AuditXYZ

Payment Services Directive 2 (EU) 2015/2366

PSD2 revolutionized European payments by mandating open banking and strong customer authentication. This guide covers SCA requirements, open banking APIs, licensing, and compliance for payment service providers.

Issuing Body: European Parliament and Council of the European Union
First Published: 2015-11-25
Latest Version: 2015 (with 2019 SCA enforcement, PSD3 proposed 2023)
Typical Cost: $50,000–$1,000,000
Typical Timeline: 6–18 months
Audit Required: Yes
Audit Frequency: Authorization by national competent authority required. Ongoing regulatory supervision with periodic reviews.
Geography: European Union, United Kingdom

PSD2: EU Payment Services Directive Guide

The Second Payment Services Directive (PSD2) transformed the European payments landscape by introducing open banking requirements and strong customer authentication (SCA). By requiring banks to share account data with authorized third parties and mandating two-factor authentication for electronic payments, PSD2 opened the door to a new generation of financial services while raising security standards.

What PSD2 Covers

PSD2 creates two new categories of regulated payment service providers: Account Information Service Providers (AISPs) that can access account data with customer consent, and Payment Initiation Service Providers (PISPs) that can initiate payments directly from customer bank accounts. Banks must provide secure APIs enabling these services.

Strong Customer Authentication requires that electronic payments use at least two of three authentication factors: knowledge (something the user knows), possession (something the user has), and inherence (something the user is). Exemptions exist for low-value transactions, trusted beneficiaries, and certain merchant-initiated transactions.
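As an added example (not code from the original page), the following Python helper encodes the two rules the paragraph above describes: check whether an exemption applies, and otherwise require that the verified factors come from at least two distinct categories, so that two knowledge factors such as a password plus a PIN do not count. The field names, the ordering of the exemption checks and the low-value threshold default are assumptions for illustration, not figures taken from the page.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Factor(Enum):
    """The three SCA factor categories named in PSD2."""
    KNOWLEDGE = "knowledge"    # something the user knows (password, PIN)
    POSSESSION = "possession"  # something the user has (registered device, card)
    INHERENCE = "inherence"    # something the user is (fingerprint, face)


@dataclass
class Payment:
    amount_eur: float
    merchant_initiated: bool = False      # e.g. a recurring charge the payer agreed to earlier
    payee_in_trusted_list: bool = False   # payee whitelisted by the payer with their bank
    presented_factors: Tuple[Factor, ...] = ()   # factors verified at checkout


def sca_exemption(p: Payment, low_value_threshold: float = 30.0) -> Optional[str]:
    """Name the applicable exemption, or None when SCA must be applied.

    The threshold default is an assumption for this example; the page
    states no figure. Exemptions are checked before factor counting.
    """
    if p.merchant_initiated:
        return "merchant-initiated transaction"
    if p.payee_in_trusted_list:
        return "trusted beneficiary"
    if p.amount_eur <= low_value_threshold:
        return "low-value transaction"
    return None


def satisfies_sca(factors) -> bool:
    """True only when at least two *distinct* categories were verified.
    Password + PIN are both knowledge, so together they count as one factor."""
    return len(set(factors)) >= 2


def decide(p: Payment, low_value_threshold: float = 30.0) -> str:
    """Outcome for one payment: exempt, authenticated, or needs a challenge."""
    exemption = sca_exemption(p, low_value_threshold)
    if exemption is not None:
        return "exempt: " + exemption
    if satisfies_sca(p.presented_factors):
        return "authenticated"
    return "challenge: fewer than two distinct factors"
```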

Who Needs PSD2 Compliance

PSD2 applies to all payment service providers operating in the EU/EEA, including banks, payment institutions, electronic money institutions, AISPs, and PISPs. E-commerce merchants are indirectly affected through SCA requirements on customer-initiated payments. The UK retained PSD2 post-Brexit with plans for its own open banking evolution.

Implementation Approach

For banks, the primary obligation is building compliant open banking APIs and implementing SCA across payment channels. For fintechs seeking AISP or PISP authorization, the process involves regulatory licensing, building secure API integrations, and implementing customer consent management. For merchants, integration with SCA-compliant payment flows is essential.

Cost Considerations

Banks typically invested $1 million to $50 million in PSD2 compliance including API infrastructure, SCA implementation, and fraud monitoring systems. Fintech startups entering as AISPs or PISPs can expect $50,000 to $300,000 for licensing, API development, and compliance infrastructure. The proposed PSD3 will bring additional changes that organizations should factor into their planning.
