How PSD2 affects online businesses

PSD2 in a nutshell

The EU’s Payment Services Directive (PSD2) aims to harmonize regulation and enhance security and consumer protection in payment transactions.

The most significant changes introduced by PSD2 include:

  • a requirement for strong customer authentication in electronic account and payment transactions
  • an obligation for banks to open account and payment interfaces to third-party providers

The strong authentication requirement came into effect on 14.9.2019.

What does PSD2 mean for online merchants?

Card payments – strong authentication required, with limited exceptions

Under PSD2, strong customer authentication is now generally mandatory. This applies even to mobile services making small charges, such as food delivery or parking payment apps.

Authentication is handled through verification services (3D Secure, such as Verified by Visa or MasterCard SecureCode), where the payment is confirmed in the cardholder’s bank. Consumers may notice changes in their bank’s authentication methods as a result.

To preserve a smooth payment experience, the regulation allows certain transaction-specific exemptions. However, exemptions are not guaranteed—the card issuer may decline them, or the necessary technical capabilities may be unavailable.

Exemptions from strong authentication for card payments

One key exemption applies to merchant-initiated card charges that occur without customer interaction, such as:

  • recurring magazine subscriptions
  • parking fees based on license plate recognition in garages

Even in these cases, the customer must be strongly authenticated when entering card details, and they must be clearly informed about the nature of future charges they are agreeing to.

Bank payments – authentication stays the same, but technical implementation is unified

In Finland, bank payments already require strong authentication. PSD2 does not change this, except in cases where banks update their own authentication methods.

However, changes are expected on the technical side, such as the introduction of standardized bank payment interfaces. These updates, made by payment service providers, do not require any action from merchants but may affect the consumer’s payment experience.

Mobile payments – payment flow unchanged for merchants

Mobile payment methods (e.g. MobilePay, Siirto, Apple Pay) are also subject to strong authentication requirements. These providers typically perform authentication within their own apps—using methods like fingerprint recognition.

From the merchant’s perspective, the payment flow remains unchanged. For consumers, however, the payment experience may vary depending on the authentication method used.

Buy now, pay later – no immediate changes

PSD2 does not apply to invoice or installment payment methods, as they are not considered electronic remote payments under the regulation. Even so, strong authentication is typically used, since these payment methods create a credit relationship between the customer and the service provider.

In practice, invoice and installment payments are expected to remain unchanged for both merchants and consumers.

Strong authentication may raise questions from merchants – be prepared for consumer inquiries

PSD2 sets specific rules for how strong authentication must be implemented. Banks have updated their authentication solutions with tools like mobile apps and SMS-based confirmations.

These new authentication flows may raise questions from customers, for example about how the payment amount and payee are shown or how the process works.

Strong authentication and payment confirmation are always carried out by the payment instrument provider, such as a bank. Merchants do not need to make any changes to their systems in response to these updates.
