The Second Payment Services Directive

PSD2 is not just a regulation but introduces new business opportunities by breaking down the bank’s monopoly on their client’s account data. It allows PSPs (such as merchants) to retrieve account data from the bank, naturally, with the client’s permission. This eases the online payment process as PSPs shall be able to make a payment in customers name, without having to redirect them to another service (like PayPal or Visa).

New players in the payments ecosystem

The second Payment Services Directive applies to all entities which provide payment services within the European Union;

  • Account servicing payment service provider (ASPSPs): a payment service provider providing and maintaining a payment account for a payer, e.g. banks, card processors.
  • Account Information Service Providers (AISPs): online service to provide consolidated information on one or more payment accounts held by the payment service user with either another payment service provider or with more than one payment service provider; e.g. banks or 3rd parties.
  • Payment Initiation Service Providers (PISPs): initiate a payment order at the request of the payment service user with respect to a payment account held at another payment service provider;
  • Payment service providers (PSPs): credit institutions (banks) or electronic money institutions, post offices entitled to provide payments under national law, central banks & ECB (non-authoritative role), payment institutions.



PSD2 directive applies to all payment services provided within the European Union and the European Economic Area (EEA). As explained by the commission, the aim of the legislation is to improve innovation, reinforce consumer protection and improve the security of Internet payments and account access within the EU and EEA.

Who and what

Banks are mandated to provide the PSPs access to their customers’ accounts through opening their APIs allowing them to build customised payment services on top of banks’ data and infrastructure.

PSPs will have to comply with the regulatory requirements under PSD2 and potentially apply for a license under the PSD2 in order to keep their business compliant. The PSD2 licensee is allowed to passport this licence to other EU/EEA member states (single licence regime), which allows them to provide their services in those countries.


Without the licence, as of January 13th, 2018 parties qualifying as a PSPs are prohibited to offer their services.


The European Banking Authority (EBA) has developed draft Regulatory Technical Standards (RTS) specifying the requirements for strong customer authentication (SCA), the exemptions from the application of SCA, the requirements related to the confidentiality and the integrity of the payment service users’ personalised security credentials, and the requirements for common and secure open standards of communication (CSC) between various parties in the payment process. These requirements will be applicable 18 months after entry into force, which would suggest an application date of the RTS in November 2018 at the earliest.

PSD2 Advisory Services

The aim of PSD2 advisory services is to help our clients overcome strict requirements posed by PSD2 enabling compliance and lawfulness of their business. We already have a vast experience in addressing compliance security challenges in various industry fields, especially banking and finance, and doing so against different standards.


As a lead company dealing with IT Security, IT Audit and Risk and Compliance we have established partnerships with experienced legal advisory companies who specialise in legal aspects of the legislation on the EU level. This enables us to provide a wide range of services to our clients which cover:
  • Interpretation of PSD2 legal implications specific to client´ technical s business
  • Business activities analysis on liability under the PSD2
  • Analysis and advisory of related business payment processes
  • Assurance audits covering processes, operations, policies and procedures assessments
  • Mitigation guidance on any found issues and operational support
  • Supporting IT security audits and consultancy

Governance & Risk Management Framework

PSD2 compliance is an ongoing process and requires PSPs to establish a formal governance process by introducing an effective operational and security risk management framework for the provision of payment services. Identification and control of risks is of essence and in this context, Article 95 of the PSD2 requires PSPs to conduct an updated and comprehensive assessment of operational and security risks and the adequacy of the mitigation measures at least on a yearly basis.

We will help PSPs in establishing this framework and propose security measures to mitigate operational and security risks which should be fully integrated into the Third Party Provider’s (TPP) overall risk management processes which includes setting up comprehensive security policies setting the risk appetite of the TPP, its security objectives and measures; risk management policies and procedures, as well as the necessary procedures and systems to identify, measure, monitor and manage the range of risks.


To mitigate any issues related to business supporting IT services, and as required by Article 3 of the PSD2 RTS, we shall perform in-depth security audits against the RTS. For this purpose, we have developed a technical guidance framework which enables us to easily assess the any system and pinpoint exact technical gaps in your IT environment.

Our technical consultancy and advisory services provide straightforward PSD2 scoping, testing the required security controls, such as penetration tests, vulnerability scans, application security tests, up to providing technical guidance on mitigating any found issues on any part of the payment transaction processing system, may it be back-end, authorisation, fraud monitoring, web application or mobile application frontend.