PSD2 Explained: What It Means for Merchants and Payments
If you sell to customers in Europe, PSD2 explained in plain language is one of the most valuable things you can read this quarter. The second Payment Services Directive reshaped how online and in-person payments are authorised, who can access account data, and what your customers experience at checkout. Whether you run an e-commerce store, a service business, or a mobile-first operation, PSD2 quietly governs a large share of every euro that flows to you. This guide breaks down what PSD2 actually requires, why Strong Customer Authentication matters, how SCA affects conversion, and the practical steps merchants can take to keep payments smooth and secure.
Key Takeaways
What Is PSD2 and Why Was It Introduced?
The second Payment Services Directive (PSD2, Directive (EU) 2015/2366) is European Union legislation adopted in 2015 that applied across member states from January 2018, replacing the original 2007 directive. Its Strong Customer Authentication rules took effect later, in September 2019, when the supporting regulatory technical standards began to apply. Its goals were straightforward even if its details are technical: make electronic payments safer, increase competition, and give consumers more control over their financial data.
Before PSD2, banks held a near-monopoly on account access and the flow of payment data. Innovation was slow, fraud-prevention standards varied between providers, and new fintech entrants struggled to plug into the banking system. PSD2 set out to change all three problems at once.
The Three Pillars of PSD2
Most of what merchants need to understand sits inside three big themes:
Who PSD2 Applies To
PSD2 covers payment service providers operating in the European Economic Area, and through them it reaches any business that takes electronic payments from EEA customers. That includes card payments, bank transfers, and the growing category of account-to-account transactions. Even if your business and your acquirer are based outside the region, the moment you serve European cardholders these rules still shape how those transactions are authenticated, because the customer's EEA issuer is expected to apply SCA on a best-effort basis to such "one-leg-out" payments and may challenge or decline them.
Strong Customer Authentication (SCA): The Core Requirement
If there is one phrase every merchant should memorise from this whole topic, it is Strong Customer Authentication. SCA is the security mechanism at the heart of PSD2, and it is the part customers actually feel at checkout.
What SCA Actually Requires
Under SCA, most electronic payments must be authenticated using at least two of three independent categories of factor: knowledge (something only the customer knows, such as a password or PIN), possession (something only the customer has, such as a registered phone, card or hardware token) and inherence (something the customer is, such as a fingerprint or face). Two factors from the same category, such as a password plus a security question, do not count.
The factors must also be independent: compromising one must not compromise the other. A password typed into the same phone that then receives the one-time code is the classic case that gets scrutinised, because malware on that phone captures both. The technical standards do allow a single multi-purpose device, but only with mitigations such as keeping the possession proof in a separate secure execution environment or app-bound key rather than in a code the user retypes.
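The two-of-three rule and the independence check above can be expressed as a small policy evaluator. This is an added example written for this article, not code from a regulator or payment provider; the factor catalogue, the `hardware_bound` attribute and the rule that all-on-one-device is acceptable only when one factor is bound to that device's hardware are this example's own modelling assumptions.

```python
"""Evaluate whether a set of presented factors meets the PSD2 SCA
"two independent elements from different categories" requirement.

Added worked example; the modelling (Factor fields, device-sharing rule)
is an assumption of this example, not a regulator-provided specification.
"""
from dataclasses import dataclass

# The three SCA categories defined by PSD2.
KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"
CATEGORIES = {KNOWLEDGE, POSSESSION, INHERENCE}


@dataclass(frozen=True)
class Factor:
    name: str
    category: str
    device: str                  # where the factor is entered or proven
    hardware_bound: bool = False  # proof comes from a key held in the device's
                                  # secure hardware / app-bound key, not a code
                                  # the user retypes (assumption: this is the
                                  # mitigation that makes one-device SCA acceptable)


def evaluate_sca(factors: list[Factor]) -> tuple[bool, list[str]]:
    """Return (compliant, findings) for the presented factors."""
    findings: list[str] = []
    for f in factors:
        if f.category not in CATEGORIES:
            raise ValueError(f"{f.name}: unknown category {f.category!r}")

    # Rule 1: at least two distinct categories (knowledge/possession/inherence).
    categories = {f.category for f in factors}
    if len(categories) < 2:
        findings.append(f"only one category present: {sorted(categories)}")
        return False, findings

    # Rule 2: independence. If every factor lives on the same device and none
    # of them is hardware-bound, a compromise of that device yields all of them
    # (e.g. password typed into the phone that also receives the SMS code).
    devices = {f.device for f in factors}
    if len(devices) == 1 and not any(f.hardware_bound for f in factors):
        findings.append(
            f"all factors on {next(iter(devices))} and none is hardware-bound; "
            "compromise of that device defeats both"
        )
        return False, findings

    return True, findings


def run_examples() -> dict[str, bool]:
    """Constructed sample flows; returns name -> compliant."""
    flows = {
        # two knowledge factors: fails the category rule
        "password_plus_security_question": [
            Factor("password", KNOWLEDGE, "laptop"),
            Factor("security question", KNOWLEDGE, "laptop"),
        ],
        # password and SMS code both on one phone: fails independence
        "password_plus_sms_same_phone": [
            Factor("password", KNOWLEDGE, "phone"),
            Factor("sms otp", POSSESSION, "phone"),
        ],
        # password on the laptop, SMS code on a separate phone: acceptable
        "password_laptop_plus_sms_phone": [
            Factor("password", KNOWLEDGE, "laptop"),
            Factor("sms otp", POSSESSION, "phone"),
        ],
        # banking app: device-bound key (possession) plus fingerprint (inherence)
        "bank_app_push_with_biometric": [
            Factor("app-bound key", POSSESSION, "phone", hardware_bound=True),
            Factor("fingerprint", INHERENCE, "phone"),
        ],
    }
    return {name: evaluate_sca(factors)[0] for name, factors in flows.items()}


if __name__ == "__main__":
    for name, ok in run_examples().items():
        print(f"{name}: {'compliant' if ok else 'NOT compliant'}")
```

The fourth flow is the one a well-built issuer app produces: both factors sit on one phone, but the possession proof is a key the phone's secure hardware holds, so a stolen password or a SIM swap alone does not reproduce it.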
Why Two Factors Matter
Single-factor authentication, like a password alone, is notoriously weak. Credentials get phished, reused, and leaked. By requiring a second, independent factor, SCA dramatically raises the cost and difficulty of fraud. For merchants, that translates into fewer fraudulent chargebacks and, for card payments the issuer has authenticated, a shift of fraud liability away from the merchant and onto the issuer.
How 3-D Secure 2 Fits In
For card payments, SCA is most commonly delivered through 3-D Secure 2 (3DS2), the updated version of the card networks' authentication protocol. Unlike the clunky first-generation 3-D Secure, 3DS2 passes far more contextual data to the card issuer (device information, transaction history, shipping details) so the issuer can make a smarter risk decision. When risk is low and the data is rich, the issuer approves the authentication in a "frictionless" flow without forcing the customer through an extra step; otherwise it returns a "challenge" and the customer authenticates in the issuer's app or with a code. That silent, behind-the-scenes frictionless flow is exactly what you want.
How PSD2 and SCA Affect the Checkout Experience
The biggest practical concern for merchants is friction. Every extra tap, redirect, or one-time code introduces a chance for the customer to abandon the cart. Understanding how PSD2 shapes checkout lets you minimise that drop-off.
The Trade-Off Between Security and Conversion
There is a real tension here. Strong authentication reduces fraud, but poorly implemented authentication reduces sales. A confusing redirect, a slow SMS code, or an authentication screen that does not render on mobile can all cost you a completed order. The merchants who win are the ones who treat authentication as a design problem, not just a compliance checkbox.
Practical Checkout Improvements
To keep checkout smooth while staying aligned with SCA expectations:
What Customers Experience
In practice, a well-handled SCA flow can be nearly invisible: a biometric prompt on the customer's banking app, a tap, and back to your confirmation page. A poorly handled one feels like an interrogation. The gap between those two experiences is almost entirely down to implementation quality and the data you pass through.
SCA Exemptions Every Merchant Should Know
PSD2 was never meant to force a challenge on every single transaction. The framework includes SCA exemptions designed to keep low-risk payments frictionless. Knowing these can meaningfully lift your conversion rate.
Common Exemption Categories
Who Decides on an Exemption
A crucial point that confuses many merchants: requesting an exemption is not the same as receiving one. The customer's card issuer always has the final say. You can flag a transaction as eligible, but the issuer may still demand authentication. Smart routing means presenting strong risk signals so issuers are comfortable granting the exemption you request.
Balancing Exemptions and Liability
Exemptions reduce friction but carry a liability trade-off. For card payments, an exemption that the merchant or acquirer requests (such as transaction risk analysis or low value) means the issuer did not authenticate the customer, so fraud liability stays with the merchant instead of shifting to the issuer as it does after a completed 3DS2 challenge. There is a genuine business decision here: chase maximum frictionless throughput, or accept a little more authentication for stronger chargeback protection. The right answer depends on your average order value, your fraud profile, and your margins.
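The points above ("requesting is not receiving", the issuer's final say, and who carries liability) are easiest to see as an exchange between the merchant side and the issuer side. The following is an added example written for this article, not code from any payment provider. The numeric thresholds are the ones in the RTS on SCA (Delegated Regulation (EU) 2018/389: Article 16 low-value limits of EUR 30 per transaction, EUR 100 cumulative or five transactions since the last SCA; Article 18 TRA bands of EUR 100, 250 and 500 at reference fraud rates of 0.13 %, 0.06 % and 0.01 %). The merchant policy ("prefer TRA, then low value, else challenge"), the simplified issuer behaviour, and the sample transactions are assumptions of this example.

```python
"""Merchant-side exemption request, issuer-side decision, and the
soft-decline retry. Added worked example; the routing policy and the
issuer model are simplifying assumptions, not any provider's real logic.
"""
from dataclasses import dataclass

# Thresholds from the RTS on SCA, Articles 16 and 18. Amounts in EUR.
LOW_VALUE_LIMIT = 30.0
LOW_VALUE_CUMULATIVE = 100.0
LOW_VALUE_COUNT = 5
TRA_BANDS = ((0.01, 500.0), (0.06, 250.0), (0.13, 100.0))  # (max fraud rate %, max amount)

LOW_VALUE = "low_value"
TRA = "transaction_risk_analysis"


def choose_exemption(amount: float, acquirer_fraud_rate: float):
    """Merchant/acquirer side: which exemption to flag on the authorisation.

    Policy (assumption): request TRA whenever the acquirer's reference fraud
    rate qualifies for a band covering this amount, else low value, else None
    (send for a 3DS2 challenge).
    """
    for max_rate, max_amount in TRA_BANDS:  # widest band first
        if acquirer_fraud_rate <= max_rate and amount <= max_amount:
            return TRA
    if amount <= LOW_VALUE_LIMIT:
        return LOW_VALUE
    return None


@dataclass
class IssuerState:
    """Per-card counters the issuer keeps; the merchant cannot see these."""
    count_since_sca: int = 0
    sum_since_sca: float = 0.0

    def apply_sca(self) -> None:
        # A completed challenge resets the low-value counters.
        self.count_since_sca = 0
        self.sum_since_sca = 0.0


def issuer_decide(state: IssuerState, amount: float, requested) -> str:
    """Issuer side: 'frictionless' if it honours the requested exemption,
    otherwise 'challenge'. The issuer always has the final say."""
    if requested == LOW_VALUE:
        if (amount <= LOW_VALUE_LIMIT
                and state.count_since_sca < LOW_VALUE_COUNT
                and state.sum_since_sca + amount <= LOW_VALUE_CUMULATIVE):
            state.count_since_sca += 1
            state.sum_since_sca += amount
            return "frictionless"
        return "challenge"
    if requested == TRA:
        # Assumption: this issuer accepts the acquirer's TRA flag. A real issuer
        # may still run its own risk scoring and challenge anyway.
        return "frictionless"
    return "challenge"


def authorise(state: IssuerState, amount: float, acquirer_fraud_rate: float) -> dict:
    """One payment: request, issuer answer, and the retry on a soft decline."""
    requested = choose_exemption(amount, acquirer_fraud_rate)
    outcome = issuer_decide(state, amount, requested)
    if outcome == "challenge":
        # Issuer refused the exemption (a soft decline). Resubmit through a
        # 3DS2 challenge; once the customer authenticates, the issuer resets
        # its counters and fraud liability shifts to the issuer.
        state.apply_sca()
        return {"requested": requested, "path": "challenged", "liability": "issuer"}
    # Exempted by request of the merchant side: no liability shift.
    return {"requested": requested, "path": "frictionless", "liability": "merchant"}


def run_coffee_scenario() -> list[str]:
    """Constructed sample: six EUR 25 purchases on one card at a merchant whose
    acquirer fraud rate is 0.20 % (too high for any TRA band)."""
    state = IssuerState()
    return [authorise(state, 25.0, 0.20)["path"] for _ in range(6)]


if __name__ == "__main__":
    print(run_coffee_scenario())
    print(authorise(IssuerState(), 200.0, 0.05))   # TRA, frictionless, merchant liable
    print(authorise(IssuerState(), 600.0, 0.005))  # no exemption fits, challenged
```

In the coffee scenario the merchant flags every purchase as low value, and the issuer honours the first four; the fifth would take the cumulative total past EUR 100, so the issuer challenges, the counters reset, and the sixth is frictionless again. Nothing on the merchant side could have predicted the fifth decline, which is why a robust integration always handles the soft decline by retrying with a challenge rather than treating it as a failed payment.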
Open Banking: The Other Half of PSD2
While SCA grabs the headlines, the open banking provisions of PSD2 may have the deeper long-term impact. By requiring banks to expose secure interfaces, PSD2 created a new ecosystem of regulated services that connect directly to accounts.
Two New Service Types
Why This Matters for Merchants
Payment initiation opens a door to account-to-account payments at checkout. Instead of a card transaction with interchange fees and chargeback exposure, the customer approves a direct bank transfer authenticated through their own banking app. For merchants, the appeal is lower cost and reduced fraud, though settlement timing and customer familiarity still vary by market.
Open banking also feeds smoother onboarding. Verified account data can streamline KYC checks and reduce the manual friction of bringing a new customer or merchant online — a theme that runs across modern payment platforms.
How PSD2 Connects to the Wider Payments Landscape
PSD2 is fundamentally a framework for traditional, account-based and card-based payments in Europe. But it does not exist in a vacuum. The same forces that drove PSD2 — demand for lower fees, stronger security, and faster settlement — are pushing merchants to explore newer rails alongside cards.
Cards, Bank Transfers, and Stablecoins Side by Side
Modern merchants increasingly want optionality. Card acceptance remains essential, and PSD2's authentication rules make those card payments safer than ever. At the same time, on-chain stablecoin payments have emerged as a complementary option, particularly for cross-border and digital-first commerce, where settlement on networks like Solana can be fast and low-cost.
This is where a tool like FiatFlex fits naturally into a merchant's stack. As a mobile payment platform, it lets a merchant accept contactless Tap to Pay payments over NFC — Visa, Mastercard, Amex, Apple Pay, Google Pay, and Samsung Pay — directly on a compatible phone, with no separate terminal. The same app also supports crypto acceptance: USDC, EUROC (EURC), and SOL on Solana through payment links and QR codes, with the merchant choosing when to convert to euros. Euros can then be withdrawn to a SEPA-area bank account. Card payments still flow through the card networks and their PSD2-aligned authentication; the crypto side simply adds another way to get paid.
Designing a Resilient Payment Mix
The lesson for merchants is not to pick one rail and ignore the rest. A resilient setup typically blends:
Spreading acceptance across rails reduces single-point-of-failure risk and lets you meet customers where they already are.
Practical PSD2 Checklist for Merchants
To turn theory into action, here is a condensed checklist you can work through with your payment provider and developers:
Frequently Asked Questions
Does PSD2 apply to every online payment in Europe?
PSD2 and its SCA requirements apply broadly to electronic payments where both the payer's and the payee's providers are in the European Economic Area. There are nuances: merchant-initiated transactions such as recurring subscription charges (out of scope once the customer authenticated the initial mandate), one-leg-out transactions where one party sits outside the EEA (handled by the EEA issuer on a best-effort basis), and specific low-risk categories that fall under an exemption may all be treated differently. The practical takeaway is that if you sell to European customers, you should assume SCA is in scope and design your checkout accordingly.
What is the difference between SCA and 3-D Secure 2?
Strong Customer Authentication is the regulatory requirement: payments must be verified with at least two independent factors. 3-D Secure 2 is one of the technical protocols used to deliver that authentication for card payments. Think of SCA as the rule and 3DS2 as a primary tool for meeting it on cards. Other payment types, such as bank-initiated transfers through open banking, satisfy SCA through the customer's own banking app rather than through 3DS2.
Will Strong Customer Authentication hurt my conversion rate?
It can, but mostly when it is implemented poorly. A clunky redirect, a slow one-time code, or an authentication page that breaks on mobile will cost sales. A well-built flow — rich transaction data, biometric prompts, smart use of exemptions, and clear customer messaging — keeps friction low and can even improve approval rates because issuers trust well-structured transactions. The merchants who suffer are usually the ones who treated SCA as a checkbox rather than a checkout-design priority.
How does open banking relate to PSD2?
Open banking is a direct product of PSD2. The directive required banks to provide secure interfaces so licensed third parties could, with customer consent, read account data (Account Information Services) or initiate payments (Payment Initiation Services). For merchants, the most interesting outcome is account-to-account payment initiation, which can lower costs and reduce fraud compared with cards. Open banking and the card-focused SCA rules are two complementary halves of the same regulation.