Barclays uses cookies on this website. Some cookies are essential to provide our services to you. Other cookies help us to analyse how you use the site, so we can improve your experience on our site. Cookies are stored locally on your computer or mobile device. Please select 'Accept all' to consent to cookies, or select ‘Reject all’ to reject all but essential cookies’, or select 'Manage cookies' to change your preferences. For more information visit our cookie policy.

What is PSD2 and will it affect how merchants take payments?

5-minute read

This article gives an overview of the EU Payments Services Directive (PSD2), which brings in new laws aimed at improving consumer rights and enhancing online security. To find out how we can support your business, call our payment experts on 0800 096 8237

PSD2 follows on from the original Payment Services Directive (PSD), which was adopted by the EU in 2007. This legislation established an EU single market for payments to encourage the creation of safer, more innovative payment services. PSD’s authors also aimed to make cross-border payments in the EU as easy, efficient and secure as payments within a member state.

PSD2 builds on the previous legislation in the following three areas, which we'll look at in more detail:

Increased customer rights in areas including complaints handling, new rules on surcharging and currency conversion

Enhanced security through SCA (Strong Customer Authentication) criteria

Enablement of third-party access to account information providing a framework for new payment and account services.


Enhancing customer rights

PSD2 seeks to improve customer rights in a number of ways.

1. Transparency

Terms and conditions are clear and transparent, enabling customers to make an informed choice.

The regulation also mandates greater transparency around currency and exchange rates at the point of sale. Products like dynamic currency conversion are within the scope of this requirement.

2. Complaints

PSD2 requires payment providers to resolve complaints in a timely and appropriate manner. For example, it states that payment providers must respond to certain complaints (e.g. those where a customer is out of funds) within 15 days.

3. Reporting

As part of the new regulations around complaints, PSD2 stipulates how incidents must be reported, whether that be customer complaints, incidents of fraud, system down time, or something else. There are now clear timeframes that dictate how providers have to report incidents to the relevant authority.

4. Earmarking of funds

Another important point relates to the earmarking of funds. PSD2 requires card issuers to make funds available to customers as soon as the final amount is known.

To give an example, in some sectors (e.g. car rental or hotels) a pre-authorisation amount might be taken to confirm a booking. In this instance, an estimated amount will be earmarked or ring-fenced in the customer’s account before the final amount is confirmed at a later date.

When the final amount is confirmed, there is an obligation for the merchant to inform their acquirer who must then instruct the issuer to release those funds. This ensures that the open-to-buy balance is released to customers at the earliest possible opportunity.

5. Surcharging

The final part of PSD2 that aims to improve consumer rights is the prohibition of surcharges on certain consumer card transactions, adding to the existing IFR (Interchange Fee Regulation) that came into force in June 2015.

The products affected include consumer credit cards, debit cards, and pre-paid cards, with surcharging banned on those products across the EU.

Commercial cards aren’t necessarily subject to the same rules on surcharging. EU member states are able to legislate against surcharging on commercial cards if they choose – France, Italy and Sweden are among the countries who have gone down this route. The UK has decided to allow surcharging on commercial cards, alongside Germany and the Netherlands.

Prior to PSD2 97% of online transactions were frictionless.

Reducing fraud and enhancing security

PSD2’s new SCA (Secure Customer Authentication) requirement will have a big impact on the way merchants take payments from customers. It introduces a two-factor ID requirement for certain transactions, potentially creating additional friction at the checkout.

In order to make a payment, customers will be required to provide two forms of ID from the following three options:

  • Knowledge:  something only the customer knows, such as a PIN or password.
    Possession:  something only the customer has, such as a mobile phone or payment card.
    ​Inherence:  something unique to the customer, such as their fingerprint.

    ​In the first draft of PSD2 this two-factor process was applied to all transactions, however the payments industry has successfully lobbied for certain exemptions.

The full list of exemptions is set out in the Regulatory Technical Standards, including:

Face-to-face contactless payments: In a ‘card present’ scenario, the convenience of contactless at point-of-sale would remain, however customers will be asked to complete a Chip and PIN transaction when they reach the maximum total contactless spend, or have exceeded the card issuer's limits for consecutive contactless transactions since they were last authenticated

Online payments: single transactions must be less than €30, up to a maximum of €100 or five transactions.

Transaction risk analysis: a transaction can be exempted from SCA if it is “low risk”. This exemption is subject to certain requirements and conditions being met.

Corporate payments: this includes ‘secure virtual payments’, such as virtual cards or B2B cards. The transaction must be initiated by a legal person (e.g. a business) rather than a consumer.

: consumers can whitelist merchants so that all future transactions with that merchant do not require additional security checks.

Recurring payments: this refers to recurring payments made to the same merchant for the same amount.

What is PSD2?

Open Banking

Third-party access and Open Banking have gained lots of attention since the arrival of PSD2. These created a requirement for ASPSPs (Account Servicing Payment Service Providers - such as banks - to enable third-party providers – known as AISPs (Account Information Service Providers), PISPs (Payment Initiation Service Providers) and CBPIIs (Card Based Payment Instrument Issuers) – to access bank accounts and create entirely new, independent services.

As with other elements of PSD2, the aim here is to give consumers greater visibility and control over their finances.


PISPs are digital services that enable a push payment directly from a customer’s bank account to a merchant. Put simply, it’s like a simple pay button for an ecommerce transaction with the PISP providing the link between the customer’s bank account and the retailer.

The idea is to remove the need for a card, creating a new payment experience for consumers. Currently, it only really relates to ecommerce transactions – it doesn’t yet translate to face-to-face purchases.


AISPs are consumer services that aggregate a person’s financial data in one place. For example, you could consent to allow a comparison site to aggregate all your bank account information, loans and other financial products. This would give you a better view of your spending and the option to switch if better rates are available.


Card Based Payment Instrument Issuers (CBPII) are organisations that issue card-based payment instruments which can be used to initiate a payment transaction from a payment account held with another payment service provider (such as Barclaycard). CBPIIs may opt to carry out a Confirmation of Funds (CoF) check on your account before executing a transaction. This lets them know if there are enough funds available on your account to execute the transaction.

...the aim is to give consumers greater control and visibility over their finances.

PSD2 Timetable

The new EU regulation Payment Services Directive 2 (PSD2) is an industry-wide regulation, introduced in 2018 to make online transactions safer and more secure.

The SCA requirements and third-party access framework came in to force in September 2019. The SCA enforcement date is 14 March 2022 in the UK, and the EEA deadline was 31 December 2020.

For more, read our article on the new SCA deadline and what it means for merchants.

Brace yourself for PSD2

Designed to tackle the rising levels of fraud, Payment Services Directive 2 (PSD2) is now in effect. To help you, we’ve put together all the important info you need, including insights into how it’ll impact your business in one place.