EU PSD2 — Payment Services Directive (Directive (EU) 2015/2366)

SmartSuite provides the system for managing controls, evidence, mappings, assessments, and reporting. Framework text may require a separate license unless explicitly provided.
Overview
EU PSD2 — Payment Services Directive (Directive (EU) 2015/2366) is a European Union regulation that strengthens security, transparency, and consumer protection for electronic payments and payment services. The directive establishes requirements for strong customer authentication, reduces fraud, and fosters innovation and competition in the financial technology sector.
Published by the European Parliament and Council, PSD2 applies to banks, payment service providers, and fintech organizations operating within the European Economic Area. It addresses cybersecurity, data protection, operational risk management, and regulatory compliance by mandating secure access to payments infrastructure and setting rules for third-party providers.
Organizations embed PSD2 requirements into their compliance programs by implementing technical controls such as multi-factor authentication, monitoring access to payment data, conducting regular risk assessments, and maintaining robust incident response procedures. PSD2 is often aligned with broader risk management and data protection frameworks like GDPR to support overall regulatory compliance.
Why it Matters
PSD2 establishes a robust regulatory foundation for electronic payments, driving security, competition, and consumer protection across the financial sector.
Key benefits include:
• Strengthen payment security governance
Establish comprehensive oversight for electronic payment processes and ensure effective control over access to sensitive payment data.
• Enhance consumer protection
Uphold consumer rights through transparent processes, improved dispute resolution mechanisms, and mandatory strong customer authentication.
• Enable secure third-party innovation
Support safe integration and access for fintech and third-party providers, fostering innovation while maintaining strict security standards.
• Improve fraud prevention measures
Reduce payment fraud risk by mandating multi-factor authentication and monitoring requirements for all payment service providers.
• Align regulatory and data protection requirements
Promote consistent compliance with EU rules, including GDPR, by synchronizing operational controls and secure data handling across organizations.
How it Works
The EU Payment Services Directive 2 (PSD2) structures regulatory requirements for payment service providers around several key areas, including strong customer authentication (SCA), secure communication standards, risk management obligations, and the rights and responsibilities of payment service users. PSD2 is codified within legal mandates that reinforce security safeguards for payments, define operational requirements for access to account data, and establish governance over third-party provider (TPP) relationships.
In practice, organizations complying with PSD2 implement technical and organizational security controls to meet regulatory obligations. Activities typically involve deploying SCA measures, conducting periodic risk assessments, mapping security practices to compliance domains, and ensuring continuous monitoring of payment transactions. Firms regularly perform assessments and audits to demonstrate conformity and manage access permissions for TPPs, while updating policies and procedures as regulatory interpretations evolve.
With SmartSuite, organizations operationalize PSD2 by leveraging control libraries tailored to directive requirements, maintaining risk registers for payment-related threats, and governing policies aligned with EU mandates. The platform supports evidence collection, facilitates compliance tracking, and provides remediation workflows to address gaps. Audit readiness and real-time reporting dashboards allow for ongoing compliance monitoring and streamlined regulatory reviews.
Key Elements
• Strong Customer Authentication Protocols
Establishes requirements for verifying customer identity through multi-factor mechanisms during payment transactions.
• Third-Party Access Management
Describes rules for secure integration and supervised access by authorized payment initiation and account information providers.
• Data Protection and Confidentiality
Specifies provisions for safeguarding payment data and maintaining customer information privacy throughout processing activities.
• Incident Reporting and Response Procedures
Outlines structured processes for notification, investigation, and resolution of security incidents impacting payment services.
• Operational and Security Risk Controls
Defines measures for managing operational risks and enforcing technical safeguards against fraud and unauthorized access.
• Transparent Information Disclosure
Organizes requirements for clear communication of terms, rights, and obligations to users of payment services.
Framework Scope
EU PSD2 — Payment Services Directive is implemented by financial institutions, banks, payment service providers, and fintech companies operating within the European Economic Area. The directive governs electronic payments infrastructure, customer authentication systems, and payment data environments, and is typically adopted when meeting regulatory requirements, reducing payment fraud, and supporting cybersecurity and compliance programs.
Framework Objectives
EU PSD2 — Payment Services Directive enhances payment security, consumer protection, and regulatory compliance across electronic payment services in the European Economic Area.
• Strengthen cybersecurity controls to safeguard payment transactions and sensitive customer data
• Promote effective governance over payment service providers and third-party access
• Enhance risk management to prevent fraud and ensure operational resilience
• Support data protection measures aligned with regulatory and privacy requirements
• Improve compliance with statutory obligations for payment security and consumer rights
• Enable increased audit readiness through robust monitoring and reporting mechanisms
EU PSD2 establishes payment security and access requirements for payment service providers and is commonly aligned with the EBA SCA RTS and GDPR, and mapped to ISO/IEC 27001 or PCI DSS controls for technical security. Organizations implement PSD2 primarily for regulatory compliance, licensing, secure payment processing, and demonstrating operational security to regulators and partners.
Common Framework Mappings
Organizations map PSD2 to complementary frameworks to align security controls, privacy obligations, and operational resilience across payments, data protection, and critical infrastructure.
Mapped frameworks include:
• Digital Operational Resilience Act (DORA)
• EBA RTS on Strong Customer Authentication (SCA RTS)
• EU General Data Protection Regulation (GDPR)
• ISO/IEC 27001
• NIS2 Directive
• NIST Cybersecurity Framework (NIST CSF)
• Payment Card Industry Data Security Standard (PCI DSS)
• SWIFT Customer Security Controls Framework (CSCF)
- Classification
  Category: Payment Security
  Domain: Financial Services Regulation
  Framework Family: Other
- Regulatory Context
  Type: Regulation
  Legal Instrument: Directive
  Sector: Financial Sector
  Industry: Payment & FinTech
- Region / Publisher
  Region: European Union
  Region Detail: European Union
  Publisher: European Commission
- Versioning
  Version: Directive (EU) 2015/2366
  Effective Date: January 13, 2018
  Issue Date: November 25, 2015
- Adoption
  Adoption Model: Regulatory Compliance
  Implementation Complexity: High
- Official Reference
  Source
License included / downloadable: Yes
PSD2 is European Union legislation and is publicly available through official EU regulatory publications.
How SmartSuite Supports EMEA EU PSD2
Centralize controls, evidence, and audit workflows to stay continuously SOC 2–ready.
Authentication and SCA Controls
Track SCA requirements, MFA controls, and authentication evidence for payment flows.
API and Interface Security Governance
Manage control requirements and testing evidence for regulated interfaces.
Fraud and Transaction Monitoring Workflows
Track monitoring controls, alerts, investigations, and improvements.
Incident Response and Reporting Discipline
Run incident workflows with timelines, escalations, and documentation.
Critical Provider Contract and Monitoring Management
Manage critical provider contracts, reviews, and ongoing monitoring evidence.
Compliance Reporting
Report control status, testing coverage, and open issues for stakeholders.
Related frameworks

DORA is an EU regulation requiring financial firms to manage ICT risks, report incidents, test security, and oversee third-party providers.

GDPR is an EU regulation that protects individuals' personal data and strengthens organizations' accountability for privacy.

ISO/IEC 27001:2022 is an international ISMS standard that helps organizations manage information security risks and protect data.

NIS2 establishes mandatory cybersecurity and incident-reporting requirements to strengthen resilience across essential and important EU organizations.

NIST Cybersecurity Framework (CSF) v2.0 is a risk-based framework that helps organizations manage and reduce cybersecurity risks.
Frequently Asked Questions For EU PSD2 (Payment Services Directive 2)
EU PSD2 is a regulatory framework designed to enhance security, transparency, and consumer protection for electronic payments and payment services within the European Economic Area. It standardizes requirements for secure payment processing, facilitates safe third-party access to banking data, and aims to reduce fraud and encourage innovation in financial technology.
Yes, compliance with PSD2 is mandatory for banks, payment institutions, and other payment service providers operating in the EU and EEA. Organizations are legally required to implement PSD2 provisions to maintain authorization and continue offering payment services.
PSD2 applies to all financial institutions, including traditional banks, fintech companies, and third-party payment providers (TPPs) that process or access payment data of individuals and businesses within the EU and EEA. This applies regardless of the location of the service provider if the transaction involves parties in the EU.
Organizations must implement Strong Customer Authentication (SCA), secure communication protocols, risk management policies, and access controls for third-party providers. Key deliverables include multi-factor authentication, transaction monitoring, secure APIs, and audit trails for payment data access.
Implementation involves deploying technical solutions for SCA, mapping roles and permissions for data access, and setting up continuous monitoring of payment transactions. Organizations must update internal policies, perform regular risk assessments, and train staff to recognize and address PSD2-related risks.
PSD2 and GDPR have overlapping requirements around data protection, privacy, and incident response. Organizations frequently align their PSD2 compliance program with GDPR by harmonizing data management practices, breach notification processes, and security controls to satisfy both sets of requirements.
Continuous compliance requires regular security testing, risk assessments, monitoring third-party access, and maintaining up-to-date incident response plans. Firms are also expected to keep detailed records, respond to regulatory audits, and update procedures as regulatory interpretations evolve.
SmartSuite enables organizations to manage EU PSD2 compliance by centralizing risk tracking, managing control libraries aligned with directive requirements, and facilitating evidence collection for audits. The platform provides dashboards for real-time compliance monitoring, supports audit readiness, and orchestrates remediation workflows to address gaps or findings efficiently.
Put CRI Profile into action with SmartSuite
Map controls, collect evidence, run assessments, manage remediation, and report readiness - all from a single connected system.

