Impacts for online and mobile payments due to PSD2

PSD2 strong customer authentication

The payments industry has slowly become aware that it has to prepare for new regulations after the European Commission set out new laws, together forming the Payment Services Directive 2 (PSD2). Strong customer authentication, security, transparency and innovation are key in PSD2, which comes into effect in 2018.

Mobile and online payments

The first Payment Services Directive was introduced in 2007 after online payments skyrocketed due to the rising use of mobile devices and the Internet. It was set up by the European Union to increase European competition and the participation of non-banks and other payment services providers, and to increase customer protection.


Improved customer protection

The Payment Services Directive II brings enhanced guidelines for consumer protection, promotes innovation through transparency and improves the security of payment services. Commissioner Jonathan Hill, responsible for Financial Stability, Financial Services and Capital Markets Union, said: “European consumers want to know that their payments are safe when they shop or make a payment online. The new Payment Services Directive will ensure that electronic payments in Europe become more secure and more convenient for European shoppers. This legislation is a step towards a digital single market; it will benefit consumers and businesses, and help the economy grow.”


Consumers benefit

Mr. Hill is probably right that consumers will benefit from the new PSD2. Banks, non-banks and other financial services providers, however, are required to change the core of their business: banks must allow any Third Party Payment Provider (TPP) access to payment account information, which means they have to open up to competitors in order to improve competition in the fintech market.





Strong Customer Authentication

Another important new aspect is the requirement that payment providers comply with strong customer authentication (SCA) as defined under PSD2. SCA, using methods like One Time Passwords, is the successor to one-factor authentication, which is no longer considered safe to use at all. SCA puts an extra layer over login sessions or transactions. Instead of just logging in with a password, users must identify themselves with another tool such as a mobile phone or biometric methods like fingerprints and iris scans.


Mandatory guidelines

Of all the guidelines in PSD2, TPP access and strong customer authentication are the ones that will impact the way financial organisations and payment services providers are operationally managed. These two guidelines are mandatory and will come into force in 2018, pending EU member legislation and EBA Regulatory Technical Standard finalisation. The guidelines require significant new investments in their systems. Although implementing SCA is relatively easy and straightforward and can be done via third-party companies, it could be seen as a shift away from how the banking and finance industry has been working.

It is reasonable for companies to prepare for and research the new guidelines, as the European Commission adopted the proposal for PSD2 in October 2015.


About the author

Erik Eggens is an allround journalist, editor, content creator and copywriter and takes a keen interest in mobile, finance and politics.
