PSD2 – The new European legislation in…

Update (31.10.2019):
The technical implementation of PSD2 culminated in a lot of challenges for Payment Service Providers as well as retailers. Therefore, the European Banking Authority (EBA) recommended the national Financial Market Authorities to extend the deadline for the implementation until 31.12.2020.

Austria and Germany already followed the recommendation:
Österreichischer Handelsverband via APA OTS 
Bundesanstalt für Finanzdienstleistungsaufsicht

GDPR was keeping everybody busy around this time last year – this year, another EU regulation is on our minds: PSD2. The Revised Payment Service Directive (EU 2015/2366) – or PSD2 – brings along stricter authentication requirements in the form of a two-factor authentication (2FA) for businesses with an ecommerce check-out system. The final deadline for implementation is 14 September 2019. The core of this European regulation is to reinforce user protection and improve security when it comes to digital payments carried out within the EEA (European Economic Area). It was adopted by the European Parliament and Council as early as 2015, and by 13 January 2018, all members of the EU were required to incorporate this new legislation into national law. 

Why stricter authentication?

Basically, the idea behind the revised PSD2 is to add extra levels of authorisation onto electronic payment procedures to protect users from fraud, phishing and unauthorised money transactions. This is achieved by a stronger focus on customer authentication processes. One approach to fulfill the regulatory requirements is to implement 2FA.

Process of two-factor authentication
Process of two-factor authentication

What does 2FA entail and who is affected?

Two-factor authentication (2FA) is used as an additional layer of security to ascertain the identity of a user authorising a payment online. It uses a combination of at least two different components out of 3 categories. The 3 categories to authenticate payment processing are listed in the chart below:

Something you knowSomething you ownSomething you are
Mobile phone
Wearable device
Facial features
Smart card
Voice patterns
Iris format

BadgeDNA signature

Source: EUR-Lex (2019)

A retailer could, for example,  combine an element from the category Something you know with a component from the category Something you are. One possible solution to meet the requirement would be to combine a chosen password with a fingerprint to authorise the processing of a payment.  It has to be implemented by all players who have an ecommerce payment check-out system in place, at the latest on 14 September 2019 (e.g. Zalando has successfully implemented 2FA).

What to do until 14 September 2019

To sum it up, in order to comply with the regulations of PSD2 aiming at reinforcing consumer protection as well as improving innovation and security of online payments, you have to make sure to have adequate security standards in the form of 2FA integrated into your ecommerce payment check-out systems by 14 September 2019. On a side note: Regarding the new EU regulation, the retail industry has expressed concerns about the possible implications that come along with it. However, it is also argued that the benefit of the added security might as well be appreciated by customers. 

These are links which provide you with information on how different players in the ecommerce industry are tackling the PSD2.

European Banking Authority:


Bundesministerium für Finanzen: