What does the new Directive on Payment Services (PSD2) Mean for PSPs?

On October 8th, the European Parliament adopted the revised Directive on Payment Services, also known as PSD2. This new directive, which is the long awaited successor of the first Payment Services Directive from 2007, aims to harmonize the European retail payments market, which is very much fragmented along national borders, and foster the adoption of innovative, easy-to-use and secure payment schemes.

Industry Briefing - Strong Authentication of Internet Payments in Europe - the new PSD2PSD2 is the latest development in a series of European regulatory initiatives aimed at securing Internet payments. These initiatives intend to combat Card-Not-Present (CNP) fraud and increase the confidence of European citizens regarding e-commerce, e-banking and other online activities.

Contrary to the EBA guidelines, national regulatory authorities cannot opt out from PSD2, as it will be translated into national law by the EU Member States. This means also countries such as the UK, who opted out from the EBA guidelines, will be subject to PSD2 and its requirements regarding strong customer authentication.

PSD2 uses the same definition of “strong customer authentication” as the EBA guidelines, which is based on the traditional concept of two-factor authentication.  But PSD2 goes a step further for “electronic remote payment transactions”, which includes all transactions over the Internet. For such transactions, Payment Service Providers must apply strong customer authentication that includes “elements which dynamically link the transaction to a specific amount and a specific payee”.

Although strong payment authentication is already common practice in online banking services in many European countries, it may present a significant step for e-commerce services and may impact the check-out processes of e-commerce merchants. Hence e-commerce merchants will need to find secure but also convenient authentication mechanisms.

For more information around the authentication requirements of PSD2 and what it means for Payment Service Providers, download our latest Industry Briefing – Security of Internet Payments: Strong Authentication and P2D2.

Industry Briefing - Strong Authentication of Internet Payments in Europe - the new PSD2

  • 4

4 Responses to What does the new Directive on Payment Services (PSD2) Mean for PSPs?
  1. Dear Frederik, thanks for the overview.
    Concerning your definition of “strong payment authentication” I think one requirement is missing, namely the secure re-visualisation of the payment data (amount+payee). Without re-visualisation a Man-in-the-Middle attack is possible – and avoiding MitM is exactly the reason why linking authentication with payment data is required.
    Example: The German Postbank BestSign USB-sticks have a display
    Without the display they would not be secure against MitM even though their signature is linked with the payment data.
    So I think, “secure visualisation of the payment data” should be another requirement for a “strong” authentication.
    What do you think? Cheers, Bernd Borchert

  2. Hi Bernd, the definition of strong payment authentication comes from PSD2. It does not require visualisation of payment data on a secure device.

    Of course from a security point of view it is better to use devices with secure display functionality in order avoid social engineering attacks.

    Kind regards,


  3. The information that is presented is excellent. As i am student just have a small quire on the card not present transaction. say for example, when making the online purchase, PSD2 insists that you need not enter the details of your debit or credit card but can permit the merchant to get directly from the banks and my question is how will the merchant recognize that i am particular customer of the bank and what inputs i need to provide to make direct payment.

  4. Hi Soumya, under PSD2 the merchant will request the customer’s bank to authenticate the customer. PSD2 foresees multiple authentication flows for this, such as redirection, embedded, and decoupled. The API specifications of the Berlin Group provide more detail.

Leave a Comment