What is PSD2 & how does it impact authentication requirements?

Q: What is PSD2 & how does it impact authentication requirements?

The Revised Payment Services Directive (PSD2) is a European regulation requiring Strong Customer Authentication (SCA) for online payments. It mandates at least two independent authentication factors from knowledge (passwords), possession (devices), or inherence (biometrics). PSD2 also enforces dynamic linking for secure payment approvals. Enterprises must comply to avoid fraud liability, and passkeys provide an SCA-compliant solution with phishing resistance and biometric authentication.

What is PSD2?#

The Revised Payment Services Directive (PSD2), formally known as Directive (EU) 2015/2366, is a European regulation designed to enhance security in digital payments. It mandates Strong Customer Authentication (SCA) to reduce fraud and ensure secure transactions.

PSD2 was implemented by the European Parliament and further specified through regulatory technical standards (RTS) set by the European Commission. The European Banking Authority (EBA) provides guidance on its application.

How does PSD2 impact authentication requirements?#

Under PSD2, SCA is required for online payments and certain account access scenarios. This means that users must authenticate transactions using at least two independent authentication factors from different categories:

Something the user knows – e.g., a password or PIN
Something the user has – e.g., a mobile device, security token, or smart card
Something the user is – e.g., a fingerprint, facial recognition, or other biometrics

For a payment or login to comply with PSD2, authentication must include two of these elements, ensuring that if one factor is compromised, the others remain secure.

Additional Requirements: Dynamic Linking#

Beyond authentication factors, PSD2 mandates dynamic linking for payment approvals. This means:

Each transaction must be uniquely linked to a specific amount and recipient.
If any details change, a new authentication is required.

Why is PSD2 important for enterprises?#

For banks, fintechs, and online merchants, PSD2 compliance is crucial to avoid liability for fraudulent transactions. Organizations must:

Implement SCA-compliant authentication flows (e.g., passkeys, OTPs, or device-based authentication).
Ensure regulatory compliance to avoid penalties.
Improve customer experience by balancing security and usability.

Get free passkey whitepaper for enterprises.

Get for free

Are passkeys PSD2-compliant?#

Yes. Passkeys, based on WebAuthn and FIDO2 standards, meet PSD2's SCA requirements because they:

Use biometric authentication (something the user is).
Bind authentication to a specific device (something the user has).
Ensure phishing resistance and eliminate password-related risks.

With PSD3 on the horizon, passkeys provide a future-proof, user-friendly authentication method for enterprises looking to enhance security while maintaining compliance.