
PSD2 regulation - Get ready with Gemalto

The new PSD2 directive is a fundamental piece of payment legislation in Europe. 

It was to go into effect on 14 September 2019.  However, the European Banking Authority (EBA) granted further potential exemptions and set the new deadline to 31 December 2020.

The PSD2 regulation drastically impacts the financial eco-system and infrastructure for banks, fintechs, and businesses using payment data for the benefits of consumers. 

The first Payment Services Directive (aka PSD1 or Directive 2007/64/EC) opened up the European banking and financial services market and went into effect almost ten years ago. 

Let's dig in.


What is PSD2?

The revised Payment Services Directive 2 (PSD2) aims to better align payment regulation with the current state of the market and technology.

It introduces security requirements for the initiation and processing of electronic payments, as well as for the protection of consumers' financial data. 

It also recognizes and regulates Third-Party Providers (TPPs) that are allowed to access or aggregate accounts and initiate payment services.

This will clearly shake up the payments market, particularly in the eCommerce space, by encouraging greater competition, transparency, and innovation in payment services. 

In short, PSD2 aims at facilitating consumer access to their banking data and driving innovation by encouraging banks to exchange customer data securely with third parties.

PSD2 directive: What is the new timeline? 

After a long debate, at the end of November 2017 the European Banking Authority (EBA) published the final release of the RTS (Regulatory Technical Standards), which details the responsibilities and obligations of all payment actors. 

On 13 March 2018, the European Parliament and the European Council approved them, opening an 18-month implementation period that was due to end before 14 September 2019. 

This date was the "final deadline" for all companies within the EU to comply with PSD2’s Regulatory Technical Standard (RTS) related to the directive (EU) 2015/2366.

New dedicated Open API interfaces were available (as of 14 March 2019) for a six-month testing period. European regulators completed the new technical standards and defined precisely how banks must link their technology platforms to outsiders. 

The bad news? 

Many banks and merchants were not ready for either the March or the September deadline. The EBA had to reset the deadline to the end of 2020.

The good news?

This will genuinely cement open banking into place, according to Bloomberg.

PSD2 compliance: Who's ready? 

As stated by Finextra, 41% of the 442 European banks surveyed failed to meet the March 2019 deadline: they could not provide a testing environment to third-party service providers. 

This six-month testing period before the September deadline was seen as critical for third-party providers to test the APIs that will connect them to banks, and also key to piloting new services.

During MONEY 2020 in early June 2019, several speakers also pointed out that some banks and financial providers were clearly dragging their feet in handing over data to customers, citing their compliance and risk scenarios. 

We shared our feedback on this in our blog post about the latest industry thinking on Open Banking.

And it happened.

The European Banking Authority (EBA) announcement (so-called Opinion), made last October, clearly showed that it has acknowledged that massive numbers of online merchants were not ready for this change.

The new deadline to implement Strong Customer Authentication (SCA) has been pushed back by fifteen months. It's enough time, according to the EBA, to make the expected developments.

PSD2 regulation: Impacts on banks and TPPs 

Security is top-of-mind

The core principles of the PSD2 RTS – i.e. Strong Customer Authentication (SCA), Secured Communication, Risk Management and Transaction Risk Analysis (TRA) – have been maintained, confirming the directive's security objectives. 

To protect the consumer, PSD2 requires banks to implement multi-factor authentication for all proximity and remote transactions performed on any channel. 

This means using two of these three factors: 

  • Knowledge: Something only the user knows, e.g. password, code, personal identification number
  • Possession: Something only the user possesses, e.g. token, smart card, mobile handset
  • Inherence: Something the user is, e.g. a biometric characteristic such as a fingerprint

Besides, the elements selected must be mutually independent, which means that the breach of one should not compromise any of the others.

Smooth user experience

To ensure smooth user experience, PSD2 requests banks to put in place security measures that are "compatible with the level of risk involved in the payment service" to find the right balance between security and user convenience. 

To simplify life for consumers, the RTS lists several situations in which Payment Service Providers (PSPs) are not required to perform strong customer authentication. 

Most of these exemptions are related to low-value payments, repetitive transactions and transactions to trusted beneficiaries. 

PSD2 and open banking

The move to open banking means removing barriers between competitors as it requires banks to allow their account details and transactions to be shared with third parties through APIs.

PSD2 hinges on a critical connection between retailers, fintechs, and banks. 

This relationship will be powered by APIs that banks need to open to any Third-Party Provider that wants to aggregate account data and/or initiate payment services.

This builds a common ground of more robust collaboration and better interoperability between traditional financial institutions and new players of the banking and payment space. 

And to provide consistent and seamless user experience, banks will also have to collaborate to define a common approach, at least at a country or regional level.

Why we need strong authentication standards to deliver the promises of Open Banking

A new world of opportunity

PSD2 is a customer-centric regulation that should lead to an improved customer environment, bringing benefits not only to end-users but to all banking and payment parties.

New partnerships and open-banking APIs with the right security level brought by SCA and risk monitoring can generate value by:

  • Adding third-party capabilities to core offerings
  • Capitalizing on consumer behavior and storing consumer preference data
  • Making the multi-factor authentication process as easy as possible for the customer

New customer onboarding will be made easier, offering end-users better tools to manage their finance and enticing them to buy new products and services that can be offered by banks and TPPs.

Banks will be able to better use financial data to provide competing services at competitive rates. 

Already, leading banks have started building strong partnerships and open-banking API Hubs, showing how PSD2 regulation can be the perfect tool for more innovation in payment and banking.

PSD2 compliance: Where do we fit in?

As a leading provider of digital security solutions, Gemalto enables banks and financial institutions to meet the challenges raised by PSD2.

Gemalto helps financial organizations understand and address PSD2 requirements relating to strong customer authentication, risk management, and Open Banking API.

We have released a first white paper introducing PSD2 in general and how it opens up the payments market, and additional white papers analyzing the PSD2 compliance of various solutions.

An additional white paper describes how Gemalto’s solutions may help our customers comply with PSD2 security requirements. 

Strong Customer Authentication

Strong Customer Authentication, as defined in PSD2, means that transactions are authenticated using 2‑factor authentication or more.

How to improve user experience?

By evaluating risk and adapting accordingly, banks are able to offer a targeted approach that strikes the right balance between security and user convenience.

Innovate with Open Banking API

By working more closely with third-party actors, financial institutions can better prepare themselves for the market changes and proactively identify areas of research and development.

Read our white papers

  • Strong Customer Authentication (SCA) to be in compliance with the PSD2 Regulation

    Discover how Nordea in Finland implemented Strong Customer Authentication (SCA) to comply with the PSD2 Regulation

    Learn how Nordea in Finland is achieving PSD2 compliance with future-proof SCA
  • PSD2 and RTS - Q&A

    PSD2 and RTS: Everything you need to know

    All the questions you have are now answered. Learn more about the scope of application of PSD2 and the RTS, the implementation of Strong Customer Authentication (SCA), risk management and exemptions to SCA, and interfaces and data exchange.
  • Risk management in the context of PSD2 and EBA’s RTS

    Banks around Europe are facing the challenge of implementing the revised Payment Services Directive (PSD2) and, in practice, its related Regulatory Technical Standards (RTS).
  • The PSD2 Expert - Compliant means for your authentication needs

    Compliance with PSD2 is one of the most important challenges for banks in this decade, and Gemalto is fully committed to supporting its customers on this journey.
  • Understand PSD2 compliance and discover PSD2 solutions

    Read our white papers to understand the latest implications of PSD2 for the banking and payment landscape in Europe.


  • Posted on Oct 23, 2019

    How banks can reduce customer identity fraud using data intelligence

    Contextual analysis of authentication attempts provides a risk score that helps banks scale up security measures accordingly
  • Posted on Jul 31, 2019

    Our insights from the latest European Banking Authority’s paper on PSD2 readiness, advances and challenges

    We analyze the European Banking Authority’s latest opinion paper on PSD2, which gives companies more clarity on what to expect from this upcoming legislation
  • Posted on Mar 13, 2019

    PSD2’s dynamic linking in a mobile world

    PSD2’s requirements for financial institutions include “dynamic linking” to authenticate a financial transaction. We explore what this means and how it can work on mobile devices.