The Payment Services Directive 2, commonly known as PSD2, was introduced to modernise the European payments landscape, strengthen consumer protection and encourage innovation across the financial services ecosystem.
Since coming into force, PSD2 has reshaped how online payments are processed by opening access to bank data, regulating third-party payment providers and introducing Strong Customer Authentication to reduce fraud. For businesses operating in the EU and EEA, understanding PSD2 and SCA is essential to delivering secure payment experiences while maintaining high conversion rates.
In this guide, we explain what PSD2 is, how it differs from previous and upcoming regulations, how SCA works in practice and what merchants and payment service providers need to do to remain compliant.
What is PSD2?
PSD2 is an EU directive aimed at regulating the online payments industry across the EU and the European Economic Area (EEA). The legislation was introduced in 2018 and its purpose is to create a more integrated and seamless payments experience across all EU member states. PSD2 also introduced Strong Customer Authentication (SCA), a measure set to enhance secure payments and reduce fraud.
While SCA introduces an additional step in the payment journey, it also enables stronger fraud prevention and greater consumer trust when supported by the right payment service provider.
What's the difference between PSD1, PSD2 and PSD3?
The Payment Services Directives have evolved to reflect changes in technology, consumer behaviour and the growing complexity of the payments ecosystem.
PSD1, introduced in 2007 and implemented in 2009, established the foundation for a single European payments market. Its primary goal was to increase transparency, improve consumer protection and enable faster and more efficient cross-border payments within the EU. PSD1 also allowed non-bank payment institutions to enter the market, encouraging competition and innovation while supporting the development of SEPA payments.
However, PSD1 did not anticipate the rise of open banking, real-time payments or new digital payment models.
PSD2, which came into force in 2018, modernised the original framework. It formally introduced open banking by granting regulated third-party providers access to customer payment accounts with explicit consent.
PSD2 also introduced Strong Customer Authentication to reduce fraud, banned surcharging for most consumer card payments and expanded the scope of regulation to cover certain international transactions, known as one-leg transactions. While PSD2 significantly improved security, it also introduced further operational layers for merchants and PSPs, particularly around SCA implementation and exemptions.
PSD3, together with the proposed Payment Services Regulation (PSR), was introduced in 2023 and represents the next phase of payments regulation in the EU. The aim is to simplify and harmonise the regulatory framework by addressing any gaps in PSD2. Key objectives include improving the consistency of SCA application, strengthening fraud prevention measures, enhancing consumer protection and reducing complexity for PSPs operating across multiple markets.
Unlike PSD2, PSD3 is expected to work alongside the PSR, which will be directly applicable across all EU member states. This approach is designed to reduce national inconsistencies, provide greater regulatory clarity and create a more resilient and competitive payments ecosystem that supports innovation while maintaining high security standards.
The new framework is currently expected to apply from mid-2026 to early 2027, due to the 18-21 month period for EU member states to transpose it into national laws.
Why is PSD2 important?
PSD2 is an important step towards a single digital market in the EEA, which aims to make the EU's single market fit for the digital age. The new measures also ensure all PSPs active in the EU are subject to supervision and appropriate rules.
There will be wide-reaching implications for a range of parties, including banks, other PSPs, fintech companies and customers; the right payments partner can help companies navigate PSD2. In brief, here are the changes introduced by PSD2:
- Two-factor Strong Customer Authentication (SCA) to be implemented across the majority of online transactions in the EEA.
- Retailers may directly ask shoppers for permission to use their bank account information.
- PSD2 outlines two types of regulated third-party providers (TPPs) that will be granted direct access to customer accounts: Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs).
- No more card transaction surcharges for B2C transactions.
- Improvements to consumer protection on payments.
What are the Regulatory Technical Standards (RTS) of PSD2?
In November 2017, the EU Commission released the Regulatory Technical Standards (RTS) for PSD2. The RTS directly affect PSPs, card issuers and acquirers in all EU member states. However, certain EU member states, including the UK, have implemented transitional measures for a phased implementation of the rules in the context of card-based payments for eCommerce transactions.
The Regulatory Technical Standards are the technical implementation standards of PSD2 and SCA and took effect on 31st December 2020. The RTS specify the requirements of SCA, which is authentication that:
- a) Is based on the use of two or more elements categorised as i. Knowledge (something only the user knows), ii. Possession (something only the user possesses) and iii. Inherence (something the user is);
- b) Ensures the elements are independent from one another, in that the breach of one does not compromise the reliability of the others; and
- c) Is designed in such a way as to protect the confidentiality of the authentication data.
PSD2 and screen scraping
Screen scraping is now prohibited under PSD2, which sets the legal ground for Open Banking across Europe. Screen scraping is the programmatic use of a website that impersonates a web browser to extract data or perform actions that users would usually perform manually on the website. Despite being a commonly used practice, it has already been the subject of heavy litigation in Europe since the process was considered contrary to many issuers' general terms and conditions.
Under PSD2, banks will be required to grant third parties access to customer data, given customers' explicit consent, via specific, dedicated APIs, but only for the particular service at hand. If you're interested in open banking, skip to this part.
PSD2 compliance
To comply with SCA and PSD2, the best option for merchants is to implement 3DS2, the authentication protocol that complies with PSD2 and SCA requirements. It offers issuers ten times more data on which to base their risk-based decision on whether to present the 3DS window, which will reduce the number of challenges and help reduce the risk of fraudulent activity. It will also be optimised for mobile devices to improve user experience, and all of this comes on top of the chargeback liability benefit.
3DS2 also addresses desktop or older smartphone users who do not have access to biometric functionality. So, whilst it is no silver bullet, 3DS2 will help operators fulfil the two-factor authentication requirements without adding another integration to their already stacked development queue.
PSD2 regulations within the UK
The law was applied in the UK and the rest of Europe on 13th January 2018. However, we expect additional rules that are currently under development to apply. The last update from the FCA was on 27th November 2020, which confirmed that even in the event of a no-deal Brexit, SCA would still come into effect on the given deadlines.
It also reflected the limit increase of contactless card payments to GBP 100. It is good to save the link to the FCA's RTS for SCA and Common and Secure Open Standards of Communication, or to read the service update information from your payment service provider, if and when the requirements change.
What are the challenges ahead for GDPR and PSD2?
PSD2 and EU GDPR (General Data Protection Regulation) were both introduced in 2018 as separate sets of legislation focusing on consumer data. GDPR aims to protect personal data, making it easier for consumers to know when their data is being used and raise objections about its use. PSD2 regulates the payments market but also creates access to personal data, allowing third parties to enter the payments market and provide new account information and payment initiation services.
Any access these third parties have to personal data must comply with GDPR. As of 1st January 2021, GDPR was split into two regulations, EU GDPR and UK GDPR, to reflect the UK leaving the EU after Brexit.
What is Strong Customer Authentication (SCA)?
SCA stands for Strong Customer Authentication, an indispensable part of the PSD2 legislation. In a nutshell, SCA requires online payments in the EU between EU-issued cards and the operator's payment provider located in the EU to be processed using two factors of identification: something a person knows, something a person has or something a person is. In other words, SCA introduces mandatory two-factor authentication in online payments. The authentication process requires the consumer to present two of the three factors categorised as follows:
- The knowledge factor (something only the user knows, e.g. a password or a PIN)
- The possession factor (something only the user possesses, e.g. the card or an authentication code generating device)
- The inherence factor (something the user is, e.g. the use of a fingerprint or voice recognition)
These factors are independent; this means that the breach of one element does not compromise the reliability of the others. The introduction of SCA is an opportunity for merchants, as it protects your customers against theft and your business against fraudsters and potential chargebacks.
SCA use cases
In practice, Strong Customer Authentication is already familiar to many consumers and can take several forms depending on the payment method and device used. Common use case examples of SCA include:
- A shopper completing an online card payment and confirming the transaction via their banking app using fingerprint or facial recognition.
- Entering a one time passcode sent by the card issuer via SMS or generated within a secure banking app.
- Logging into an online account using a password followed by a push notification approval on a registered mobile device.
- Confirming a payment using a physical card reader or token provided by the bank.
These methods combine two independent authentication factors, such as possession and inherence or knowledge and possession, to meet SCA requirements. For merchants, modern SCA flows such as app-based authentication and biometric checks help improve security while keeping friction at checkout to a minimum.
Exemptions from SCA
All online payments are subject to SCA. However, the legislators have set certain exemptions which are applicable. We’ve put together an explanation of the core exemptions below and outlined more in our SCA guide here:
- Recurring transactions (i.e. in the form of memberships, subscriptions etc.), however:
  - The first recurring transaction will need to be authenticated with two-factor or multi-factor authentication.
  - The amount of each consecutive recurring transaction must be the same every billing period for the transaction to be exempted from SCA.
- Contactless electronic payment transactions at a point of sale (POS), but:
  - A single transaction cannot exceed EUR 50.
  - The total amount of transactions cannot exceed EUR 150 or five consecutive transactions without authentication.
- Remote electronic payment transactions of low value (i.e. payment transactions initiated on the internet or through a device that can be used for distance communication), however:
  - A single transaction cannot exceed EUR 30.
  - The total amount of transactions cannot exceed EUR 100 or five consecutive transactions without authentication.
- Customers accessing the balance of their payment accounts online, linked to your webshop:
  - The first time your customers access the balance of their payment accounts, two-factor authentication must be applied.
  - If 90 days have passed since your customers last accessed the balance of their accounts, two-factor authentication will have to be applied again.
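The exemption thresholds listed above translate into per-card counters that a PSP has to track between authentications. The following is an added example (not emerchantpay's code or any PSP's production rule set) that decides whether a payment qualifies for one of the exemptions using the figures quoted in this list; the Counters state, the channel names and the reference date are assumptions, and it takes the conservative reading that the current payment counts toward the cumulative limit.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Thresholds quoted in the exemption list above: (max single amount, max cumulative amount) in EUR.
LIMITS = {"contactless": (50, 150), "remote": (30, 100)}
MAX_CONSECUTIVE_EXEMPT = 5   # exempt payments allowed since the last SCA
BALANCE_ACCESS_DAYS = 90     # balance views need fresh SCA after this many days

@dataclass
class Counters:
    """Hypothetical per-card state accrued since the last completed SCA."""
    cumulative_amount: float = 0.0
    consecutive_count: int = 0

@dataclass
class Transaction:
    channel: str                                # "contactless" | "remote" | "recurring" | "balance"
    amount: float = 0.0
    first_in_series: bool = False               # recurring: initial payment of the series
    previous_amount: Optional[float] = None     # recurring: amount of the prior charge
    last_balance_access: Optional[date] = None  # balance: last authenticated access
    today: date = date(2024, 1, 1)              # constructed reference date

def sca_required(tx: Transaction, counters: Counters) -> bool:
    """True if SCA must be applied to tx; False if one of the exemptions fits."""
    if tx.channel == "recurring":
        # First payment is always authenticated; later ones are exempt only
        # while the amount is identical to the previous billing period's.
        return tx.first_in_series or tx.amount != tx.previous_amount
    if tx.channel == "balance":
        return (tx.last_balance_access is None or
                tx.today - tx.last_balance_access >= timedelta(days=BALANCE_ACCESS_DAYS))
    if tx.channel not in LIMITS:
        raise ValueError(f"unknown channel {tx.channel!r}")
    single, cumulative = LIMITS[tx.channel]
    # Conservative reading: the current payment counts toward both running limits.
    return (tx.amount > single
            or counters.cumulative_amount + tx.amount > cumulative
            or counters.consecutive_count + 1 > MAX_CONSECUTIVE_EXEMPT)

def record(tx: Transaction, counters: Counters, authenticated: bool) -> Counters:
    """SCA resets the running counters; an exempted payment accrues to them."""
    if authenticated:
        return Counters()
    return Counters(counters.cumulative_amount + tx.amount, counters.consecutive_count + 1)

def simulate(channel: str, amounts: List[float]) -> List[bool]:
    """Walk a series of same-channel payments and flag where SCA fires."""
    counters, fired = Counters(), []
    for amount in amounts:
        tx = Transaction(channel, amount)
        need = sca_required(tx, counters)
        fired.append(need)
        counters = record(tx, counters, need)
    return fired
```

Running simulate("remote", [20] * 6) shows the sixth EUR 20 payment triggering SCA, because it would both push the cumulative total past EUR 100 and be the sixth consecutive unauthenticated payment.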
Informing customers about SCA
Many merchants will be using 3DS2 to meet the SCA requirements. For those already using it, there will be little to no impact on their customers' experience. Those who haven't implemented 3DS2 yet will need to start educating their customers as soon as possible to reduce the risk of drop-off. Here, merchants may find transactional data to be of great benefit: analyse your average transaction value (ATV) per payment channel in as much detail as possible, your customers’ ATV, their spending habits and your transaction routing capabilities.
Not every transaction will be affected, but consumers will need to verify themselves at some point, either after a total spend of EUR 100 or five transactions since their last authentication. To optimise your payments, outline how you are going to route transactions and which customers will and will not be affected, given the exemptions. It’s also good to inform customers that this is a Europe-wide requirement and that it's not just your business changing their usual experience.
Letting them know that all eCommerce merchants must comply, and that you will do your absolute best to make their checkout experience as smooth as possible, demonstrates your proactive approach to payment security. This communication could also explain that they won't always see the 3DS2 window and educate them on how to whitelist your website with their card issuer. Consumers use a wide range of sites and their spending varies depending on what they are purchasing; your message therefore needs to be carefully considered and distributed at the optimal time for your offering.
Open Banking and PSD2
PSD2 provides the legislative and regulatory foundation for Open Banking. The nine largest banks in the UK are implementing Open Banking through the Open Banking Implementation Entity (OBIE), as mandated by the Competition and Markets Authority (CMA). The mandate also includes a requirement for the largest banks to produce an open API in the UK.
Open Banking is the first collaborative implementation of Open APIs ever seen across Europe. It aims to enable third-party companies to give more accurate personal financial guidance tailored to customers' needs and delivered securely, in confidentiality, with the use of Open APIs.
Under PSD2, banks will be required to grant TPPs access to customer payment accounts, known as XS2A (Access to Account). Institutions wishing to act as Payment Initiation Service Providers (PISPs) or Account Information Service Providers (AISPs) must be authorised PSPs. Essentially, third-party companies can use Open Banking APIs, only with the consumer's explicit consent, to access customer data in order to provide an overview of a customer's payment accounts with different banks all in one place (e.g. a mobile app) or to initiate payments directly from customer payment accounts (e.g. a retailer).
What is the difference between Open Banking and PSD2?
There are two main differences between Open Banking and PSD2. Firstly, PSD2 does not specify the creation of API standards. In other words, each bank has the option to make its data available through different technical standards, which adds a layer of complexity to Open Banking adoption across European banks.
Moreover, PSD2 only opens access to customer transactional data for specific institutions, which must also be regulated PSPs. The CMA, on the other hand, could grant access to a broader range of third-party companies through its 'whitelisting' process. For instance, the CMA has recognised that price-comparison websites (PCWs) do not fall within the scope of PSD2. It will, therefore, set up separate whitelisting arrangements under which PCWs can become authorised to access customer data.
What does surcharging mean?
Acquirers pay a fee to the cardholder's issuing bank. This is called an interchange fee. The interchange fee is sometimes passed on to merchants, who subsequently surcharge it to the final customer or cardholder. This process is known as surcharging.
What are the PSD2 new surcharging rules?
Overall, the second Payments Service Directive aims to regulate the payments industry across the entire EU. Until recently, a majority of merchants have been classifying surcharging as an additional card scheme fee. PSD2 bans surcharging for all B2C transactions and certain B2B transactions.
B2C payments under PSD2: aiming to protect consumers across the EU and the EEA, PSD2 prohibits merchants from charging consumers additional fees for paying by certain payment methods. For instance, merchants operating in the travel, retail or hospitality sector are no longer allowed to charge consumers additional fees for paying with a debit or credit card. This measure applies to transactions within an EU or EEA member state or across its borders, in online or physical stores.
The surcharging ban applies when:
- The cardholder's issuing bank and the PSP of the merchant are both located in the EEA
- The consumer makes a payment using a debit or credit card (Visa and Mastercard) or payment in euros using direct debit or credit transfer (known as SEPA payments)
B2B payments under PSD2: although PSD2 mainly affects B2C surcharging fees, certain B2B payments are regulated as well. The surcharge ban applies to B2B payments in euros made by business entities using direct debit or credit transfer, where the bank or card issuer of the business customer and the PSP of the merchant are both located in the EEA. However, B2B payments made using a corporate credit or debit card can still be surcharged by law.
How can emerchantpay help?
Working with a PSP that understands and caters to the new PSD2 and SCA standards is key to navigating the evolving payment security measures. emerchantpay offers full support for merchants to provide a PSD2-compliant payment solution across all sectors.
Reach out to our payment experts and learn how you can stay up-to-date with the latest about PSD2 and SCA.