes.
The PSD2 surcharge ban applies to e-commerce issuers using surcharges in all consumer contexts, including personal and corporate.
The Cybersecurity Challenges of PSD2
Overall, the requirements of PSD2 pose significant cybersecurity challenges, especially to new institutions operating without robust cybersecurity risk management programs.
The main cybersecurity challenges financial organizations will face while becoming PSD2 compliant is continuing to defend their attack surface and protecting consumer personal data after implementing an open API. While most cyber-conscious organizations will have protocols to manage their web channels, identifying API vulnerabilities and mitigating API security risks will require additional security measures, mainly when an institution utilizes multiple third-party vendors to offer API access to its consumers.
Financial institutions relying on more third-party service providers or vendors must develop strong third-party risk management (TPRM) procedures. The most effective TPRM programs include strategies that help organizations identify, assess, mitigate, and treat risks across their entire supply chain.
Cybersecurity tools like UpGuard Vendor Risk can help organizations manage the security challenges of PSD2 compliance.
UpGuard Vendor Risk can improve an organization’s vendor lifecycle by allowing the organization to:
- Decrease the time and energy it spends creating, sending, and reviewing vendor questionnaires
- Monitor all vendors and their risks in one intuitive dashboard
- Conduct robust risk assessments
- Calculate the impact of remediated risks
- Understand what risk factors are impacting a vendor’s security posture
- Assess vendor risks and request remediation in a single workflow
PSD2 Exemptions
The PSD2 recognizes payment exemption options for a variety of transaction types. These exemptions allow merchants and other payment processors to initiate payments and complete some transactions without meeting the Strong Customer Authentication requirements of the PSD2.
Examples of exemptions recognized by the PSD2 include:
- Transaction risk analysis (TRA),
- Low transaction value,
- Safelisted merchants,
- Subscription, and
- Secure corporate payment exemptions
The most common exemption type recognized by the PSD2 is a Transaction Risk Analysis (TRA) exemption. TRA exemptions enable merchants processing low-risk transactions to do so without the requirement of additional verification methods.
Penalties For Non-Compliance
Given that PSD2 compliance is mandatory for all applicable entities operating a business within the EU, penalties for non-compliance can be severe. Institutions that fail to meet the requirements of PSD2 can be charged with financial penalties of up to 4% of their annual returns.
How Can UpGuard Help Businesses Comply with PSD2?
UpGuard can help financial institutions and their security teams manage their attack surface, mitigate third-party risk, achieve regulatory compliance, prevent data leaks, and install continuous monitoring across their supply chain.
The standards set by PSD2 impact all areas of a financial institution’s operation, including its Third-Party Risk Management programs and Cyber Vendor Risk Management strategies.
UpGuard BreachSight and UpGuard Vendor Risk empower organizations with a powerful cybersecurity toolbox that includes access to:
- Up-to-date vendor security ratings,
- Comprehensive Vendor risk profiles,
- Real-time security updates,
- Customizable risk assessments,
- Flexible security questionnaires,
- Intuitive remediation workflows, and
- Custom report templates