PSD2 in Full Effect

The second Payment Services Directive or PSD2 is a European law which comes into full force on 14th September which will make it more secure for consumers to make electronic payments when shopping online or using online banking services.

The first Payment Services Directive (PSD1) was adopted in 2007, providing the legal foundation for an EU single market for payments, to establish safer and more innovative
payment services across the EU. The objective was to make cross-border payments as easy, efficient and secure as ‘national’ payments within a Member State. (Source: European Commission).

PSD2 aims to make payments safer, increase consumer protection and continue to foster innovation and competition while maintaining a level playing field for all parties.

Implications for Retailers

While some elements of the PSD2 legislation have applied from 13th January 2018, the full rollout from September will result in changes to how retailers use digital payments channels and how consumers shop online by introducing added security rules referred to as Strong Customer Authentication (SCA).

The Banking and Payments Federation of Ireland (BPFI) have indicated the following key changes coming into effect as of September 14th:

  • PSD2 requires existing banks to share customer data with authorised third-party providers where the customer gives consent. This will be done through APIs (application programme interface) which banks are currently developing.
  • PSD2 will facilitate consumer protection by requiring these third-party service providers to be authorised and regulated by the national competent authority, such as the Central Bank of Ireland. They will be prohibited from accessing any other data from a customer’s accounts beyond that explicitly authorised by the customer.
  • New regulatory technical standards (RTS) will introduce security requirements – including strong customer authentication – which service providers will have to observe when they process payments or provide payment-related services.
  • PSD2 introduces new rules which prohibit ‘surcharging’ for card payments in most cases, meaning merchants who take online payments are no longer able to charge a customer an extra fee when they make payments using their card.
  • PSD2 stipulates that, except in cases of fraud or gross negligence by the consumer, the maximum amount a consumer could be obliged to pay in the case of an unauthorised payment transaction will decrease from €150 to €50.

This regulation affects all customer payments (B2C only) made with debit and credit cards, direct debit payments and credit transfers.

Retailers are required to operate at a higher level of security, most notably by providing Strong Customer Authentication (SCA), often known as two-factor authentication. Two-factor authentication not only requires a username and password, but also a device, e.g. mobile, smart watch, that the user currently has on them.

eCommerce consultancy group eConsultancy recommends the following four steps for retailers and merchants to manage the implementation of PSD2 law into their payments

  • Analytics – Retailers should be tagging all clicks and payment actions (where possible) to better understand user behaviour and optimise the payment process. Analytics should be used at every point of the customer journey to understand the impact of each decision and keep the focus on improving conversion and reducing dropout.
  • Progressive roll-out – Rather than rushing to introduce lots of measures at once, businesses should plan a progressive roll-out of technologies to meet regulatory compliance, with an emphasis on keeping changes to the payment flow smooth and signposted to customers.
  • Communicate – Copy, call-outs, even emails can be used to let the customer know how, and when, important aspects of the flow will change, so that they’re not too jarring when they do arrive.
  • Stay up-to-date – Businesses should check whether they are using the current version of a payment provider’s integration tooling, as this will invariably require an upgrade for PSD2.

Those lagging behind on old versions of the tooling may find that the effort to upgrade will be greater than expected.

Further information about PSD2 can be found on