AI-generated content: Responses are generated by AI, automatically assembled and may contain errors. Conformi is a research tool and does not replace legal advice or case-by-case legal review. All responses should be verified using the linked original sources.

Payment Services Directive 2 (PSD2) — Directive (EU) 2015/2366

Analysis from 18 April 2026 | 2 sources | Consolidated version of 17.01.2025 (incorporating amendments by Directive (EU) 2022/2556 and Regulation (EU) 2024/886) | EUR-Lex Original

Does my payment checkout actually comply with Strong Customer Authentication — and what happens to my business if a regulator finds it does not?

Any entity providing payment services in the EU must apply Strong Customer Authentication since 14 September 2019, and national competent authorities can impose effective, proportionate and dissuasive penalties for non-compliance — including public disclosure of sanctions [Art. 97, Art. 103].

Short Answer

PSD2 requires every payment service provider to apply Strong Customer Authentication (SCA) when a payer accesses an account online, initiates an electronic payment, or performs any remote action that may imply fraud risk [Art. 97(1)]. For remote electronic payments, the authentication must dynamically link the transaction to a specific amount and payee [Art. 97(2)]. Account servicing payment service providers must grant payment initiation service providers (PISPs) and account information service providers (AISPs) access to payment accounts via secure, standardised APIs [Art. 66, Art. 67]. Penalties are set at national level and must be effective, proportionate and dissuasive; competent authorities may publicly disclose any administrative penalty imposed [Art. 103].

Who is affected

Credit institutions, electronic money institutions, payment institutions authorised under Art. 11, payment initiation service providers (PISPs), account information service providers (AISPs), and any natural or legal person providing payment services in the EU — including those benefiting from the small payment institution exemption under Art. 32 (monthly average payment transactions not exceeding EUR 3 million). Technical service providers that never hold funds are excluded [Art. 3(j)].

Deadline

Fully applicable since 13 January 2018 (transposition deadline) [Art. 115(1)]. SCA requirements under Art. 97 apply since 14 September 2019 (18 months after the EBA Regulatory Technical Standards entered into force) [Art. 115(4)]. Obligations are ongoing — no upcoming staged deadline.

Risk

Penalties are determined by each Member State's national transposition and must be effective, proportionate and dissuasive [Art. 103(1)]. Competent authorities may publicly disclose any administrative penalty unless disclosure would seriously jeopardise financial markets [Art. 103(2)]. For unauthorised payment transactions, the payment service provider must refund the payer immediately, and in any event no later than the end of the following business day [Art. 73(1)]. The payer's maximum liability for unauthorised transactions from a lost or stolen instrument is capped at EUR 50 [Art. 74(1)]. Where the PSP fails to require SCA, the payer bears no financial loss [Art. 74(2)].

Proof

Legal status

  • In force (as of 2026-04-18)
  • Consolidated version of 17.01.2025 (incorporating amendments by Directive (EU) 2022/2556 and Regulation (EU) 2024/886)

Primary sources

What to do now

Legal / DPO

  • Review all payment service contracts and framework contracts for compliance with pre-contractual and contractual information requirements — the Directive prescribes exhaustive transparency obligations including charges, exchange rates, and liability allocation [Art. 45, Art. 51, Art. 52].
  • Verify that liability clauses for unauthorised payment transactions cap the payer's loss at EUR 50 for lost/stolen instruments and shift full liability to the PSP where SCA was not applied [Art. 73, Art. 74].
  • Ensure complaints-handling procedures and access to alternative dispute resolution (ADR) bodies are in place in every Member State where services are provided [Art. 101, Art. 102].

Compliance

  • Confirm that the institution holds valid authorisation or registration in the home Member State and is entered in the public register maintained by the competent authority [Art. 11, Art. 14, Art. 15].
  • Establish an operational and security risk management framework with effective incident management procedures, including classification of major incidents and notification to the competent authority without undue delay [Art. 95, Art. 96].
  • Verify that funds safeguarding obligations are met — client funds must be segregated via deposit in a central bank or credit institution, or covered by an insurance policy or comparable guarantee [Art. 10].

IT / Security

  • Implement Strong Customer Authentication using at least two independent elements from knowledge, possession, and inherence categories, with dynamic linking for remote electronic payments [Art. 97(1), Art. 97(2)].
  • Build and maintain secure open communication interfaces (APIs) enabling PISPs and AISPs to identify themselves, authenticate, and communicate securely with account servicing PSPs, in line with the EBA Regulatory Technical Standards [Art. 98(1)(d)].
  • Protect the confidentiality and integrity of payment service users' personalised security credentials through adequate security measures, and ensure security measures are technology-neutral and business-model-neutral [Art. 97(3), Art. 98(2)(d)].

Product / Engineering

  • Design checkout flows that integrate SCA natively — exemptions exist for low-value transactions, recurring payments with fixed amounts, and transactions assessed as low-risk via transaction risk analysis, but the PSP must justify each exemption [Art. 98(1)(b), Art. 98(3)].
  • Provide account information service and payment initiation service interfaces that do not create obstacles to third-party providers — account servicing PSPs must not block or obstruct PISP/AISP access [Art. 66, Art. 67, Art. 115(6)].
  • Implement clear, user-friendly refund mechanisms — the payer has a right to an immediate refund for unauthorised transactions, and an unconditional right to a refund for authorised direct debits within 8 weeks [Art. 73, Art. 76].
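The IT / Security and Product / Engineering items above describe three checks a checkout must get right: whether the low-value exemption can replace SCA, whether the chosen elements really are two independent categories, and dynamic linking of the authentication to the amount and payee. The following Python sketch is an added illustration, not code from the page or from any PSP; it uses the EUR 30 / EUR 100 thresholds quoted on this page, models dynamic linking as an HMAC over amount and payee (an assumed design, not the EBA RTS mechanism), and the key, nonce and payee identifier are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Thresholds quoted on this page for the low-value remote exemption, in euro cents.
LOW_VALUE_LIMIT = 30_00
CUMULATIVE_LIMIT = 100_00


def sca_required(amount: int, spent_since_last_sca: int) -> bool:
    """True unless the low-value exemption can be claimed for this remote payment.
    The PSP must justify every exemption, so the caller should log the inputs."""
    if amount >= LOW_VALUE_LIMIT:
        return True
    return spent_since_last_sca + amount > CUMULATIVE_LIMIT


def is_strong(elements: dict[str, str]) -> bool:
    """Two or more elements drawn from at least two of knowledge, possession
    and inherence (Art. 4(30)); two passwords are not SCA."""
    allowed = {"knowledge", "possession", "inherence"}
    return len(elements) >= 2 and len(set(elements.values()) & allowed) >= 2


def issue_auth_code(key: bytes, amount: int, payee: str, nonce: bytes) -> str:
    """Authentication code dynamically linked to the amount and payee shown
    to the payer during authentication (Art. 97(2)). Assumed HMAC design."""
    message = f"{amount}|{payee}|".encode() + nonce
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_auth_code(key: bytes, amount: int, payee: str, nonce: bytes, code: str) -> bool:
    """Recompute the code for the transaction actually being executed; any
    change to amount or payee after authentication invalidates it."""
    return hmac.compare_digest(issue_auth_code(key, amount, payee, nonce), code)


if __name__ == "__main__":
    key = secrets.token_bytes(32)    # issuer-side secret, constructed for this demo
    nonce = secrets.token_bytes(16)  # per-transaction challenge
    payee = "merchant-0001"          # constructed payee identifier
    code = issue_auth_code(key, 45_00, payee, nonce)
    print("SCA required for EUR 45.00:", sca_required(45_00, 0))
    print("password + authenticator app is SCA:",
          is_strong({"password": "knowledge", "app": "possession"}))
    print("code valid for EUR 45.00:", verify_auth_code(key, 45_00, payee, nonce, code))
    print("code valid after amount changed:", verify_auth_code(key, 450_00, payee, nonce, code))
```

The last line shows the point of dynamic linking: a code obtained for EUR 45.00 cannot be replayed to authorise EUR 450.00 or a different payee.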

Key Terms

Payment service provider (PSP)
A body authorised under Art. 1(1) — credit institution, electronic money institution, payment institution, post office giro institution — or a natural or legal person benefiting from an exemption under Art. 32 or 33 [Art. 4(11)].
Strong Customer Authentication (SCA)
Authentication based on two or more independent elements from the categories knowledge, possession, and inherence, designed so that a breach of one does not compromise the others [Art. 4(30)].
Payment initiation service (PIS)
A service to initiate a payment order at the request of the payment service user with respect to a payment account held at another payment service provider [Art. 4(15)].
Account information service (AIS)
An online service to provide consolidated information on one or more payment accounts held by the user with one or more other payment service providers [Art. 4(16)].
Payment institution
A legal person that has been granted authorisation under Art. 11 to provide and execute payment services throughout the Union [Art. 4(4)].
Framework contract
A payment service contract governing the future execution of individual and successive payment transactions, which may include the obligation and conditions for setting up a payment account [Art. 4(21)].
Personalised security credentials
Personalised features provided by the payment service provider to a payment service user for authentication purposes [Art. 4(31)].

Frequently Asked Questions

What is Strong Customer Authentication (SCA) and when must it be applied?
SCA is an authentication process based on two or more independent elements from the categories knowledge (something the user knows), possession (something the user possesses), and inherence (something the user is) [Art. 4(30)]. PSPs must apply SCA when a payer accesses a payment account online, initiates an electronic payment transaction, or carries out any remote action implying a risk of fraud [Art. 97(1)].
Are there exemptions from SCA requirements?
Yes. The EBA Regulatory Technical Standards under Art. 98 define exemptions based on risk level, transaction amount and recurrence, and the payment channel used [Art. 98(3)]. Common exemptions include low-value remote transactions (under EUR 30, cumulative cap EUR 100), trusted beneficiary lists, recurring transactions with fixed amounts, and transactions assessed as low-risk via transaction risk analysis.
What happens if a PSP fails to apply SCA and an unauthorised transaction occurs?
Where the PSP does not require SCA, the payer bears no financial losses unless the payer acted fraudulently [Art. 74(2)]. Where the payee or the payee's PSP fails to accept SCA, it must refund the financial damage caused to the payer's PSP [Art. 74(2)].
What are the capital requirements for a payment institution?
Initial capital varies by service type: EUR 20,000 for money remittance services (Annex I point 6), EUR 50,000 for payment initiation services (Annex I point 7), and EUR 125,000 for services including deposits, transfers, issuing payment instruments, or acquiring payment transactions (Annex I points 1–5) [Art. 7].
Can small payment service providers benefit from a lighter regime?
Yes. Member States may exempt natural or legal persons whose monthly average total value of payment transactions does not exceed EUR 3 million from most authorisation requirements under Art. 32. However, these persons remain subject to AML obligations under Directive (EU) 2015/849 [Art. 32(6)].
What must account servicing PSPs provide to third-party providers (PISPs and AISPs)?
Account servicing PSPs must allow PISPs and AISPs to rely on the authentication procedures provided to payment service users [Art. 97(5)]. They must communicate securely with PISPs and AISPs [Art. 66, Art. 67] and must not block or obstruct the use of payment initiation and account information services [Art. 115(6)].
How does PSD2 interact with DORA (Regulation (EU) 2022/2554)?
Directive (EU) 2022/2556 (amending PSD2 as M1) aligns PSD2's operational security and incident reporting provisions with DORA. Payment institutions must now manage ICT risk and report major ICT-related incidents in accordance with Chapter II of Regulation (EU) 2022/2554 [Art. 95 as amended, Art. 98(5)].