PSD2 (the second Payment Services Directive) explained in 3 minutes

The EU’s revised Payment Services Directive (PSD2) could revolutionize the payments industry when the EU member states implement it into national laws in 2018. Bjørn Søland, technical expert at identity and security company Nexus Group, explains the directive and its consequences in 3 minutes.

What is new in PSD2?

“The banks’ monopoly on their customer’s data disappears. This enables bank customers, both business and consumer, to give third-party providers permission to retrieve their account data from their banks. The third-party providers may then, for example, initiate payments for the users directly from their bank accounts.

“PSD2 will also require stronger identity checks of users when they are paying online.

“PSD2 is an extensive directive, and it also includes a range of less revolutionary news, such as a limit on costs for card payments and better consumer protection against fraud,” says Søland.

What is the European Commission’s objective with PSD2?

“The primary goal of the directive is to create a single integrated market for payment services by standardizing the regulations for the banks and for the new payment service providers we have started to see. The PSD2 will ensure transparency and fair competition, and break down the entry barriers for new payment services, which will benefit the customers,” says Søland.

Why could PSD2 revolutionize the payments industry?

“PSD2 will change the payments value chain and change which business models are profitable. When bank customers can use third-party providers such as social media platforms or messaging apps to pay bills straight from their bank accounts, banks might lose many of the customer interactions ­– if the banks do not create equally attractive solutions.

“We will see a lot of new services. For example, bank customers will be able to give third-party providers permission to analyze their spending behavior or aggregate their account information from several banks into one overview. The banks will be required to provide the third-party providers access to their customers’ accounts through open application program interfaces (APIs),” says Søland.


Read blog post Why you should make the EU’s new GDPR your friend


What does “stronger identity checks” mean in practicality?

“When customers access their payment accounts online, initiate electronic payment transactions, or carry out any other actions through remote channels that may imply a risk of payment fraud or other abuses, so called strong authentication will be required.

“Very simply, strong authentication is a procedure based on the use of two or more elements from the categories knowledge, ownership and inherence. This means that user isn’t allowed to authenticate using only a static password,” says Søland.

Who will be responsible for the customer authentication, now when so many new players are expected?

“There are still a few things that need to be ironed out, but it seems clear that the new players have the right to rely on the bank’s authentication of the user. This means that the authentication procedure most probably will remain fully in the sphere of competence of the banks.

“This means that banks need to offer strong authentication, not only to protect their own services but also indirectly to protect the new players’ services,” says Søland.

Are there appropriate standards in place?

The European Banking Authority (EBA) has made regulatory technical standards. They are technology neutral to allow for innovation, but the flip side is that this means that there will be many different technical solutions instead of a single EU-wide solution that could challenge players such as Visa and MasterCard.

“That said, business is local and the majority of the payments in a country are local as well. I think we’ll see a lot of country-wide initiatives before we see successful EU payment schemes,” says Søland.

Do you have any advice for the banks?

“There is still a lot of uncertainty surrounding PSD2 – and 2018 is approaching quickly. I’m not going to give banks advice on how to implement their APIs, but strong authentication is luckily a different story. In this case I would recommend a versatile authentication solution that can accommodate many different authentication methods, both existing and new as they become available.

“I would also recommend the banks to be innovative and offer new services – otherwise they might lose a lot of the customer interactions,” says Søland.