Banking management with apps and PSD2 compliance

  • PSD2 promotes open banking by opening banks' infrastructure to authorized third parties (PIS and AIS) through secure APIs.
  • Strong customer authentication (SCA) requires two factors (knowledge, possession, inherence) for online payments and account access.
  • Merchants and PSPs must adapt their gateways with technologies such as 3D Secure 2.0 to reduce fraud and comply with regulations.
  • For businesses and users, PSD2-compliant banking apps enable integrated, more secure and competitive financial management.


Managing bank accounts through Android apps that comply with PSD2 has become commonplace for businesses and users alike. Online payments, mobile banking, financial aggregators: all of it rests on this European directive, which has completely changed the game in terms of security, competition and innovation in payment methods.

If you have noticed that your bank now asks for a second verification to log in or to pay, that there are apps that connect to several banks at once, or that coordinate cards are hardly used anymore, PSD2 and the push for so-called open banking are to "blame". Let's calmly break down what it is, how it works, and what it means for businesses, banks, fintech companies and customers.

What is PSD2 and why is it being talked about so much?

PSD2, the European Union's Second Payment Services Directive (Payment Services Directive 2), regulates how payment services are provided and supervised within the European Economic Area. It originated as a revision of the first PSD of 2007, which already sought to promote a single market for payments in the EU but had fallen short in the face of the boom in e-commerce, online banking and fintech.

With this revision, the European Commission pursued three major goals: strengthening the security of transactions, better protecting consumers, and increasing competition and innovation in the financial sector. All of this lays the foundations for what is known as open banking, where banking data is no longer locked inside each bank and can be shared with third parties in a controlled and secure manner.

The directive was implemented in stages from January 13, 2018. The major milestone, however, was the entry into force of the strong authentication and third-party access obligations on 14 September 2019. So as not to "break" electronic commerce, the European Banking Authority allowed an additional transition period that ran until December 31, 2020 at the latest.

Main new features introduced by PSD2

The most striking change is the obligation for banks to open their payment infrastructure to authorized third-party companies, known as TPPs (Third Party Providers). This brings new types of regulated services and redefines the security of online payments through strong customer authentication (SCA).


Payment Initiation Services (PIS)

Payment initiation services, or PIS, allow a third party to initiate a payment directly from the customer's bank account. The TPP app or platform fills in the transfer details (amount, IBAN, description) and notifies the merchant that the transaction has been successfully initiated.

Thanks to PSD2, a user can pay from their bank's app with any of their accounts, even those held at other institutions, provided they have given their consent and the appropriate technical integration exists. This streamlines online payments and reduces intermediaries, while giving the customer more control over how and from where they pay.

Account Information Services (AIS)

Account Information Services (AIS) focus on collecting and storing data from multiple bank accounts belonging to the same client in a single environment. The person or company thus obtains a global view of their financial situation and can easily analyze income, expenses, savings and financing needs.

These financial aggregation solutions are the foundation of many apps for advanced banking management and tools for businesses that automate reconciliation, reporting, and treasury analysis. Before PSD2, TPPs offering these types of services encountered legal and technical barriers that prevented them from scaling up their model to a European level.

Opening up to third parties and the end of “screen scraping”

With PSD2, banks are required to provide standardized and secure access to accounts for these providers. In practice, this translates into open banking APIs. Although the directive does not explicitly mention the term API, the industry consensus is that they are the most reasonable technical means of complying with the standard.

By regulating access, the aim is also to curtail unsafe techniques such as screen scraping, in which an app stored the customer's own banking credentials, logged in to the bank's website as if it were the customer and parsed the rendered pages. The bank could not tell the third party from the customer, and the third party held full credentials rather than a limited grant. Under the new regulations, TPPs must be registered, authorized and supervised by the competent authorities, operate through secure interfaces and always have the explicit consent of the client.

Strong Customer Authentication (SCA): The New Security Standard


The other major component of PSD2 is Strong Customer Authentication (SCA). This requirement aims to make online payments and account access much more secure, both on the web and in mobile apps or other electronic channels.

SCA requires, with few exceptions, at least two of these three factors to authorize operations and access:

  • Something you know: a password, a PIN, a pattern, a signature key.
  • Something you possess: a mobile phone, a physical token, a key card, or a device that generates or receives a one-time code.
  • Something you are: biometric data such as a fingerprint, face or iris.

These factors must be independent of each other, so that the compromise of one does not compromise the rest. For example, even if someone steals the password, they will not be able to operate without access to the mobile device or without passing the biometric check. Independence also matters when two factors run on the same phone (the banking app and the SMS, say): the RTS require the bank to mitigate the risk that compromising that one device compromises both factors.

In practice, this means that simply entering the card number, expiry date and CVV is no longer enough. To complete an online purchase, payment usually requires an additional step, such as entering a code received via SMS, approving a notification in the bank's app, or validating with a fingerprint or facial recognition.

Step-by-step online card payments

For a user, the card payment process in an e-commerce store that complies with PSD2 usually looks something like this:

  1. The customer enters the card details (number, cardholder, expiry date and CVV) at the store's checkout.
  2. The merchant sends the payment request, through its payment gateway and the card network, to the issuing bank for processing.
  3. The bank triggers the strong authentication flow: it typically sends an SMS with a one-time code or a push notification to the banking app for the customer to validate with a PIN, fingerprint or other method. Once the identity is verified, the transaction is authorized.

The process usually takes a few seconds. If authentication is not completed correctly, the issuing bank may reject the transaction, sometimes without the consumer being clear about the reason.
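The following is an added example, not code from the article or from any bank it mentions, showing what step 3 above looks like on the issuer's side and how the "two independent factors" rule from the previous section is enforced. Everything in it is assumed for illustration: the issuer stores a PBKDF2 password hash (knowledge), a per-device HMAC secret provisioned into the banking app (possession), and trusts the app's report of an on-device biometric match (inherence). The one-time code is derived from the amount and payee as well as a time window, which goes beyond the article: the RTS under PSD2 require this "dynamic linking" for remote payments so that a code phished for one purchase cannot authorize another.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

CODE_TTL_SECONDS = 120          # assumption: how long a one-time code stays valid
CODE_DIGITS = 6
KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"


@dataclass
class Customer:
    """Constructed issuer-side record; a real bank keeps this in a database/HSM."""
    password_salt: bytes
    password_hash: bytes
    device_secret: bytes                      # provisioned into the banking app at enrolment
    used_codes: set = field(default_factory=set)


def enrol(password: str) -> Customer:
    salt = secrets.token_bytes(16)
    return Customer(
        password_salt=salt,
        password_hash=hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000),
        device_secret=secrets.token_bytes(32),
    )


def code_window(now: int) -> int:
    return now // CODE_TTL_SECONDS


def transaction_code(cust: Customer, amount_cents: int, payee: str, window: int) -> str:
    """Possession factor: a code only the enrolled device can compute.

    Amount and payee are part of the HMAC input, so a code captured for one
    transaction is useless for another (the RTS call this "dynamic linking");
    the time window makes it expire.
    """
    msg = f"{amount_cents}|{payee}|{window}".encode()
    digest = hmac.new(cust.device_secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**CODE_DIGITS:0{CODE_DIGITS}d}"


def _check_knowledge(cust: Customer, password: str) -> bool:
    h = hashlib.pbkdf2_hmac("sha256", password.encode(), cust.password_salt, 200_000)
    return hmac.compare_digest(h, cust.password_hash)


def _check_possession(cust: Customer, code: str, amount_cents: int, payee: str, now: int) -> bool:
    w = code_window(now)
    for window in (w, w - 1):                 # tolerate a code issued just before the boundary
        expected = transaction_code(cust, amount_cents, payee, window)
        if hmac.compare_digest(expected.encode(), str(code).encode()):
            key = (window, code)
            if key in cust.used_codes:        # single use: a replayed code is rejected
                return False
            cust.used_codes.add(key)
            return True
    return False


def verify_sca(cust: Customer, presented, amount_cents: int, payee: str, now: int):
    """presented: list of (category, value) pairs. Returns (authorized, reason).

    Two factors from *different* categories must pass; two passwords, or two
    codes, count as one category and are not enough.
    """
    passed = set()
    for category, value in presented:
        if category == KNOWLEDGE and _check_knowledge(cust, value):
            passed.add(KNOWLEDGE)
        elif category == POSSESSION and _check_possession(cust, value, amount_cents, payee, now):
            passed.add(POSSESSION)
        elif category == INHERENCE and value is True:
            # Assumption: the app reports a successful on-device biometric match
            # over its authenticated channel; the server never sees raw biometrics.
            passed.add(INHERENCE)
    if len(passed) < 2:
        return False, f"{len(passed)} independent factor(s) passed: {sorted(passed)}"
    return True, "authorized with " + "+".join(sorted(passed))
```

The checks that matter in practice are the negative ones: a code reused for a second attempt, a code generated for one amount and presented for another, or a code that has aged past two windows is rejected, and a password presented twice still counts as a single factor.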

Recommendations for paying without problems

To minimize incidents, the user should keep their mobile phone nearby during payment and, preferably, have their bank's app installed with notifications enabled. Many banks are migrating from traditional SMS to in-app confirmation, where the customer receives a notification and validates with biometrics or their own code. The move is not only about convenience: SMS codes can be intercepted or redirected by SIM swapping, whereas an in-app approval is bound to the enrolled device.

If something fails, check that the phone number associated with the account is correct, that the card details were entered correctly and that the received code is typed without errors, respecting upper and lower case letters and digits. If the problem persists, the right channel is the bank's customer service, which can explain the current authentication method and how to set it up.

How access to online banking has changed

SCA does not just affect payments; it has also transformed the way we access online banking and mobile apps. Previously, a username and password were usually enough. Now it is common practice to require a second authentication factor, at least on the first login or periodically.

In many banks, the usual scheme is to combine the usual credentials (username or tax ID plus password, or a fingerprint or facial recognition on the phone) with a temporary code received via SMS or with the approval of a notification in the app. Some banks are using this change to retire the coordinates card for good and replace it with dynamic keys.

Furthermore, the regulation allows banks to apply SCA only at certain moments to make things easier for users. For example, many institutions require strong authentication to consult the account statement only every 90 days, so that during that period the customer can log in with a single factor without repeating the whole process. (That window was later extended to 180 days by an amendment to the RTS; it only covers the balance and the last 90 days of transactions, and initiating a payment still requires SCA.)

This approach has meant that at some banks, such as ING or Targobank, the mobile app is practically mandatory for normal operation. In these cases, when accessing from a computer, a notification is sent to the smartphone to verify identity and authorize both the login and sensitive operations.

Open banking: how banks, apps and businesses connect

PSD2 is also the main driver of open banking. Under this concept, the user can authorize third parties (TPPs) to access their accounts to make payments on their behalf (PISP) or to consult and aggregate financial information (AISP), always within a strong security and privacy framework.

In technical terms, this relies on standardized banking APIs, which allow an online store, management software or financial app to connect with one or more banks to execute payments or download transactions without ever handling the customer's credentials or resorting to insecure practices.

For businesses and e-commerce sites, this brings new players such as PISPs (Payment Initiation Service Providers), which act as intermediaries between the merchant and the customer's bank, and AISPs (Account Information Service Providers), which focus on grouping information on financial products and services on a single platform.
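To make the difference from screen scraping concrete, here is an added example (not the article's code, nor any bank's or TPP's) of what the bank checks on every API call once access is by consent instead of by credentials. It is deliberately simplified: the consent is a bank-signed token, and an HMAC key stands in for the signing key a bank would hold in an HSM and for the eIDAS qualified certificates (QWAC/QSealC) with which real TPPs identify themselves under the RTS. The 90-day consent lifetime, the `registered_roles` lookup (meant to come from the national register) and the revocation set are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Tuple

# Constructed demo key. A real bank signs with an HSM-held key, and the RTS
# require TPPs to identify themselves with eIDAS qualified certificates
# (QWAC/QSealC); both are replaced by a shared HMAC key to keep this self-contained.
BANK_SIGNING_KEY = b"constructed-demo-key-not-for-production"
CONSENT_TTL_SECONDS = 90 * 24 * 3600          # assumption: how long a consent lives

# What each regulated role may do at all, whatever a token claims.
ROLE_CAPABILITIES = {
    "AISP": {"read_balances", "read_transactions"},
    "PISP": {"initiate_payment"},
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_consent(consent_id, tpp_id, role, accounts, permissions, issued_at) -> str:
    """Bank side. Called only after the customer passed SCA at the bank and approved
    exactly these accounts and permissions. The TPP never sees the credentials;
    it receives this scoped, expiring, revocable token instead."""
    body = {
        "cid": consent_id, "tpp": tpp_id, "role": role,
        "accounts": sorted(accounts), "perms": sorted(permissions),
        "iat": issued_at, "exp": issued_at + CONSENT_TTL_SECONDS,
    }
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(BANK_SIGNING_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def authorize_request(token, tpp_id, registered_roles, action, account, now, revoked) -> Tuple[bool, str]:
    """Bank side, on every API call.

    registered_roles: roles the national register lists for tpp_id (assumed to be
    fetched elsewhere). revoked: consent ids the customer has withdrawn."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(BANK_SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"               # forged, or scope edited after issue
    body = json.loads(payload)
    if body["tpp"] != tpp_id:
        return False, "token was issued to a different TPP"
    if body["role"] not in registered_roles:
        return False, f"TPP is not registered as {body['role']}"
    if body["cid"] in revoked:
        return False, "consent revoked by the customer"
    if now >= body["exp"]:
        return False, "consent expired: the customer must authenticate again"
    if action not in ROLE_CAPABILITIES.get(body["role"], set()):
        return False, f"role {body['role']} can never {action}"
    if action not in body["perms"]:
        return False, f"consent does not cover {action}"
    if account not in body["accounts"]:
        return False, "account outside the consented scope"
    return True, "allowed"
```

The order of the checks is the point: the signature is verified before any field is trusted, the role is checked against the register and not only against the token, and an AISP token can never initiate a payment even if its permission list were edited, because the edit would break the signature first. None of this was possible with screen scraping, where the bank saw only a session that looked exactly like the customer's.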


Automated banking management for businesses

Building on this, advanced banking integration solutions emerge, such as PSD2-certified APIs that allow an ERP or management software to connect directly with banks. Tools like IQ Banking Core are an example of a platform that automates the import of transactions and the issuance of payments without having to log in manually to each online banking account.

These solutions, integrated with systems like Business Central and recognized by technology manufacturers, make it easier for companies to manage their treasury from a single environment, reduce errors, speed up reconciliations and ensure that their flows comply with European payment regulations.

Impact on security, accountability and the fight against fraud

One of the key objectives of PSD2 is to drastically reduce fraud in online payments and in access to financial products. SCA, the use of secure APIs and the regulation of TPPs are part of a broader framework that also relates to other regimes such as eIDAS, AML and KYC.

In this context, strong authentication becomes inseparable from identity verification processes. Classic KYC (Know Your Customer) is reinforced with SCA to ensure that the person operating is really who they claim to be, both when starting a relationship (opening an account, registering for a service) and when making sensitive payments.

Facial biometrics and advanced verification

Among SCA methods, facial biometrics is gaining importance as the inherence factor. Advanced facial recognition systems generate a biometric template associated with the user's identity and verify in real time that there is a live person in front of the camera (liveness detection), which is designed to defeat fraud by photo, video or deepfake.

Video identification solutions like VideoID combine dozens of real-time checks using AI and machine learning, from depth detection to dynamic gestures, to ensure that the customer is who they claim to be. They meet the PSD2 and eIDAS requirements for SCA, whereas methods based solely on static selfies or uploaded images do not offer the same level of security.

Changes in liability for fraud

PSD2 also adjusts the distribution of liability when an unauthorized payment occurs. Now the user is liable for at most 50 euros, compared with 150 euros under the previous rules, unless there has been gross negligence or fraud on their part.

This forces banks, PSPs and merchants to strengthen their authentication and fraud prevention controls, because the bulk of the economic risk from fraudulent transactions falls on them. Ticking a compliance box is not enough; it must be demonstrated that appropriate security measures have been implemented.

PSD2 for online stores and payment providers

For e-commerce businesses, PSD2 means adapting to an environment where many transactions are subject to SCA and where issuing banks can reject transactions that do not comply. However, the regulation also provides exemptions (low amounts, recurring transactions, low-risk payments, etc.) that can be applied through payment providers.

Businesses that already had strong authentication methods (such as 3D Secure) have needed fewer structural changes, although they did have to update to newer, more advanced versions. Those without such systems have had to coordinate with their payment gateway provider the migration to PSD2-compliant solutions.

3D Secure 2.0 and automatic compliance

One of the key tools for complying with PSD2 in card payments is 3D Secure 2.0 (EMV 3-D Secure). This protocol adds a verification layer between the cardholder, the issuing bank and the merchant. PSPs like Adyen and MONEI integrate it and route the transactions that fall within the scope of PSD2 to 3D Secure when appropriate.

Among the advantages of 3D Secure 2.0 stand out the reduction of fraud risk, greater protection against chargebacks (liability for an authenticated transaction shifts to the issuer) and the possibility of expanding international business with a high level of security. The protocol was also designed to improve the user experience compared with older versions: it allows "frictionless" flows when the risk of the operation is low, in which the issuer authenticates silently from the device and transaction data the merchant sends, without challenging the cardholder.

In many cases, simply using a modern payment gateway that supports PSD2-compliant authentication and authorization already covers a good part of the merchant's obligations, without the need to develop its own SCA logic.
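Whether a transaction gets challenged or goes through "frictionless" is a decision, and the rules behind it are worth seeing in one place. The block below is an added example (not code from the article, nor from Adyen, MONEI or any issuer) of an issuer-side decision that covers both the account-access window discussed earlier and the payment exemptions this section mentions. The thresholds are the ones in the RTS on SCA (Delegated Regulation (EU) 2018/389): the access window (90 days originally, 180 since the 2022 amendment, and never for transactions older than 90 days), trusted beneficiaries, recurring series, the EUR 30 / EUR 100 / five-transaction low-value limits and the transaction-risk-analysis ceilings of EUR 100, 250 and 500 tied to the PSP's fraud rate. The data model, the `CustomerState` counters and the decision to enforce both low-value limits at once are assumptions of the example; an issuer may also decline an exemption a PSP asks for and challenge anyway.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

DAY = 86_400
# Figures from the RTS on SCA (Delegated Regulation (EU) 2018/389); the 180-day
# access window is the 2022 amendment of the original 90 days.
ACCESS_WINDOW_DAYS = 180
HISTORY_WITHOUT_SCA_DAYS = 90            # Art. 10: only the last 90 days of transactions
LOW_VALUE_LIMIT_CENTS = 3000             # Art. 16: EUR 30 per transaction
LOW_VALUE_CUMULATIVE_CENTS = 10000       #          EUR 100 since the last SCA
LOW_VALUE_MAX_COUNT = 5                  #          or 5 consecutive transactions
TRA_THRESHOLDS = [(50000, 0.0001), (25000, 0.0006), (10000, 0.0013)]   # Art. 18: (ceiling, max fraud rate)


@dataclass
class CustomerState:
    """Constructed issuer-side counters for one customer/card."""
    last_sca_at: Optional[int] = None
    low_value_count: int = 0
    low_value_sum_cents: int = 0
    trusted_payees: set = field(default_factory=set)      # Art. 13 whitelist
    recurring_series: set = field(default_factory=set)    # (payee, amount) pairs already authenticated


@dataclass
class Request:
    kind: str                       # "account_access" | "remote_card" | "moto" | "mit"
    now: int
    amount_cents: int = 0
    payee: str = ""
    history_days: int = 0           # account_access: how far back the requested transactions go
    recurring: bool = False
    acquirer_fraud_rate: Optional[float] = None   # set when the PSP asks for the TRA exemption


def sca_decision(req: Request, state: CustomerState) -> Tuple[bool, str]:
    """Return (sca_required, reason). The caller challenges the customer when True
    and calls record_sca() afterwards. Low-value counters are updated here."""
    if req.kind in ("moto", "mit"):
        return False, f"{req.kind} is out of scope of SCA (customer not present)"
    if req.kind == "account_access":
        if state.last_sca_at is None:
            return True, "first access: SCA required"
        days = (req.now - state.last_sca_at) // DAY
        if days >= ACCESS_WINDOW_DAYS:
            return True, f"last SCA {days} days ago, beyond the {ACCESS_WINDOW_DAYS}-day window"
        if req.history_days > HISTORY_WITHOUT_SCA_DAYS:
            return True, f"transactions older than {HISTORY_WITHOUT_SCA_DAYS} days always need SCA"
        return False, "balance and recent transactions within the window (Art. 10)"
    if req.kind == "remote_card":
        if req.payee in state.trusted_payees:
            return False, "trusted beneficiary (Art. 13)"
        if req.recurring and (req.payee, req.amount_cents) in state.recurring_series:
            return False, "recurring series already authenticated (Art. 14)"
        # The RTS let the issuer pick either the cumulative-amount or the count
        # limit; enforcing both is the stricter choice.
        if (req.amount_cents <= LOW_VALUE_LIMIT_CENTS
                and state.low_value_count < LOW_VALUE_MAX_COUNT
                and state.low_value_sum_cents + req.amount_cents <= LOW_VALUE_CUMULATIVE_CENTS):
            state.low_value_count += 1
            state.low_value_sum_cents += req.amount_cents
            return False, "low-value remote payment (Art. 16)"
        if req.acquirer_fraud_rate is not None:
            for ceiling, max_rate in TRA_THRESHOLDS:
                if req.amount_cents <= ceiling and req.acquirer_fraud_rate <= max_rate:
                    return False, f"transaction risk analysis up to EUR {ceiling // 100} (Art. 18)"
        return True, "no exemption applies: challenge the customer"
    raise ValueError(f"unknown request kind: {req.kind}")


def record_sca(req: Request, state: CustomerState) -> None:
    """After a successful challenge: reset the low-value counters and remember
    a recurring series so later instalments can use Art. 14."""
    state.last_sca_at = req.now
    state.low_value_count = 0
    state.low_value_sum_cents = 0
    if req.recurring:
        state.recurring_series.add((req.payee, req.amount_cents))
```

Two details are easy to get wrong when implementing this for real: the low-value counters must be reset by a successful SCA, otherwise a customer is challenged forever after their fifth small purchase, and the first instalment of a recurring series must itself be authenticated before later ones can skip the challenge.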

Which operations are included and excluded from the scope of PSD2?

PSD2 applies to a wide range of electronic payments in the European Economic Area. However, some scenarios fall outside its scope or benefit from exemptions. For example, transactions initiated by phone or email (mail order / telephone order) or certain payments with anonymous prepaid cards may not require SCA.

Furthermore, the directive extends its geographic scope to "one-leg" transactions, where only one party (the bank or the customer) is in the EU: the EU-side provider must still meet its obligations, applying SCA on a best-effort basis when the other provider is outside the EEA. This affects both the authentication method and aspects such as the prohibition of surcharges for certain payment methods in countries like Spain.

Relationship with other regulations: eIDAS, AML and KYC

PSD2 does not exist in isolation. It is part of a regulatory ecosystem that includes eIDAS (identity and trust services), anti-money-laundering (AML) rules and Know Your Customer (KYC) processes. Together, these regulations aim to ensure that the digital economy develops on safe, traceable and reliable processes.

Specialized providers, such as Signicat and other RegTech companies, offer "compliant" solutions that combine digital identity, electronic signature, SCA, KYC and AML so that banks, fintechs and organizations can operate across the EU with legal safeguards and a seamless user experience. Many of these solutions include practical guides, such as tutorials for installing digital certificates, that ease implementation.

For financial companies, this is both a challenge and an opportunity: those that automate these processes well will be able to scale their business, reduce fraud and friction, and gain customer trust across multiple markets.


Ultimately, PSD2 and open banking have shaped an ecosystem where banking apps, online stores, fintechs and large platforms cooperate on secure, regulated infrastructure, offering more options and control to the user.

Understanding how strong authentication, PIS/AIS services, banking APIs and the new division of liability work is no longer just for technicians or lawyers: it is key for any business that wants to offer reliable digital payments and for any user who wants to navigate today's online banking with confidence.