PSD2 Compliance Checklist for Online Businesses

The Revised Payment Services Directive (PSD2) is a regulatory framework introduced by the European Union to enhance security, innovation, and competition in the payments industry.

With PSD2, businesses offering payment services, including online businesses, are required to comply with stricter security standards, particularly around customer authentication. For online businesses, especially those involved in e-commerce or providing payment services, understanding and adhering to PSD2 is crucial to avoid fines, protect customer data, and keep transactions flowing smoothly.

In this article, we present a comprehensive PSD2 compliance checklist for online businesses. Following this checklist will help you meet regulatory requirements and secure your online transactions.

What is PSD2 Compliance?

The Payment Services Directive 2 (PSD2) came into effect in January 2018 (in the UK it is implemented by the Payment Services Regulations 2017, which continue to apply after Brexit), aiming to improve the security of online payments, enhance consumer protection, and promote innovation in payment services across the EU. Its detailed security rules, including Strong Customer Authentication (SCA), are set out in the Regulatory Technical Standards (RTS) on SCA, which applied from 14 September 2019. PSD2 requires payment service providers to implement these measures and to give authorised third-party providers secure access to payment accounts; online businesses that accept payments are affected through the requirements their providers pass on to them.

Key objectives of PSD2 include:

  • Enhanced security for online payments.
  • Consumer protection, especially for online shoppers.
  • Access to payment accounts by third-party payment service providers.
  • Improved fraud prevention across payment channels.

For online businesses, complying with PSD2 ensures they are legally operating in the EU market and that their payment systems are secure.

Key PSD2 Requirements for Online Businesses

Before we dive into the checklist, let’s review the key PSD2 compliance requirements that online businesses need to follow:

1. Strong Customer Authentication (SCA)

SCA requires that the customer's payment service provider authenticates an online payment using at least two independent factors from the following categories, so that compromise of one factor does not compromise the others:

  • Something the customer knows (e.g., a password or PIN).
  • Something the customer has (e.g., a phone or security token).
  • Something the customer is (e.g., biometric verification like a fingerprint).

For remote payments the authentication is also dynamically linked to the specific amount and payee, so an authentication code cannot be reused for a different transaction.

2. Third-Party Payment Providers (TPPs)

PSD2 allows third-party providers to access payment accounts with customer consent. This includes:

  • Payment initiation services (PIS): Facilitating payments on behalf of a customer.
  • Account information services (AIS): Aggregating account information from different providers.

3. Transparent Fees and Conditions

Businesses must clearly inform customers about payment-related fees, the exchange rates used, and any other applicable charges.

4. Security of Payment Data

Online businesses must implement measures to protect payment data and ensure its integrity during the transaction process. This includes protecting data during transmission and storing it securely.

PSD2 Compliance Checklist for Online Businesses

Below is a PSD2 compliance checklist for online businesses to ensure you meet all the necessary requirements and safeguard your online payment systems.

1. Implement Strong Customer Authentication (SCA)

One of the most important aspects of PSD2 is Strong Customer Authentication (SCA). The authentication itself is performed by the customer's bank or card issuer, but your checkout has to support it: for card payments that means sending transactions through 3-D Secure 2 (3DS2), so the issuer can verify two or more independent factors from the following:

  • Knowledge Factor: Something the customer knows, such as a password or PIN.
  • Possession Factor: Something the customer has, such as a mobile phone or security token.
  • Inherence Factor: Something the customer is, such as a fingerprint, facial recognition, or voice recognition.

Action Steps:

  • Review your checkout so every in-scope transaction (customer-initiated, remote, with both payment providers in the EEA or UK) is routed for SCA. Merchant-initiated transactions such as subscription renewals, and mail or telephone orders, are outside SCA's scope, but the customer's first authenticated payment is what sets up such a mandate.
  • Make sure your payment gateway supports 3DS2, including the frictionless flow, and understand which exemptions your PSP can request on your behalf (low-value, transaction risk analysis, trusted beneficiaries, recurring payments). An exemption is only a request: the issuer may still challenge.
  • Work with your payment service provider (PSP) to implement SCA for all online transactions, including saved-card and recurring flows.
  • Test the SCA features end to end: the challenge flow on mobile devices, declined and abandoned authentications, and what happens when a requested exemption is refused.
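As an added example of how the routing described in these steps can be implemented on the merchant side (illustrative code written for this article, not code from any PSP or from the original checklist): the function below decides whether a card transaction is outside the scope of SCA, can be submitted with a low-value or transaction-risk-analysis (TRA) exemption request, or must go to a 3DS2 challenge. The thresholds are the ones in the PSD2 RTS on SCA (Delegated Regulation (EU) 2018/389, Articles 16 and 18). The per-card counters, the acquirer's reference fraud rate and the `low_risk` flag are assumed inputs that your PSP or risk engine would supply; the final decision always rests with the issuer.

```python
"""Merchant-side SCA routing for a card payment under PSD2 (added example, not a PSP API)."""
from dataclasses import dataclass
from decimal import Decimal
from enum import Enum


class Route(Enum):
    OUT_OF_SCOPE = "out_of_scope"          # SCA does not apply to this transaction
    LOW_VALUE_EXEMPTION = "exemption:low_value"
    TRA_EXEMPTION = "exemption:tra"
    CHALLENGE = "challenge"                # send through the 3DS2 challenge flow


@dataclass
class Transaction:
    amount_eur: Decimal
    customer_present: bool = True          # False for mail/telephone order (MOTO)
    merchant_initiated: bool = False       # e.g. a subscription renewal under an existing mandate
    both_psps_in_eea: bool = True          # False is "one-leg-out": SCA cannot be enforced
    low_risk: bool = False                 # verdict of the real-time risk analysis (assumed input)


@dataclass
class LowValueCounters:
    """Activity on this card since the last successful SCA (assumed per-card state)."""
    amount_since_sca_eur: Decimal = Decimal("0")
    count_since_sca: int = 0


# Thresholds from the RTS on SCA (Delegated Regulation (EU) 2018/389), Art. 16 and Art. 18.
LOW_VALUE_MAX = Decimal("30")
LOW_VALUE_CUMULATIVE_MAX = Decimal("100")
LOW_VALUE_COUNT_MAX = 5
TRA_THRESHOLDS = (
    (Decimal("0.0001"), Decimal("500")),   # fraud rate <= 0.01 %  -> TRA up to EUR 500
    (Decimal("0.0006"), Decimal("250")),   # fraud rate <= 0.06 %  -> TRA up to EUR 250
    (Decimal("0.0013"), Decimal("100")),   # fraud rate <= 0.13 %  -> TRA up to EUR 100
)


def tra_threshold(fraud_rate: Decimal) -> Decimal:
    """Largest amount the TRA exemption may cover for a given reference fraud rate."""
    for ceiling, threshold in TRA_THRESHOLDS:
        if fraud_rate <= ceiling:
            return threshold
    return Decimal("0")                    # fraud rate too high: no TRA exemption at all


def route_transaction(tx: Transaction, counters: LowValueCounters,
                      acquirer_fraud_rate: Decimal) -> Route:
    """Decide how the merchant submits the transaction to its PSP / 3DS2 server."""
    # 1. Scope: SCA applies to payer-initiated remote electronic transactions where both
    #    PSPs are in the EEA. MOTO, merchant-initiated and one-leg-out are outside it.
    if not tx.customer_present or tx.merchant_initiated or not tx.both_psps_in_eea:
        return Route.OUT_OF_SCOPE
    # 2. Low-value exemption (Art. 16). The RTS wording allows the two counters to be read
    #    as alternatives; requiring both, and counting this transaction in the cumulative
    #    amount, is the conservative reading used here (never fewer challenges than allowed).
    if (tx.amount_eur <= LOW_VALUE_MAX
            and counters.amount_since_sca_eur + tx.amount_eur <= LOW_VALUE_CUMULATIVE_MAX
            and counters.count_since_sca < LOW_VALUE_COUNT_MAX):
        return Route.LOW_VALUE_EXEMPTION
    # 3. TRA exemption (Art. 18): only if the risk analysis cleared the transaction and
    #    the amount is within the band the acquirer's fraud rate allows.
    if tx.low_risk and tx.amount_eur <= tra_threshold(acquirer_fraud_rate):
        return Route.TRA_EXEMPTION
    # 4. Otherwise the customer must complete SCA. Even a requested exemption is only a
    #    request; the issuer may challenge regardless.
    return Route.CHALLENGE


def record_outcome(counters: LowValueCounters, tx: Transaction,
                   sca_applied: bool) -> LowValueCounters:
    """Update the per-card counters once the issuer's decision is known."""
    if sca_applied:
        return LowValueCounters()          # a completed SCA resets both counters
    return LowValueCounters(
        amount_since_sca_eur=counters.amount_since_sca_eur + tx.amount_eur,
        count_since_sca=counters.count_since_sca + 1,
    )
```

The counters are the part most often got wrong: the issuer keeps its own and may disagree with yours, so treat `record_outcome` as a hint for choosing what to request, not as the authoritative state, and always handle the `CHALLENGE` path gracefully even when you asked for an exemption.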

2. Secure Customer Payment Data

PSD2 requires payment data to be protected throughout the transaction. In practice this means encryption in transit, tokenisation of card details, and secure storage of whatever customer data you genuinely need to keep.

Action Steps:

  • Use TLS 1.2 or later for every connection that carries payment data, and disable SSL and early TLS versions, which are obsolete and insecure.
  • Collect card details through your PSP's hosted payment page or hosted fields and store only the token it returns, so raw card numbers never reach your servers; this also keeps your PCI DSS scope small.
  • Regularly audit and update your security infrastructure (patching, dependency updates, penetration testing) to address vulnerabilities.

3. Provide Transparent Pricing and Terms

Under PSD2, businesses must clearly inform customers about any payment fees, exchange rates, or terms that apply to their transactions. Failure to do so can result in fines and customer dissatisfaction.

Action Steps:

  • Clearly display fees for your products or services, including processing charges, delivery fees, and currency conversion charges.
  • Include a clear, accessible statement of your payment terms and conditions, outlining how and when payments are taken, any potential delays, and what customers should expect.

4. Comply with Third-Party Provider (TPP) Access Rules

PSD2 introduces the concept of Third-Party Providers (TPPs), such as Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs), which can access customer payment accounts with the customer's consent. The duty to open up accounts falls on banks and other account-servicing providers; for an online business the practical points are to use only TPPs that are properly authorised and to make consent flows clear, protecting both you and your customers.

Action Steps:

  • Ensure that any TPPs you work with are authorised or registered with the relevant national competent authority (the FCA in the UK) and appear in the FCA register or the EBA's central register of payment institutions.
  • Provide clear instructions for customers on how to grant, review and withdraw consent for third-party access to their accounts.
  • Set up secure channels to share payment information with authorised third parties, ensuring full compliance with data protection laws.

5. Monitor and Prevent Fraud

To comply with PSD2, your online business must actively monitor for fraud and have systems in place to detect and prevent fraudulent activity during payment processing. This typically combines 3-D Secure 2 (3DS2), which lets the issuer authenticate the customer, with risk scoring of transaction patterns (velocity, device, geography, order history). Your fraud rate also matters for SCA itself: the transaction risk analysis exemption is only available while the acquirer's reference fraud rate stays below the thresholds set in the RTS, so fewer fraud losses mean fewer challenges for your customers.

Action Steps:

  • Implement 3DS2 for all card transactions in scope of SCA.
  • Use fraud prevention systems that monitor transaction patterns and flag suspicious behaviour before authorisation, not only after a chargeback.
  • Regularly review and update your fraud prevention rules and policies as attack patterns change.

6. Regularly Review and Update Your Security Measures

Security is an ongoing process, and as the threat landscape evolves, your security measures need to evolve with it. Regularly updating your systems and procedures is critical to staying compliant with PSD2.

Action Steps:

  • Conduct regular security audits and penetration tests to identify and address vulnerabilities.
  • Stay informed about changes to PSD2 regulations and guidance and adjust your compliance strategies accordingly.
  • Automate the checks you can, such as alerts when SCA challenge, exemption or decline rates shift unexpectedly, and review the results on a fixed schedule.

Conclusion: Staying Compliant with PSD2

Compliance with PSD2 is critical for online businesses offering payment services or selling products and services online. By following the PSD2 compliance checklist outlined above, you can ensure that your online payment processes meet the regulatory standards, protect customer data, and provide a secure environment for your customers.

Staying on top of compliance isn’t just about avoiding fines—it’s about protecting your business and building trust with your customers. Ensuring a secure payment process not only meets regulatory requirements but also enhances the user experience, driving more customers to your website and fostering long-term loyalty.

Need help implementing PSD2 compliance?
Contact Authorised Compliance today to get expert guidance on navigating PSD2 regulations and implementing robust security measures for your online business.


Authorised Compliance Ltd is a company incorporated in England & Wales, with company registration number 15833435. Our registered address is: The Motorworks, Chestergate, Macclesfield, England, SK11 6DU. We are not currently authorised or regulated by the Financial Conduct Authority (FCA). We are registered with the Information Commissioner's Office under registration reference C1588780.

© 2025, Authorised Compliance Ltd.
