PSD 2 relates to the payment’s legislation in Europe, which introduced new payment handling principles and was transposed into law within each EEA country. The Payment Service Directive currently only applies to payment in EEA currencies between accounts located with the EEA. The directive essentially deals with the following three issues:

  • Establishes a new authorization regime for payment institutions
  • Establishes transparency requirements to ensure that payment service providers give the required information to their customers relating to payments
  • Sets out the rights and obligations of Payments service Providers and users, laying down rules on the movement of funds from the origin of payment through its execution, including dealing with disputes between users and providers. PSD2 controls relate to the following areas:
  • Governance-Operational and security risk management framework
  • Risk management and control models
  • Outsourcing (Third Party Services)
  • Risk assessments-Identification of functions, processes and assets
  • Classification of functions, processes and assets
  • Protection-Preventive security measures against identified operational and security risks
  • Data and systems integrity and confidentiality
  • Physical Access
  • Access Control
  • Detection-Continuous monitoring and detection of operations
  • Monitoring and reporting of operational or security incidents
  • Business continuity
  • Scenario-based business continuity planning
  • Testing of business continuity plans
  • Crisis communication
  • Testing of security measures
  • Situational awareness and continuous learning – Threat landscape and situational awareness
  • Training and security awareness programs
  • Payment service user relationship management-Payment service user awareness on security risks and risk-mitigating actions

The service Kyte provides to its clients is to review their IT related controls or planned controls and see if adherence with the PSD2 regulations is in place.


Q:What changes does PSD2 introduce that may impact you?

– Expand the payments covered by the Directive, to include:
– Intra-EEA Payments (payments made between PSPs located in the EEA) in any currency, not just EEA currencies; and
– One Leg Out (OLO) transactions from or into the EEA in any currency (where one of the PSPs is located inside the EEA and the other PSP is located outside the EEA)
– Enhance customer protection and security for on-line payment services by defining strong customer authentication (SCA) requirements and technical standards (defined in the Regulatory Technical Standards or RTS) for third party access.
– Add new types of payment services into scope by creating new third-party access rules enabling non-bank organizations to provide payment initiation and account information services (known as XS2A or Access to Accounts).

Q:When did the PSD2 come into effect?

European Economic Area (EEA) countries were required to implement and transpose PSD2 requirements into local law by no later than January 13, 2018.

Q:Which countries are in the EEA?

PSD2 applies to all EEA countries. The country scope of the Directive is based on the country location of the servicing PSP. The current list of EEA countries is: Austria; Belgium; Bulgaria; Croatia; Cyprus; Czech Republic; Denmark; Estonia; Finland; France; Germany; Greece; Hungary; Iceland; Italy; Latvia; Lichtenstein; Lithuania; Luxembourg; Malta; Norway; Poland; Portugal; Republic of Ireland; Romania; Slovakia; Slovenia; Spain; Sweden; Netherlands and United Kingdom.