In November 2015, the European Union (EU) passed the Revised Payment Services Directive (PSD2) to replace the original PSD and further regulate payments throughout the EU and the larger European Economic Area (EEA).
The EU originally enacted the PSD to promote competition in the banking sector and to standardize the obligations placed on payment service providers (PSPs) across the market. While PSD2 upholds the mission of the PSD, it also adds regulations that strengthen consumer protections and further secure electronic payments.
This PSD2 guide will analyze the compliance requirements of the directive, discuss how the EU revised the policies of the PSD, and define essential regulations and terms used throughout the law.
Complying with PSD2’s security standards requires strict oversight of third-party entities. Discover how Third-Party Risk Management software helps secure your entire payment service supply chain.
PSD2 is a part of the Payment Card Industry Data Security Standard (PCI DSS), and the directive primarily affects consumers, brokers, and banks. PSD2 includes regulations for protecting online payments, securing digital payment transactions, enhancing customer data security, and implementing strong customer authentication (SCA).
Yes, all banks, financial institutions, and other entities that deal with personal financial data or provide financial services in the EU must comply with the regulatory provisions of PSD2. All countries in the EU have adopted the PSD2.
While the PSD2 was passed initially near the end of 2015, its enactment and effective date were delayed by several postponements. The revised directive officially became effective across the EU on December 31, 2020.
The following is a complete timeline of important PSD and PSD2 events:
PSD2 sets forth security requirements that protect the open banking ecosystem and help prevent cyberattacks and information security threats.
Overall, the PSD2 includes five main compliance requirements:
The main technological requirement of PSD2 is that banks and other financial service providers implement and maintain an application programming interface (API) through which account information service providers (AISPs) can access customer information when the consumer grants access.
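The consent check that sits in front of such an API is the part most worth getting right: data leaves the bank only for the AISP the customer authorised, only for the accounts and data types the customer chose, and only while the consent is live. The following is an added illustration, not code from UpGuard or from any bank's API; the consent identifiers, account numbers, scope names and the 90-day consent lifetime are constructed assumptions for the example.

```python
"""Consent-gated access check for an account-information (AISP) API.

Added example: every condition is tested separately so that a denial
carries an audit-ready reason instead of a bare 403.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Consent:
    consent_id: str
    aisp_id: str                  # the third party the customer authorised
    accounts: frozenset           # account ids the customer chose to share
    scopes: frozenset             # data types shared, e.g. "balances"
    granted_at: datetime
    revoked: bool = False
    # Assumption for the example: consent must be re-authenticated after 90 days.
    lifetime: timedelta = timedelta(days=90)

    def expires_at(self) -> datetime:
        return self.granted_at + self.lifetime


def authorize(consent: Consent, aisp_id: str, account_id: str,
              scope: str, now: datetime):
    """Return (allowed, reason) for one API request against one consent."""
    if consent.revoked:
        return False, "consent revoked by customer"
    if now >= consent.expires_at():
        return False, "consent expired; customer must re-authenticate"
    if aisp_id != consent.aisp_id:
        return False, "consent was granted to a different AISP"
    if account_id not in consent.accounts:
        return False, "account not covered by consent"
    if scope not in consent.scopes:
        return False, "scope not covered by consent"
    return True, "ok"


def sample_consent() -> Consent:
    """Constructed sample consent: one AISP, one shared account, balances only."""
    return Consent(
        consent_id="consent-0001",
        aisp_id="aisp-budgetapp",
        accounts=frozenset({"acct-1234"}),
        scopes=frozenset({"balances"}),
        granted_at=datetime(2024, 1, 1, tzinfo=timezone.utc),
    )


if __name__ == "__main__":
    c = sample_consent()
    now = datetime(2024, 1, 10, tzinfo=timezone.utc)
    for aisp, acct, scope in [
        ("aisp-budgetapp", "acct-1234", "balances"),      # allowed
        ("aisp-budgetapp", "acct-1234", "transactions"),  # scope not granted
        ("aisp-other", "acct-1234", "balances"),          # wrong AISP
        ("aisp-budgetapp", "acct-9999", "balances"),      # account not shared
    ]:
        print(aisp, acct, scope, "->", authorize(c, aisp, acct, scope, now))
    late = now + timedelta(days=100)
    print("after 100 days ->", authorize(c, "aisp-budgetapp", "acct-1234", "balances", late))
```

The check is deliberately deny-by-default: a request that matches nothing in the consent record never reaches the account data, and the returned reason string is what a defender would want in the API access log when reviewing which third party asked for what.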
Another core requirement of the PSD2 is strong customer authentication or SCA. The directive obligates all payment processors and digital banking providers to utilize multi-factor authentication for user login. To comply with this requirement, financial institutions can permit payment service users to use a combination of PINs, biometrics, and message verification techniques to access their payment accounts.
PSD2 looks to improve customer transparency across the board, but its main focus areas are institutional terms and conditions and the currency conversion rates used in digital third-party payment systems (TPPS) throughout the payments industry.
Each of these two categories of information needs to be explicitly expressed to the consumer and easily accessible.
PSD2 also obligates payment providers and payment initiation service providers to resolve consumer complaints promptly. The directive also sets out explicit procedures and mandates for complaint and resolution reporting.
Under PSD2, businesses are prohibited from implementing surcharges (additional charges added to a transaction on top of standard pricing) for ticketing, food, travel, and delivery purposes.
The PSD2 surcharge ban applies to e-commerce issuers using surcharges in all consumer contexts, including personal and corporate.
Overall, the requirements of PSD2 pose significant cybersecurity challenges, especially to new institutions operating without robust cybersecurity risk management programs.
The main cybersecurity challenge financial organizations face while becoming PSD2 compliant is continuing to defend their attack surface and protect consumer personal data after exposing an open API. While most cyber-conscious organizations already have protocols for managing their web channels, identifying API vulnerabilities and mitigating API security risks requires additional security measures, especially when an institution uses multiple third-party vendors to offer API access to its consumers.
Financial institutions relying on more third-party service providers or vendors must develop strong third-party risk management (TPRM) procedures. The most effective TPRM programs include strategies that help organizations identify, assess, mitigate, and treat risks across their entire supply chain.
Cybersecurity tools like UpGuard Vendor Risk can help organizations manage the security challenges of PSD2 compliance.
UpGuard Vendor Risk can improve an organization’s vendor lifecycle by allowing the organization to:
The PSD2 recognizes payment exemption options for a variety of transaction types. These exemptions allow merchants and other payment processors to initiate payments and complete some transactions without meeting the Strong Customer Authentication requirements of the PSD2.
Examples of exemptions recognized by the PSD2 include:
The most common exemption type recognized by the PSD2 is a Transaction Risk Analysis (TRA) exemption. TRA exemptions enable merchants processing low-risk transactions to do so without the requirement of additional verification methods.
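The SCA requirement described earlier and the TRA exemption described here are two halves of one decision a payment service provider makes per transaction: first, does this transaction qualify for an exemption, and if not, do the factors the customer presented actually amount to strong customer authentication (two factors from distinct categories, so a PIN plus a password does not count). The following is an added example, not code from the page or from UpGuard. The knowledge/possession/inherence categories follow PSD2's definition of SCA; the transaction-value bands and matching fraud-rate thresholds for the TRA exemption, and the low-value exemption limit, are the EBA RTS reference values as the editor recalls them and are labelled in the code as assumptions; all transactions and fraud rates are constructed.

```python
"""Per-transaction SCA decision: exemption check, then factor validation.

Added example. Category mapping and thresholds are assumptions documented
inline; verify them against the current RTS before relying on them.
"""
from dataclasses import dataclass

# Each kind of authentication evidence maps to one SCA category.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",
    "sms_otp": "possession",        # one-time code sent to the registered phone
    "app_push": "possession",       # approval inside the customer's enrolled app
    "hardware_token": "possession",
    "fingerprint": "inherence",
    "face": "inherence",
}


def satisfies_sca(presented) -> bool:
    """True when the presented factors span at least two distinct categories.
    Unknown factor names are ignored rather than counted."""
    categories = {FACTOR_CATEGORY[f] for f in presented if f in FACTOR_CATEGORY}
    return len(categories) >= 2


@dataclass(frozen=True)
class Transaction:
    amount_eur: float
    remote: bool   # remote electronic payment (e.g. e-commerce checkout)


# Assumed TRA bands: (exemption threshold in EUR, maximum PSP fraud rate).
# A PSP qualifies for a band only if its reference fraud rate is at or
# below that band's maximum; higher bands demand lower fraud rates.
TRA_BANDS = [
    (100.0, 0.0013),
    (250.0, 0.0006),
    (500.0, 0.0001),
]
LOW_VALUE_LIMIT_EUR = 30.0   # assumed low-value remote exemption limit


def tra_exempt(tx: Transaction, psp_fraud_rate: float) -> bool:
    """Transaction Risk Analysis exemption: remote payments only, and the
    amount must sit within a band the PSP's fraud rate qualifies for."""
    if not tx.remote:
        return False
    return any(psp_fraud_rate <= max_rate and tx.amount_eur <= limit
               for limit, max_rate in TRA_BANDS)


def low_value_exempt(tx: Transaction) -> bool:
    """Low-value exemption for small remote payments (velocity/cumulative
    limits that also apply in practice are omitted here)."""
    return tx.remote and tx.amount_eur <= LOW_VALUE_LIMIT_EUR


def decide(tx: Transaction, psp_fraud_rate: float, presented) -> str:
    """Return 'exempt', 'authenticated' or 'rejected' for one transaction."""
    if low_value_exempt(tx) or tra_exempt(tx, psp_fraud_rate):
        return "exempt"
    return "authenticated" if satisfies_sca(presented) else "rejected"


if __name__ == "__main__":
    rate = 0.0005   # constructed PSP fraud rate: qualifies up to the EUR 250 band
    for tx, factors in [
        (Transaction(20.0, True), []),               # exempt: low value
        (Transaction(200.0, True), []),              # exempt: TRA, EUR 250 band
        (Transaction(400.0, True), ["pin"]),         # rejected: one category
        (Transaction(400.0, True), ["pin", "face"]), # authenticated
        (Transaction(15.0, False), ["pin", "password"]),  # rejected: same category
    ]:
        print(tx, factors, "->", decide(tx, rate, factors))
```

Two design points carry over to real deployments: the category map, not the customer-facing factor name, is what the rule is evaluated on, so adding a new factor type means deciding which category it belongs to rather than editing the rule; and exemptions are evaluated before factor validation, so a transaction that is exempt never prompts the customer at all.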
Given that PSD2 compliance is mandatory for all applicable entities operating within the EU, penalties for non-compliance can be severe: institutions that fail to meet its requirements can face financial penalties of up to 4% of their annual returns.
UpGuard can help financial institutions and their security teams manage their attack surface, mitigate third-party risk, achieve regulatory compliance, prevent data leaks, and install continuous monitoring across their supply chain.
The standards set by PSD2 impact all areas of a financial institution’s operation, including its Third-Party Risk Management programs and Cyber Vendor Risk Management strategies.
UpGuard Breach Risk and Vendor Risk Management tools empower organizations with a cybersecurity toolbox that includes access to: