Meet your PSD2 compliance obligations

Payment Services Directive 2 (PSD2) is a fundamental piece of payments-related legislation that came into force in Europe and the UK in January 2018. It updates the original Payment Services Directive, whose objective was to create a single market for payments within the European Union.

The main aim of PSD2 is to encourage pan-European competition and participation in the payments industry, including from non-banks, and to provide a level playing field by harmonising consumer protection and the rights and obligations of payment providers and users.

PSD2 has links and similarities in some of its goals and clauses to the GDPR for data protection and privacy, such as the obligation to notify regulators of certain security breaches within a set time-frame.

Organisations that PSD2 applies to

PSD2 applies to existing Payment Service Providers (PSPs), i.e. banks, payment institutions and e-money institutions, as well as to new financial services (FS)/Fintech start-ups, retailers and service providers. These new players are divided into three types:

Account Information Service Providers (AISPs)

AISPs are providers that can connect to bank accounts and retrieve information from them. The Payment Service User will authorise the AISP to access their data through a secure connection and download their transactional information.

By definition, this group has access to a large amount of personal data and hence will need to factor in the requirements of GDPR as well as its financial sector obligations.

Payment Institutions (PIs)

PIs can initiate payment transactions directly from bank accounts. Historically, the payer initiated a payment directly through their bank. With PSD2, PIs initiate payments through the bank’s payment systems and infrastructure on behalf of the payers; they act as a bridge between the payer and the payee.

E-Money Institutions (EMIs)

An EMI is an issuer of electronic money, or ‘e-money’: electronically stored monetary value that is issued on receipt of funds for the purpose of making payment transactions, and that must be accepted as a means of payment by someone other than the EMI. Examples are pre-paid cards and electronic pre-paid accounts for online use.

PSD2 implications for cyber security

PSD2 provides that payment service providers shall establish a framework with appropriate mitigation measures and control mechanisms to manage operational and security risks relating to the payment services they provide.

The European Banking Authority (EBA) published security and operational risk guidelines addressing:

Post-Brexit, the UK updated its Approach Document, which continues to reflect requirements deriving from EU law.

Achieve PSD2 compliance with Huntsman Security’s PSD2 solution

Measurement of security control efficacy, continuous monitoring, reporting, the ability to handle API or machine-to-machine transaction flows, and rapid (automated or system-assisted) incident detection, verification and response are all vital cyber security capabilities for companies bound by the PSD2 regulation.

Huntsman Security’s PSD2 solution can support you in developing your organisation’s alignment to PSD2.

Find out more about PSD2 compliance
