With the revised Payment Service Directive (PSD2), which the member states have transposed into national law, the EU legislator intends to accommodate the increasing digitization of payment transactions in Europe by enhancing consumer protection, promoting the introduction of technical innovations, and increasing legal certainty.
Strong Customer Authentication (SCA)
One of the main elements of the PSD2 is the obligation to apply Strong Customer Authentication (SCA), which stipulates the use of two independent elements when accessing accounts, making electronic payments, or involving third-party service providers.
This means that all online and card payments must be confirmed by independent elements in two of the three categories: knowledge (e.g., password or PIN), possession (e.g., smartphone), and inherence (biometric identification, e.g., via a fingerprint). Referred to as two-factor authentication, or 2FA, the procedure enables card-issuing institutions (issuers) to verify a payer’s identity before authorizing a transaction.
The SCA requirements are detailed in the Commission Delegated Directive 2018/389 (SCA RTS).
General scope of the PSD2
Basically, the PSD2 applies to all payment services rendered in the EU by service providers residing in the EU. One Leg Out transactions, which involve acquirers or issuers residing outside the EU, are exempt from the PSD2.
Exemptions for corporate payment
To ensure reasonable application of SCA and prevent complications in B2B payment transactions, the RTS exempts some corporate payment products from the obligation to apply two-factor authentication under certain specified circumstances.