The EU’s Payment Services Directive (PSD2) harmonizes regulation and strengthens security and consumer protection in payment transactions. It requires strong customer authentication for most electronic payments and standardized access to account and payment interfaces for licensed third-party providers. Strong customer authentication has been mandatory in the EU since 14.9.2019.
What PSD2 means for online businesses
For online businesses, PSD2 affects how customers authenticate their payments and how banks and payment service providers exchange information. The sections below explain how different payment methods are handled under PSD2 and what this means for your daily operations.
Card payments: Authentication requirements and exemptions
Under PSD2, strong customer authentication is generally required for online card payments, including small charges made through mobile services such as food delivery or parking apps.
Authentication is carried out through verification services such as 3D Secure (for example Verified by Visa or MasterCard SecureCode), where the payment is confirmed with the cardholder’s bank. The authentication method used depends on the card issuer’s solution.
Exemptions from strong authentication for card payments
PSD2 allows certain transaction-specific exemptions to strong customer authentication. Exemptions are not guaranteed. The card issuer may decline them, or the required technical conditions may not be met.
One key exemption applies to merchant-initiated card charges that take place without customer interaction, such as:
- recurring magazine subscriptions
- parking fees based on license plate recognition in garages
In these cases, strong customer authentication is typically required when the customer first enters their card details. The customer must also be clearly informed about the nature and timing of future charges they agree to.
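To make the decision logic above concrete, here is an added example (not code from the original page, and not any scheme, bank or payment service provider's API) that models how a merchant's integration might decide between requesting SCA, requesting the merchant-initiated exemption, or holding a charge. The data classes, the mandate records, the `demo_issuer` stub and its amount-based decline rule are all constructed for this example; the decline rule is not a PSD2 threshold, it only illustrates that an exemption request can come back refused.

```python
"""Decision model for online card charges under PSD2, as described in the text:
SCA is the default for customer-present online card payments regardless of amount;
a merchant-initiated charge may request an exemption only when the mandate was set
up under SCA and the customer was told the nature and timing of future charges;
the issuer can still decline the exemption, which forces a step-up.

Everything here (class names, mandate ids, the issuer stub) is constructed for the
example and does not represent a real scheme, bank or PSP interface."""

from dataclasses import dataclass
from typing import Callable, Optional

CHALLENGE = "challenge"                  # run SCA now, e.g. a 3D Secure challenge
REQUEST_EXEMPTION = "request_exemption"  # ask the issuer to waive SCA for this charge
HOLD = "hold"                            # no valid basis to charge without the customer


@dataclass
class Mandate:
    """What the merchant records when a customer agrees to future charges."""
    mandate_id: str
    sca_completed: bool    # SCA was done when the card details were first entered
    terms_disclosed: bool  # nature and timing of future charges were explained and agreed


@dataclass
class Charge:
    amount_cents: int
    customer_present: bool          # True at checkout, False for a merchant-initiated charge
    mandate_id: Optional[str] = None


@dataclass
class Decision:
    action: str
    exemption: Optional[str]
    reason: str


def decide(charge: Charge, mandates: dict) -> Decision:
    """Pick the authentication path for one charge before it is submitted."""
    if charge.customer_present:
        return Decision(CHALLENGE, None, "customer-present online card payment: SCA by default")
    mandate = mandates.get(charge.mandate_id)
    if mandate is None:
        return Decision(HOLD, None, "merchant-initiated charge with no valid mandate")
    if not mandate.sca_completed:
        return Decision(HOLD, None, "mandate was not established under SCA")
    if not mandate.terms_disclosed:
        return Decision(HOLD, None, "customer not informed about future charges")
    return Decision(REQUEST_EXEMPTION, "merchant_initiated",
                    f"MIT under mandate {mandate.mandate_id}")


# Issuer answers are modelled as plain strings: "approved", "sca_required" or "declined".
IssuerFn = Callable[[Charge, Optional[str]], str]


def submit(charge: Charge, mandates: dict, issuer: IssuerFn) -> str:
    """Submit the charge according to the decision and handle the issuer's answer."""
    d = decide(charge, mandates)
    if d.action == HOLD:
        return "hold: " + d.reason
    if d.action == CHALLENGE:
        # SCA is completed with the cardholder's bank before authorisation.
        return "authenticated: " + issuer(charge, None)
    resp = issuer(charge, d.exemption)
    if resp == "sca_required":
        # Exemptions are not guaranteed. The customer is absent, so the merchant
        # must bring them back to authenticate rather than retry the charge blindly.
        return "step_up_required: issuer declined exemption " + d.exemption
    return f"{resp}: {d.reason}"


def demo_issuer(charge: Charge, exemption: Optional[str]) -> str:
    """Constructed issuer behaviour: refuses the exemption above an arbitrary amount.
    The 100.00 cut-off is invented for the demo and is not a regulatory threshold."""
    if exemption is not None and charge.amount_cents > 10_000:
        return "sca_required"
    return "approved"


# Constructed mandate store: one subscription set up correctly, one parking mandate
# where the card was stored but the future charges were never explained.
MANDATES = {
    "mnd-sub-001": Mandate("mnd-sub-001", sca_completed=True, terms_disclosed=True),
    "mnd-park-002": Mandate("mnd-park-002", sca_completed=True, terms_disclosed=False),
}

if __name__ == "__main__":
    for c in (Charge(499, True),
              Charge(1299, False, "mnd-sub-001"),
              Charge(25_000, False, "mnd-sub-001"),
              Charge(350, False, "mnd-park-002"),
              Charge(350, False, None)):
        print(c, "->", submit(c, MANDATES, demo_issuer))
```

The point of the `HOLD` branches is that a missing or badly established mandate is not something the integration can repair at charge time: with the customer absent there is nobody to authenticate, so the charge has to wait until the customer returns and sets the mandate up under SCA with the future charges disclosed.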
Bank payments: Authentication and standardized interfaces
In Finland, bank payments require strong customer authentication. Customers confirm payments using their bank’s authentication method.
PSD2 standardizes the technical interfaces used for bank payments. These interfaces are implemented by banks and payment service providers and do not require any action from businesses.
Mobile payments: Authentication handled by the provider
Mobile payment methods such as MobilePay, Siirto, Apple Pay, and Google Pay are subject to strong customer authentication requirements.
Authentication is typically performed within the payment provider’s own app, using methods such as biometric recognition or device-based verification.
Buy now, Pay later payments
Buy now, Pay later payment methods such as invoices or installment plans are generally not classified as electronic remote payments under PSD2.
However, providers typically use strong customer authentication because these payment methods create a credit relationship between the customer and the service provider.
Customer questions about strong authentication
PSD2 defines how strong customer authentication must be implemented. Banks use authentication methods such as mobile apps, SMS confirmations, or biometric verification to confirm payments.
Customers may have questions about how the payment amount and payee are displayed during authentication or how the confirmation process works.
Strong authentication and payment confirmation are carried out by the payment instrument provider, such as a bank.