Payment Service Directive 2

The Payment Service Directive (PSD2) aims to standardize the market, strengthen customer safety, and support technical innovation through increased competition. The new standard requires more robust identity controls, such as two-factor authentication for online payments.

Security requirements

PSD2 is an updated version of the current payment service directive, PSD. The most significant difference between the two is that banks will now be forced to make their APIs more open and accessible. As a result, third-party services can use the banks' customer data and infrastructure. Once the client has authorized it, internet payments can be initiated directly from their bank account. The directive enables more companies to enter the market and compete with traditional banks.

The PSD2 directive imposes new safety requirements in terms of product and system development. Here are some of the requirements:

  • Continuous testing of processes and security systems.
  • Risk assessment – including identification and classification of functions, processes, and assets, as well as access control.
  • Processes and functions that continuously monitor business functions, transactions, and information assets, with correlated measures to identify information leaks, vulnerable code, and generally known vulnerabilities.
  • The framework for dealing with operative risks and security risks should be integrated into the risk management process.
  • Continuity plans and ongoing continuity controls.