PSD2 Explained: What It Means for Merchants and Payments

By FiatFlex Team

If you sell to customers in Europe, a plain-language explanation of PSD2 is one of the most valuable things you can read this quarter. The second Payment Services Directive reshaped how online and in-person payments are authorised, who can access account data, and what your customers experience at checkout. Whether you run an e-commerce store, a service business, or a mobile-first operation, PSD2 quietly governs a large share of every euro that flows to you. This guide breaks down what PSD2 actually requires, why Strong Customer Authentication matters, how SCA affects conversion, and the practical steps merchants can take to keep payments smooth and secure.

Key Takeaways

  • PSD2 is the European Union's second Payment Services Directive. It modernised payment rules, opened bank account access to licensed third parties, and mandated stronger security at checkout.
  • Strong Customer Authentication (SCA) is the headline requirement: most electronic payments must be verified with at least two independent factors.
  • SCA applies to many card and account-to-account payments, but a set of exemptions exists to reduce friction for low-risk transactions.
  • Open banking emerged from PSD2, letting account information and payment initiation services connect to bank accounts through regulated APIs.
  • Merchants who understand the rules can reduce declined transactions, lower fraud, and design a faster checkout.
  • The direction of travel matters too: stablecoin and on-chain payment rails are becoming a practical complement to traditional card flows.

    What Is PSD2 and Why Was It Introduced?

    The Payment Services Directive 2 (PSD2) is European Union legislation that came into force in 2018, replacing the original 2007 directive. Its goals were straightforward even if its details are technical: make electronic payments safer, increase competition, and give consumers more control over their financial data.

    Before PSD2, banks held a near-monopoly on account access and the flow of payment data. Innovation was slow, fraud-prevention standards varied between providers, and new fintech entrants struggled to plug into the banking system. PSD2 set out to change all three problems at once.

    The Three Pillars of PSD2

    Most of what merchants need to understand sits inside three big themes:

  • Security and authentication. The directive introduced Strong Customer Authentication, raising the bar for verifying that a payment is genuinely authorised by the account holder.
  • Open access (open banking). Licensed third parties can, with customer consent, access account information or initiate payments directly from a bank account through secure interfaces.
  • Consumer protection and transparency. Clearer rules on fees, refunds, liability for unauthorised transactions, and surcharging give customers more confidence.

    Who PSD2 Applies To

    PSD2 covers payment service providers operating in the European Economic Area, and it reaches any business that takes electronic payments from EEA customers. That includes card payments, bank transfers, and the growing category of account-to-account transactions. Even if your business is based outside the region, the moment you serve European cardholders, these rules shape how those transactions are authenticated and settled.

    Strong Customer Authentication (SCA): The Core Requirement

    If there is one phrase every merchant should memorise from this whole topic, it is Strong Customer Authentication. SCA is the security mechanism at the heart of PSD2, and it is the part customers actually feel at checkout.

    What SCA Actually Requires

    Under SCA, most electronic payments must be authenticated using at least two of three independent factors:

  • Something the customer knows — a password, PIN, or passphrase.
  • Something the customer has — a phone, hardware token, or a registered device.
  • Something the customer is — a biometric such as a fingerprint or face scan.

    The two factors must be independent, meaning that compromising one does not compromise the other. A password typed into the same phone that then receives the one-time code is the classic case that gets scrutinised for true independence.

    Why Two Factors Matter

    Single-factor authentication, like a password alone, is notoriously weak. Credentials get phished, reused, and leaked. By requiring a second, independent factor, SCA dramatically raises the cost and difficulty of fraud. For merchants, that translates into fewer fraudulent chargebacks and a stronger liability position when disputes arise.

    How 3-D Secure 2 Fits In

    For card payments, SCA is most commonly delivered through 3-D Secure 2 (3DS2), the updated version of the card networks' authentication protocol. Unlike the clunky first-generation 3-D Secure, 3DS2 passes far more contextual data to the card issuer — device information, transaction history, shipping details — so the issuer can make a smarter risk decision. When risk is low and the data is rich, many issuers approve the payment without forcing the customer through an extra step. That silent, behind-the-scenes flow is exactly what you want.

    How PSD2 and SCA Affect the Checkout Experience

    The biggest practical concern for merchants is friction. Every extra tap, redirect, or one-time code introduces a chance for the customer to abandon the cart. Understanding how PSD2 shapes checkout lets you minimise that drop-off.

    The Trade-Off Between Security and Conversion

    There is a real tension here. Strong authentication reduces fraud, but poorly implemented authentication reduces sales. A confusing redirect, a slow SMS code, or an authentication screen that does not render on mobile can all cost you a completed order. The merchants who win are the ones who treat authentication as a design problem, not just a compliance checkbox.

    Practical Checkout Improvements

    To keep checkout smooth while staying aligned with SCA expectations:

  • Send rich data with every transaction. The more context the issuer receives through 3DS2, the more likely the payment clears without a challenge screen.
  • Optimise for mobile. Authentication flows must render cleanly on small screens, where a large share of payments now happen.
  • Support trusted-device and biometric flows. Biometrics are fast and familiar, and they satisfy the inherence factor without typing.
  • Pre-fill and validate data early. Accurate billing and contact details reduce authentication failures down the line.
  • Communicate clearly. A short message explaining that the customer's bank may ask them to confirm reduces surprise and abandonment.

    What Customers Experience

    In practice, a well-handled SCA flow can be nearly invisible: a biometric prompt on the customer's banking app, a tap, and back to your confirmation page. A poorly handled one feels like an interrogation. The gap between those two experiences is almost entirely down to implementation quality and the data you pass through.

    SCA Exemptions Every Merchant Should Know

    PSD2 was never meant to force a challenge on every single transaction. The framework includes SCA exemptions designed to keep low-risk payments frictionless. Knowing these can meaningfully lift your conversion rate.

    Common Exemption Categories

  • Low-value transactions. Small payments below a set threshold may be exempt, with cumulative limits to prevent abuse.
  • Transaction risk analysis (TRA). Acquirers with low fraud rates can request an exemption when their real-time risk scoring deems a payment safe.
  • Trusted beneficiaries. Customers can add a merchant to a whitelist with their bank, so future payments to that merchant skip the challenge.
  • Recurring transactions. Fixed-amount subscriptions often require full authentication only on the first payment, with subsequent charges exempt.
  • Merchant-initiated transactions (MITs). Charges you initiate under an existing agreement, such as variable subscription billing, can fall outside the standard SCA flow when set up correctly.

    Who Decides on an Exemption

    A crucial point that confuses many merchants: requesting an exemption is not the same as receiving one. The customer's card issuer always has the final say. You can flag a transaction as eligible, but the issuer may still demand authentication. Smart routing means presenting strong risk signals so issuers are comfortable granting the exemption you request.
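The exemption categories above and the "request is not the same as receive" point can be made concrete with a small decision routine. The code below is an added example written for this article, not FiatFlex's code or any acquirer's API. It mirrors the structure of the PSD2 Regulatory Technical Standards (a per-transaction low-value cap, cumulative caps since the last SCA, and transaction risk analysis bands tied to the acquirer's fraud rate), but the threshold figures, the `risk_score` field, the exemption names and the liability mapping are this example's own assumptions; confirm the current figures and your actual liability position with your acquirer.

```python
from dataclasses import dataclass
from decimal import Decimal

# Threshold values are assumptions for this example; confirm them with your acquirer.
LOW_VALUE_LIMIT = Decimal("30")              # per-transaction cap for the low-value exemption
LOW_VALUE_CUMULATIVE_AMOUNT = Decimal("100") # cumulative spend allowed since the last SCA
LOW_VALUE_CUMULATIVE_COUNT = 5               # consecutive exempt transactions since the last SCA
TRA_BANDS = [                                # (amount ceiling, max acquirer fraud rate for TRA)
    (Decimal("100"), Decimal("0.0013")),
    (Decimal("250"), Decimal("0.0006")),
    (Decimal("500"), Decimal("0.0001")),
]
TRA_MAX_RISK_SCORE = 30                      # hypothetical cut-off on the merchant's own 0-100 score

# Simplified liability model for this example: the side that applied the exemption
# carries fraud liability; a completed challenge moves liability to the issuer.
EXEMPTION_APPLIED_BY = {
    "low_value": "merchant",
    "tra": "merchant",
    "recurring": "issuer",
    "trusted_beneficiary": "issuer",
}


@dataclass
class Transaction:
    amount: Decimal
    merchant_initiated: bool = False          # MIT under an existing agreement
    recurring_fixed_amount: bool = False      # fixed-amount subscription charge
    first_in_series: bool = True              # first charge of a recurring series
    payer_whitelisted_merchant: bool = False  # merchant on the payer's trusted-beneficiary list
    spent_since_last_sca: Decimal = Decimal("0")
    count_since_last_sca: int = 0
    risk_score: int = 0                       # hypothetical: lower is safer


def choose_exemption(tx, acquirer_fraud_rate):
    """Return the exemption flag the merchant should *request*, or None to go
    straight to a challenge. Merchant-initiated transactions are reported
    separately because they are out of SCA scope rather than exempt."""
    if tx.merchant_initiated:
        return "mit_out_of_scope"
    if tx.recurring_fixed_amount and not tx.first_in_series:
        return "recurring"
    if tx.payer_whitelisted_merchant:
        return "trusted_beneficiary"
    if (tx.amount <= LOW_VALUE_LIMIT
            and tx.spent_since_last_sca + tx.amount <= LOW_VALUE_CUMULATIVE_AMOUNT
            and tx.count_since_last_sca < LOW_VALUE_CUMULATIVE_COUNT):
        return "low_value"
    for ceiling, max_rate in TRA_BANDS:
        if tx.amount <= ceiling:
            # TRA is only available when the acquirer's fraud rate is under the
            # band's limit AND the merchant's own scoring deems the payment safe.
            if acquirer_fraud_rate <= max_rate and tx.risk_score < TRA_MAX_RISK_SCORE:
                return "tra"
            break
    return None


def process(tx, acquirer_fraud_rate, issuer_response):
    """Simulate the round trip: request a flag, then apply the issuer's decision.
    issuer_response is one of 'granted', 'challenge_required', 'declined'.
    Returns (outcome, party carrying fraud liability)."""
    requested = choose_exemption(tx, acquirer_fraud_rate)
    if requested is None:
        return ("challenge", "issuer")
    if requested == "mit_out_of_scope":
        return ("no_authentication", "merchant")
    if issuer_response == "granted":
        return ("frictionless", EXEMPTION_APPLIED_BY[requested])
    if issuer_response == "challenge_required":
        # The issuer overruled the request ("soft decline"): resubmit with SCA.
        return ("challenge", "issuer")
    return ("declined", None)


if __name__ == "__main__":
    print(process(Transaction(Decimal("20")), Decimal("0.001"), "granted"))
    print(process(Transaction(Decimal("45"), payer_whitelisted_merchant=True),
                  Decimal("0.001"), "challenge_required"))
```

Two things the routine makes visible: the cumulative limits mean a small payment can stop qualifying as low-value after a run of exempt charges, and the issuer's `challenge_required` answer overrides whatever was requested, which is the case a checkout must handle by resubmitting with authentication rather than treating the soft decline as a final failure.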

    Balancing Exemptions and Liability

    Exemptions reduce friction but can shift fraud liability back toward the merchant in some cases. There is a genuine business decision here: chase maximum frictionless throughput, or accept a little more authentication for stronger chargeback protection. The right answer depends on your average order value, your fraud profile, and your margins.

    Open Banking: The Other Half of PSD2

    While SCA grabs the headlines, the open banking provisions of PSD2 may have the deeper long-term impact. By requiring banks to expose secure interfaces, PSD2 created a new ecosystem of regulated services that connect directly to accounts.

    Two New Service Types

  • Account Information Services (AIS). With consent, these services read account data to power budgeting tools, lending decisions, accounting reconciliation, and identity checks.
  • Payment Initiation Services (PIS). With consent, these initiate a payment directly from the customer's bank account, bypassing card networks entirely.

    Why This Matters for Merchants

    Payment initiation opens a door to account-to-account payments at checkout. Instead of a card transaction with interchange fees and chargeback exposure, the customer approves a direct bank transfer authenticated through their own banking app. For merchants, the appeal is lower cost and reduced fraud, though settlement timing and customer familiarity still vary by market.

    Open banking also feeds smoother onboarding. Verified account data can streamline KYC checks and reduce the manual friction of bringing a new customer or merchant online — a theme that runs across modern payment platforms.

    How PSD2 Connects to the Wider Payments Landscape

    PSD2 is fundamentally a framework for traditional, account-based and card-based payments in Europe. But it does not exist in a vacuum. The same forces that drove PSD2 — demand for lower fees, stronger security, and faster settlement — are pushing merchants to explore newer rails alongside cards.

    Cards, Bank Transfers, and Stablecoins Side by Side

    Modern merchants increasingly want optionality. Card acceptance remains essential, and PSD2's authentication rules make those card payments safer than ever. At the same time, on-chain stablecoin payments have emerged as a complementary option, particularly for cross-border and digital-first commerce, where settlement on networks like Solana can be fast and low-cost.

    This is where a tool like FiatFlex fits naturally into a merchant's stack. As a mobile payment platform, it lets a merchant accept contactless Tap to Pay payments over NFC — Visa, Mastercard, Amex, Apple Pay, Google Pay, and Samsung Pay — directly on a compatible phone, with no separate terminal. The same app also supports crypto acceptance: USDC, EUROC (EURC), and SOL on Solana through payment links and QR codes, with the merchant choosing when to convert to euros. Euros can then be withdrawn to a SEPA-area bank account. Card payments still flow through the card networks and their PSD2-aligned authentication; the crypto side simply adds another way to get paid.

    Designing a Resilient Payment Mix

    The lesson for merchants is not to pick one rail and ignore the rest. A resilient setup typically blends:

  • Card acceptance with well-implemented SCA for everyday domestic and in-person sales.
  • Account-to-account or open-banking payments where they are mature and cost-effective.
  • Stablecoin and on-chain options for borderless, digital transactions and customers who prefer them.

    Spreading acceptance across rails reduces single-point-of-failure risk and lets you meet customers where they already are.

    Practical PSD2 Checklist for Merchants

    To turn theory into action, here is a condensed checklist you can work through with your payment provider and developers:

  • Confirm your checkout supports 3-D Secure 2 and renders authentication cleanly on mobile.
  • Pass as much contextual data as possible with each transaction to enable frictionless approvals.
  • Map which SCA exemptions apply to your business model and discuss exemption routing with your acquirer.
  • Decide your stance on the friction-versus-liability trade-off based on order value and fraud exposure.
  • Evaluate whether open banking payment initiation makes sense for your market.
  • Monitor authentication success rates and decline reasons, and iterate on the weak points.
  • Keep customer communication clear so unexpected bank prompts do not cause abandonment.
  • Consider diversifying acceptance across cards, bank transfers, and stablecoin rails for resilience.
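The checklist item about monitoring authentication success rates and decline reasons is the one most merchants skip, so here is an added example of what that monitoring can look like. It is not FiatFlex's code and does not reflect any provider's log format: the key=value log lines are constructed for this example, and the field names (`exemption`, `result`, `challenge`, `reason`) and the thresholds in `weak_points` are assumptions. It computes the frictionless, challenge, abandonment and overall approval rates, the grant rate per requested exemption, and a decline-reason breakdown, then flags the weak points worth iterating on.

```python
from collections import Counter

# Constructed sample log: one authentication attempt per line. "soft_decline" means
# the issuer refused the requested exemption and demanded a challenge instead.
SAMPLE_LOG = """\
ts=2024-05-01T10:00:01Z txn=t1 amount=18.00 exemption=low_value result=frictionless
ts=2024-05-01T10:00:09Z txn=t2 amount=120.00 exemption=tra result=frictionless
ts=2024-05-01T10:01:12Z txn=t3 amount=120.00 exemption=tra result=soft_decline challenge=completed
ts=2024-05-01T10:02:40Z txn=t4 amount=65.00 exemption=none result=challenge challenge=abandoned
ts=2024-05-01T10:03:03Z txn=t5 amount=65.00 exemption=none result=challenge challenge=completed
ts=2024-05-01T10:04:55Z txn=t6 amount=900.00 exemption=none result=challenge challenge=failed reason=auth_failed
ts=2024-05-01T10:05:10Z txn=t7 amount=30.00 exemption=low_value result=soft_decline challenge=completed
ts=2024-05-01T10:06:00Z txn=t8 amount=12.00 exemption=low_value result=frictionless
ts=2024-05-01T10:07:30Z txn=t9 amount=45.00 exemption=trusted_beneficiary result=frictionless
ts=2024-05-01T10:08:11Z txn=t10 amount=230.00 exemption=tra result=hard_decline reason=issuer_unavailable
"""

CHALLENGED_RESULTS = ("challenge", "soft_decline")


def parse_line(line):
    """Parse one 'key=value key=value ...' line into a dict."""
    return dict(token.split("=", 1) for token in line.split())


def authentication_metrics(log_text):
    """Aggregate the rates a merchant should watch after SCA rollout."""
    rows = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    total = len(rows)
    frictionless = sum(1 for r in rows if r["result"] == "frictionless")
    challenged = [r for r in rows if r["result"] in CHALLENGED_RESULTS]
    completed = sum(1 for r in challenged if r.get("challenge") == "completed")
    abandoned = sum(1 for r in challenged if r.get("challenge") == "abandoned")
    # Exemption grant rate: requested flags versus those the issuer honoured.
    requested = Counter(r["exemption"] for r in rows if r["exemption"] != "none")
    granted = Counter(r["exemption"] for r in rows
                      if r["exemption"] != "none" and r["result"] == "frictionless")
    reasons = Counter(r["reason"] for r in rows if "reason" in r)
    return {
        "total": total,
        "frictionless_rate": frictionless / total,
        "challenge_rate": len(challenged) / total,
        "challenge_abandon_rate": abandoned / len(challenged) if challenged else 0.0,
        "approval_rate": (frictionless + completed) / total,  # paid, with or without a challenge
        "exemption_grant_rate": {e: granted[e] / requested[e] for e in requested},
        "decline_reasons": dict(reasons),
    }


def weak_points(metrics, min_grant_rate=0.5, max_abandon_rate=0.15):
    """Turn the metrics into the short list of things to fix next.
    The thresholds are assumptions for this example."""
    findings = []
    for exemption, rate in sorted(metrics["exemption_grant_rate"].items()):
        if rate < min_grant_rate:
            findings.append(f"exemption '{exemption}' granted only {rate:.0%} of the time: "
                            "review the risk data sent with these requests")
    if metrics["challenge_abandon_rate"] > max_abandon_rate:
        findings.append(f"{metrics['challenge_abandon_rate']:.0%} of challenges abandoned: "
                        "check the challenge screen on mobile and the customer messaging")
    return findings


if __name__ == "__main__":
    m = authentication_metrics(SAMPLE_LOG)
    for key, value in m.items():
        print(f"{key}: {value}")
    for finding in weak_points(m):
        print("-", finding)
```

Run daily over the acquirer's or PSP's authentication export; a falling grant rate for a single exemption is usually the first sign that the contextual data sent with those requests has degraded, while a rising abandonment rate points at the challenge screen itself.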

    Frequently Asked Questions

    Does PSD2 apply to every online payment in Europe?

    PSD2 and its SCA requirements apply broadly to electronic payments where both the payer's and the payee's providers are in the European Economic Area. There are nuances: certain transactions, such as some merchant-initiated charges, one-leg-out transactions where one party sits outside the EEA, and specific low-risk categories, may be handled differently or fall under an exemption. The practical takeaway is that if you sell to European customers, you should assume SCA is in scope and design your checkout accordingly.

    What is the difference between SCA and 3-D Secure 2?

    Strong Customer Authentication is the regulatory requirement: payments must be verified with at least two independent factors. 3-D Secure 2 is one of the technical protocols used to deliver that authentication for card payments. Think of SCA as the rule and 3DS2 as a primary tool for meeting it on cards. Other payment types, such as bank-initiated transfers through open banking, satisfy SCA through the customer's own banking app rather than through 3DS2.

    Will Strong Customer Authentication hurt my conversion rate?

    It can, but mostly when it is implemented poorly. A clunky redirect, a slow one-time code, or an authentication page that breaks on mobile will cost sales. A well-built flow — rich transaction data, biometric prompts, smart use of exemptions, and clear customer messaging — keeps friction low and can even improve approval rates because issuers trust well-structured transactions. The merchants who suffer are usually the ones who treated SCA as a checkbox rather than a checkout-design priority.

    How does open banking relate to PSD2?

    Open banking is a direct product of PSD2. The directive required banks to provide secure interfaces so licensed third parties could, with customer consent, read account data (Account Information Services) or initiate payments (Payment Initiation Services). For merchants, the most interesting outcome is account-to-account payment initiation, which can lower costs and reduce fraud compared with cards. Open banking and the card-focused SCA rules are two complementary halves of the same regulation.