verified_user
Standardful
Homechevron_rightStandardschevron_rightPSD2
ActiveInternational Standardupdate Standard Updated: September 2019fact_check Fact checked: Jun 28, 2026

PSD2

Revised Payment Services Directive — Directive (EU) 2015/2366

apartmentPublishing Organization:European Union

Standard Introduction

PSD2 is an active standard published by European Union. It is commonly used across Finance & Banking, Technology, Services, Retail and applies in European Union, European Economic Area.

Use this page to review the official documentation, current status, and the certification or assessment bodies most commonly associated with PSD2.

Implementation Roadmap

1
Phase 1schedule Duration: 3-6 weeks

Define EU payment services compliance scope

Identify the products, services, systems, entities, jurisdictions, teams, vendors, data flows, and stakeholders covered by PSD2. Confirm owners, boundaries, applicable obligations, documentation, and evidence expectations for payment service authorization, strong customer authentication, secure communication, open banking interfaces, operational and security risk, incident reporting, safeguarding, customer information, complaints, liability, outsourcing, and regulatory reporting.

2
Phase 2schedule Duration: 4-10 weeks

Assess obligations and gaps

Compare current practices with the expected EU payment services compliance approach. Review licensing governance, SCA implementation, API security, consent management, fraud monitoring, incident reporting, safeguarding controls, customer disclosure, complaint handling, outsourcing oversight, operational risk controls, and regulator communications, then prioritize gaps by legal exposure, user or safety impact, customer commitments, operational dependency, reporting deadlines, and assurance readiness.

3
Phase 3schedule Duration: 8-24 weeks

Implement controls and evidence

Deploy required procedures, technical controls, review gates, training, supplier workflows, reporting paths, and operational records. Maintain authorization files, policies, SCA test results, API logs, consent records, fraud alerts, incident reports, safeguarding reconciliations, customer communications, complaint logs, outsourcing files, risk reports, and supervisory correspondence as traceable evidence.

4
Phase 4schedule Duration: Ongoing

Review, report, and improve

Run management reviews, internal checks, technical testing or independent assessments where applicable, corrective actions, and change reviews. Refresh the program when products, vendors, laws, incidents, reporting cycles, or stakeholder expectations change.

Compliance Checklist

0 / 12

checklist Scope and accountability

checklist Controls and records

checklist Monitoring and assurance

Frequently Asked Questions

Who needs PSD2?

expand_more

PSD2 is most relevant to payment institutions, electronic money institutions, account servicing payment service providers, third-party providers, banks, fintechs, and payment platforms operating in the EU/EEA. The exact scope depends on products, services, jurisdictions, reporting duties, customer commitments, technical requirements, and the organization's role in the relevant ecosystem.

Is PSD2 certifiable?

expand_more

PSD2 is an EU legal framework implemented through national law and regulatory technical standards, not a certification. Payment service providers need authorization, governance, security, customer rights, and reporting controls.

What should implementation focus on first?

expand_more

Start by defining scope, obligations, accountable owners, and the evidence expected by regulators, customers, auditors, assurance providers, or governance bodies. Then perform a gap assessment against current controls and prioritize remediation by risk and deadline.

What evidence is useful for PSD2?

expand_more

Useful evidence includes authorization files, policies, SCA test results, API logs, consent records, fraud alerts, incident reports, safeguarding reconciliations, customer communications, complaint logs, outsourcing files, risk reports, and supervisory correspondence. Evidence should be version-controlled, attributable to owners, linked to obligations and controls, and retained for the required review or audit period.

How often should the program be reviewed?

expand_more

Review it at planned intervals and whenever laws, products, vendors, incidents, reporting cycles, customer commitments, technical standards, or assurance expectations change. Higher-risk obligations should have more frequent monitoring and management reporting.

Official Documentation

View All

Related Categories