PSD2 compliance: the basics

By Prateek Panda


The rise of cross-border financial institutions, international e-commerce, and cybercriminals attempting to commit fraud and steal sensitive customer information necessitates much-improved security measures for electronic payments. For these reasons, the EU introduced its second Payment Services Directive (PSD2), which came into force across all 28 EU countries on September 14, 2019.

PSD2 intends to improve the regulation of payment service providers and strengthen the protections surrounding electronic payments with the ultimate goal of creating a standardized single market for banks and payment providers across the EU. 

Some of its most important elements:

Multi-factor authentication: Accenture has estimated that the risk of cybercrime is $5.2 trillion over the next five years. PSD2 compliance is expected to reduce the risks of fraud and theft through the use of multi-factor authentication, specifically Strong Customer Authentication (SCA). Under SCA, payment service providers must require two of the three factor categories below from customers:

  • Something the customer knows (e.g., PIN, password, date of birth)
  • Something the customer possesses (e.g., phone or key material)
  • Something inherent to the customer (e.g., fingerprint, facial recognition)
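To show what the "two of three" rule means in practice, here is an added illustration (not code from the original post or from Intertrust) that evaluates the authenticators presented for a payment and only passes when at least two distinct categories have been verified. The `Authenticator` type, the category names and the sample inputs are my own constructs; the point it makes that the text alone does not is that two factors from the same category (a password plus a PIN, both "something the customer knows") do not satisfy SCA, and that a factor that failed its own check counts for nothing.

```go
package main

import "fmt"

// FactorCategory is one of the three SCA element categories named in PSD2.
type FactorCategory int

const (
	Knowledge  FactorCategory = iota // something the customer knows
	Possession                       // something the customer possesses
	Inherence                        // something inherent to the customer
)

func (c FactorCategory) String() string {
	return [...]string{"knowledge", "possession", "inherence"}[c]
}

// Authenticator is one piece of evidence presented during a payment (hypothetical type).
// Verified records whether the underlying check (password match, OTP match, biometric
// match) succeeded; classification into a category is the provider's responsibility.
type Authenticator struct {
	Name     string
	Category FactorCategory
	Verified bool
}

// SCAResult reports whether the rule was met and which distinct categories passed.
type SCAResult struct {
	Satisfied  bool
	Categories []FactorCategory
	Reason     string
}

// EvaluateSCA applies the "two of three, from different categories" rule.
// Unverified authenticators are ignored; duplicates within a category collapse to one.
func EvaluateSCA(presented []Authenticator) SCAResult {
	passed := map[FactorCategory]bool{}
	for _, a := range presented {
		if a.Verified {
			passed[a.Category] = true
		}
	}
	cats := make([]FactorCategory, 0, 3)
	for _, c := range []FactorCategory{Knowledge, Possession, Inherence} {
		if passed[c] {
			cats = append(cats, c)
		}
	}
	if len(cats) >= 2 {
		return SCAResult{true, cats, "at least two independent categories verified"}
	}
	return SCAResult{false, cats, fmt.Sprintf("only %d category verified; SCA needs 2 distinct", len(cats))}
}

func main() {
	// Constructed sample inputs.
	good := []Authenticator{{"password", Knowledge, true}, {"sms-otp", Possession, true}}
	sameCat := []Authenticator{{"password", Knowledge, true}, {"pin", Knowledge, true}}
	failedBio := []Authenticator{{"password", Knowledge, true}, {"fingerprint", Inherence, false}}
	for _, set := range [][]Authenticator{good, sameCat, failedBio} {
		r := EvaluateSCA(set)
		fmt.Printf("satisfied=%v categories=%v (%s)\n", r.Satisfied, r.Categories, r.Reason)
	}
}
```

The example models only the category rule; the regulatory technical standards also require the elements to be independent (compromise of one must not compromise the other), which a real implementation would check in how the authenticators are issued and delivered, not in this evaluator.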

Improved access for third party providers (TPPs): A core concept of the EU’s single market is competitive freedom. To this end, PSD2 works towards removing banks’ and financial institutions’ monopoly on their customers’ data. A stated aim of the directive is to promote greater competition by permitting businesses and consumers to authorize TPPs to directly access account information; for example, by allowing Amazon to take a payment from your bank without using an intermediary like PayPal. 

Better banking collaboration: The improved flow of information between financial institutions under PSD2 should make for smoother interactions and reduced costs. Greater collaboration between payment service providers and banks means that banks will be better able to bolt on services to improve the customer experience rather than developing them in-house. 

Consumer protection from hidden costs: Banks and payment service providers employ a variety of methods to build costs and charges into their processes. For example, sub-market foreign exchange rates can mask extra fees. With PSD2 compliance, financial service providers are obligated to inform their customers of the “real costs and charges” associated with transactions.

Use of API hubs: Financial institutions must provide open, secure Application Programming Interfaces (APIs) to facilitate collaboration and interactions between consumers, banks, and third-party payment service providers. This open banking allows for requests from TPPs, the aggregation of consumer data, and improved service provision for all parties. Such collaboration relies on standardized and open-source common standards of communication (CSC).

Greater geographical implications: The range of transactions affected by the Payment Services Directive has been expanded considerably and now includes transactions with ‘one leg out’, such as where only one party is from the EU. Previously, both parties needed to be incorporated in the EU to fall under the directive’s jurisdiction. 

How PSD2 Affects Businesses and Available Solutions

With the obligations laid out, PSD2 compliance is now the responsibility of financial institutions and payment service providers who have interactions within the EU. Here’s how it may affect your business and what you can do to ensure PSD2 compliance.

Identity verification: One of the central tenets of PSD2 compliance is the introduction of Strong Customer Authentication and a much more robust identity verification process for electronic payments. To do this, banks and financial institutions will require at least two modes of identification (such as a two-factor authentication process).

As a global leader in application shielding technologies, Intertrust helps financial service providers implement more secure identity verification procedures to combat theft and protect their customers from identity fraud.

Secure APIs: APIs that provide secure interactions and transactions between financial institutions, third parties, and consumers form another core element of PSD2 compliance. Standardized APIs facilitate fast, easy, and secure payments, but also offer an attractive target for cybercriminals. These APIs need to be among the most secure entities in the digital world.

Security certificates: Secure communication under PSD2 relies on certificates, specifically Qualified Certificates for Website Authentication (QWACs) for data protection over TLS and Qualified Certificates for Electronic Seals (QSealCs) for secure signatures and authentication. These certificates ensure the safety of user data and the secure identification of payment service providers.
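The two certificate types do different jobs: a QWAC identifies the party at the transport layer (it is presented in the TLS handshake), while a QSealC identifies the party that produced a specific message, so a signed request can still be attributed to its sender after TLS has terminated. The following added example (mine, not code from the post or from Intertrust) shows the seal half of that: a TPP signs the SHA-256 digest of a request body with the key belonging to its certificate, and the receiving bank verifies the signature against the public key in that certificate and rejects any altered body. It assumes a self-signed ECDSA certificate generated in-process in place of a certificate issued by a qualified trust service provider, and uses a constructed JSON body; the type and function names are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Sealer holds a TPP's signing key and the certificate that identifies it (hypothetical type).
type Sealer struct {
	key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// NewSealer generates a throwaway P-256 key and a self-signed certificate so the
// example runs offline; a real QSealC is issued by a qualified trust service provider.
func NewSealer(org string) (*Sealer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{org}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, // a seal cert is for signing, not TLS
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Sealer{key: key, Cert: cert}, nil
}

// Seal signs the SHA-256 digest of the request body, producing an ASN.1 ECDSA signature.
func (s *Sealer) Seal(body []byte) ([]byte, error) {
	digest := sha256.Sum256(body)
	return ecdsa.SignASN1(rand.Reader, s.key, digest[:])
}

// VerifySeal is the receiving side: it checks that the certificate is allowed to sign
// and that the signature matches this exact body. Trust in the certificate itself
// (chain to a qualified CA, revocation) is a separate step not shown here.
func VerifySeal(cert *x509.Certificate, body, sig []byte) error {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("certificate does not carry an ECDSA key")
	}
	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return errors.New("certificate not authorised for digital signatures")
	}
	digest := sha256.Sum256(body)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("seal does not match body")
	}
	return nil
}

func main() {
	tpp, err := NewSealer("Example TPP Ltd")
	if err != nil {
		panic(err)
	}
	// Constructed sample request body.
	body := []byte(`{"amount":"10.00","currency":"EUR","creditor":"PLACEHOLDER-IBAN"}`)
	sig, err := tpp.Seal(body)
	if err != nil {
		panic(err)
	}
	fmt.Println("original body:", VerifySeal(tpp.Cert, body, sig))
	tampered := []byte(`{"amount":"9999.00","currency":"EUR","creditor":"PLACEHOLDER-IBAN"}`)
	fmt.Println("tampered body:", VerifySeal(tpp.Cert, tampered, sig))
}
```

In a deployment the bank would additionally validate the certificate chain and revocation status before trusting the public key, and the QWAC would be configured separately as the TLS client certificate for the same TPP.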

Providing access-to-accounts (XS2A): The access-to-accounts (XS2A) element of PSD2 compliance means that financial institutions must grant third parties access to customer information if authorized by the customer. This creates a lucrative target of attack for criminals wishing to steal sensitive financial data. Application shielding, through code obfuscation and hardening of vulnerabilities, can secure financial apps against tampering and reverse engineering.

Creating trusted ecosystems: Operating within the standardized PSD2 environment means greater opportunities for collaboration and innovation. However, this can only happen if the EU banking system and individual institutions create trusted ecosystems that enable access for the devices and apps of legitimate users while preventing infiltration and data leakage.

Intertrust has extensive experience of creating the trusted ecosystems necessary for the modern, super-connected world, with our solutions applied across millions of devices to mitigate software attack risks. 

Intertrust Can Help with PSD2 Compliance 

PSD2 compliance is a necessity for all financial institutions doing business with the EU. The directive aims to improve collaboration and competition while also providing an easier and safer payment environment for customers. Combining all of these elements is a major task, which is why many institutions turn to digital security specialists such as Intertrust to assist with their PSD2 compliance. 

To find out how Intertrust can help your PSD2 compliance efforts, get in touch with our team of experts today.




About Prateek Panda

Prateek Panda is Director of Marketing at Intertrust Technologies and leads global marketing for Intertrust’s application shielding and device identity solutions. His expertise in product marketing and product management stems from his experience as the founder of a cybersecurity company with products in the mobile application security space.
