PSD2

PSD2 is the EU payments directive that mandates Strong Customer Authentication and opens bank data access to licensed third parties.

PSD2 (the second Payment Services Directive) is the European Union regulation that governs electronic payments across the EEA. Its two headline effects are mandating Strong Customer Authentication on most online card payments and requiring banks to open account access, through APIs, to licensed third-party providers — the foundation of open banking.

What PSD2 requires

  • Strong Customer Authentication — many online and contactless payments must be verified with two independent factors, enforced by the customer's issuer.
  • Open banking access — banks must let authorized providers initiate payments and read account data with the customer's consent.
  • Consumer protections — clearer rules on liability, refunds, and surcharging.

The SCA rules took full effect across the EEA over 2020–2021, and the €30 low-value exemption and risk-based exemptions have remained the working standard since.

Who it affects

PSD2 applies to payments where both the customer's bank and the merchant's acquirer are inside the EEA. A US business selling to European customers isn't directly regulated by it, but the customer's European issuer may still demand authentication — so the practical reach is wider than the legal scope.

Why it matters for subscriptions

For recurring revenue, the key is that PSD2 treats a background subscription renewal as a merchant-initiated transaction, which is generally exempt from a live SCA challenge — but only if the customer authenticated the card when they first subscribed. Setting up authentication correctly at signup is what keeps renewals from failing later.

Related terms

Updated July 6, 2026