Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your business takes card payments online, runs subscriptions, or uses payment providers to collect money from customers, you’ve probably come across the term PSD2 (short for the Payment Services Directive 2).
Even if you don’t consider yourself a “financial services business”, PSD2 still matters because it changed how online payments are authenticated and how customer payment data is handled. In practice, it affects your checkout experience, your conversion rates, and how you manage fraud risk.
This guide breaks down what PSD2 means for UK SMEs in plain English, what you need to do (and what you don’t), and where the legal and compliance risks tend to show up in the real world. It’s general information only, not financial, regulatory or legal advice for your specific setup.
What Is PSD2, And Why Does It Matter To Small Businesses?
PSD2 is shorthand for the Second Payment Services Directive. It was an EU directive introduced to:
- Reduce payment fraud (especially in online transactions)
- Improve consumer protection around payment services
- Increase competition and innovation in payments (including opening up bank account access to authorised providers)
From a small business perspective, the most visible PSD2 change has been the push for Strong Customer Authentication (SCA) for online payments.
Key PSD2 Concepts You’ll Hear A Lot
- Strong Customer Authentication (SCA): extra security steps to confirm the payer is who they say they are.
- 3-D Secure (3DS / 3DS2): a common technical method used by payment providers to implement SCA for card payments.
- Payment Initiation Services (PIS) and Account Information Services (AIS): services that can (with permission) initiate payments or access account information.
You don’t need to memorise the jargon. The practical point is this: PSD2 pushes more online payments to require a step-up verification (for example a one-time code, biometric authentication, or banking app approval).
Does PSD2 Still Apply In The UK After Brexit?
Yes, PSD2 principles still affect UK businesses.
Although PSD2 was an EU directive, the UK implemented it through domestic law, primarily via the Payment Services Regulations 2017 (as amended over time). After Brexit, the UK retained much of this framework, and UK regulators (including the FCA) continue to supervise payment services and SCA requirements.
So, as a UK SME, you should assume:
- SCA is still a real requirement for many online payments.
- Your payment provider (acquirer/PSP) will typically drive the technical compliance, but you may still need to adjust your checkout and customer messaging.
- If you sell into the EU (or use EU-based payment partners), you may have cross-border PSD2 expectations to meet as well.
One common trap is thinking “my payment provider handles compliance so I don’t need to think about it”. Your provider might handle the authentication flow, but you still control how your customers experience it (including checkout design, payment failure handling, refunds, and customer comms).
What Are The Key PSD2 Requirements UK SMEs Need To Understand?
Most SMEs won’t be “regulated payment service providers” themselves. But you still need to understand the rules because they directly affect your sales process and fraud exposure.
1) Strong Customer Authentication (SCA)
SCA generally requires authentication using at least two independent factors from the following categories:
- Knowledge (something the customer knows, like a password or PIN)
- Possession (something the customer has, like a phone or token)
- Inherence (something the customer is, like fingerprint/face ID)
In practice, SMEs most often encounter SCA when a customer is prompted to approve a card payment via their banking app or a verification screen.
2) When SCA Usually Applies (And When It Might Not)
SCA is most relevant for electronic payments where fraud risk is higher, particularly:
- Online card payments (e-commerce checkouts)
- In-app payments
- Some recurring payments (depending on how they’re set up)
There are also exemptions and low-risk scenarios (for example, low-value transactions or risk-based exemptions applied by the payment provider). But these exemptions are technical and fact-specific, and they’re usually applied by your PSP/acquirer.
From a business-owner standpoint, the key is to expect some percentage of customers to be “stepped up” and to make sure your checkout and customer support can handle it smoothly.
3) “Dynamic Linking” (Why Payment Details Matter)
PSD2 introduced the idea of “dynamic linking”, meaning the authentication should be linked to the specific amount and payee. Again, your payment provider will normally implement this, but it reinforces why you need clean, consistent payment descriptors and correct pricing logic.
If your customer sees unexpected payment descriptions or changing totals, you can expect more authentication failures and more chargebacks.
How PSD2 Affects Your Checkout, Subscriptions, And Customer Experience
For many SMEs, PSD2 isn’t just a compliance topic - it’s a revenue and conversion topic.
Online Checkout: Expect More “Failed” Payments (And Plan For It)
When SCA is triggered, some customers won’t complete the verification step. That can look like a failed payment, but the underlying issue is often:
- the customer didn’t receive the prompt in time
- the customer abandoned checkout due to friction
- the issuer/bank declined due to authentication not completed
Practical ways to reduce pain here include:
- Clear checkout messaging (tell customers they may need to approve the payment)
- Mobile-first design (many SCA steps happen on mobile banking apps)
- Good error handling (give customers a clear “try again” path rather than a dead end)
Subscriptions And Recurring Payments: “Merchant-Initiated” vs “Customer-Initiated”
Subscriptions are a common area of confusion under PSD2 because recurring payments can be treated differently depending on how they’re initiated.
As a general rule of thumb:
- The initial sign-up payment (where the customer is actively setting up the subscription) often requires SCA.
- Subsequent recurring charges may be processed as “merchant-initiated” (and may not require SCA each time), but the setup needs to be structured properly.
This isn’t just technical - it also affects how you document the subscription relationship and cancellation rights. If you sell subscriptions online, having clear Subscription Terms and Conditions can reduce disputes when customers claim they didn’t authorise a charge or didn’t understand what they signed up to.
Refunds, Chargebacks, And Disputes
PSD2 was designed to reduce unauthorised payments, but disputes still happen. If customers don’t recognise a transaction (or feel they didn’t approve it), they may go straight to a chargeback.
To protect your business:
- Make sure your trading name and payment descriptor are consistent
- Have a clear refunds process, and follow it consistently
- Keep good records of order confirmations, delivery, and customer communications
Your checkout and post-purchase journey should also tie back to contract formation basics - if you’re relying on online terms, you want to be confident the customer has actually agreed to them in a legally enforceable way. (If you’re tightening up your flow, it can help to understand What makes a contract legally binding in the UK context.)
PSD2, Data Protection, And Security: Where SMEs Often Slip Up
While PSD2 focuses on payment security, it sits alongside broader UK obligations around privacy and data protection - particularly the UK GDPR and the Data Protection Act 2018.
Even if your payment provider processes card details for you, your business will still handle personal data like names, emails, billing addresses, IP addresses, order histories, and potentially device identifiers.
What You Should Be Doing From A UK GDPR Perspective
- Be transparent about what personal data you collect and why
- Secure customer data with appropriate technical and organisational measures
- Only share data with payment and fraud-prevention providers where you have a lawful basis and appropriate contracts in place
- Set retention periods and avoid keeping data “just in case”
For most SMEs selling online, a properly tailored Privacy Policy is essential, because payments touch personal data at multiple stages (checkout, fraud screening, billing, refunds, customer support).
Supplier Contracts: Don’t Forget Your Data Terms
If your payment partners or fraud tools process personal data on your behalf, you may need a contract that covers required UK GDPR points (like processing instructions, security obligations, and sub-processor controls).
In many cases, that means putting a Data Processing Agreement in place (or at least ensuring your provider’s terms adequately cover these requirements).
If you’re scaling quickly, collecting more customer data, or handling any higher-risk categories of data, it may be worth getting your overall compliance reviewed as part of a GDPR package rather than patching things together ad hoc.
Legal Documents And Policies To Update If PSD2 Impacts Your Payments
When PSD2 changes how customers authenticate payments, it can also change the kinds of queries and disputes you receive. This is where your legal documents and policies start doing real work for you.
The goal isn’t to “lawyer up” every customer interaction - it’s to make sure your processes are clear, consistent, and enforceable if something goes wrong.
Website Terms And Online Sales Terms
If you take orders through a website or app, your terms should clearly explain things like:
- how orders are placed and accepted
- pricing, payment timing, and what happens if payment authentication fails
- delivery timelines and customer responsibilities
- refunds, cancellations, and dispute handling
- limitations of liability (where appropriate and legally permitted)
For many SMEs, that means having fit-for-purpose Website Terms and Conditions and, if you run an e-commerce store, clear Online Shop Terms and Conditions.
These documents won’t “solve” SCA or payment declines, but they can reduce confusion and strengthen your position if a customer later claims they didn’t authorise a transaction or insists they’re entitled to a refund outside your stated policy (subject to consumer law).
Customer Communications And Internal Processes
PSD2-related issues often show up as support tickets like:
- “My payment didn’t go through but money is pending.”
- “I was charged twice.”
- “I didn’t approve this payment.”
- “Your site keeps declining my card.”
You’ll want internal processes for:
- how your team identifies whether a transaction is authorised, pending, or failed
- how and when you retry payments
- how you handle suspected fraud and chargebacks
- what records you keep to evidence customer consent
If your team uses workplace systems to handle these issues, make sure staff access and handling rules are written down and aligned with privacy obligations. An Acceptable Use Policy can help set expectations around secure handling of customer data and internal systems.
When You Might Need Specific Legal Advice
It’s worth getting tailored advice if:
- you’re building your own payment flow (rather than using a hosted checkout)
- you’re launching subscriptions with complex billing cycles
- you’re selling internationally (especially UK + EU)
- you’re seeing high fraud or chargeback rates
- you’re onboarding multiple processors, fraud tools, or analytics providers
These are the scenarios where small wording choices, checkout design decisions, and contract terms can meaningfully change your risk profile.
Key Takeaways
- PSD2 still matters in the UK because the UK implemented PSD2 through domestic regulations, and SCA continues to shape online payment requirements.
- SCA is the key practical impact for SMEs, often delivered through 3-D Secure verification steps that can affect conversion and customer experience.
- Subscriptions can be PSD2-sensitive because the first payment often requires SCA and the recurring payment setup needs to be structured properly to avoid disputes.
- PSD2 and UK GDPR overlap in practice because payment journeys involve personal data, meaning you should have privacy compliance and supplier data terms in place.
- Your terms and policies should match your payment reality, including what happens if authentication fails, how refunds work, and how disputes are handled.
- Getting your legal foundations right early will reduce chargebacks, improve customer trust, and help you scale without messy payment disputes later.
If you’d like help reviewing your payment flow, tightening up your online terms, or making sure your privacy compliance is sorted, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat.