Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Is PSD2? Why Does It Matter For UK Businesses?
- Who Does PSD2 Apply To? Does My UK Business Fall Under The Rules?
- Do I Need To Update My Legal Documents For PSD2 Compliance?
- What Happens If I Don’t Comply With PSD2?
- Step-By-Step Guide To PSD2 Compliance For UK Businesses
- How Does PSD2 Interact With GDPR, Consumer Rights, And Other UK Laws?
- Key Takeaways: PSD2 Compliance For UK Businesses
If you offer online checkouts, process card payments, or run any digital-first business, you’ve probably heard the term PSD2 floating around. But what does PSD2 really mean for your UK business, and do you actually need to do anything about it?
Whether you’re launching a fresh ecommerce site, thinking about new payment options, or already established and want to future-proof your compliance, understanding the Payment Services Directive 2 (PSD2) is now crucial. Get it wrong, and you risk failed payments, angry customers, and even fines or enforcement action from regulators.
But don’t worry: getting your legal and compliance foundations in place can be simpler than it sounds. In this guide, we’ll walk you through exactly what PSD2 means for UK businesses, what changes it’s brought in, and practical steps to make sure you’re on the right side of the law. If you want to keep your payments secure, build customer trust, and stay competitive, keep reading.
What Is PSD2? Why Does It Matter For UK Businesses?
PSD2 stands for the Second Payment Services Directive, a major piece of European legislation that shapes how payments work across the UK and EU.
Even though the UK has left the EU, PSD2 was written into UK law and still governs British payment services. You’ll hear it referenced in relation to “open banking”, new fraud rules, and card payment security.
In short, PSD2 regulates payment services: everything from credit card processing, e-wallets, and online checkouts to fintech apps and bank-to-bank transfers. If your business accepts digital payments in almost any form, it’s likely you’re affected.
The main aims of PSD2 are to:
- Encourage competition and innovation in financial services (think fintechs and challenger banks).
- Make payments safer, especially online and mobile payments.
- Strengthen consumer rights and protect users against fraud or payment errors.
- Enable “open banking” by letting customers share data between banks and other providers.
If you work with ecommerce, digital platforms, or handle card payments, some or all of PSD2’s rules will apply to you. Not sure? It’s always a good idea to get expert legal advice for your business model before you launch new payment services.
How Does PSD2 Work? What’s Actually Changed?
PSD2 built upon the original Payment Services Directive, introducing tougher rules especially around online and mobile payments. Some of the most notable (and business-critical) changes are:
1. Strong Customer Authentication (SCA)
Arguably the most important update is the requirement for Strong Customer Authentication (SCA). This means that, for most card and online transactions, customers must complete an extra security step, such as an OTP code, a fingerprint or face scan, or authenticating via their banking app.
This is why your payment provider now asks customers for more than just a card number and CVV at checkout. SCA aims to cut fraud, but it does mean tighter (and sometimes more complex) payment flows.
2. Open Banking & Account Information Access
PSD2 introduced the concept of open banking, legally requiring banks to let customers share their data and authorise third-party providers to initiate payments for them.
This has allowed platforms and fintechs to build new services, like apps that let users move money between different bank accounts, budgeting tools, or alternative lending solutions. If your business is using (or planning to use) open banking APIs, you’ll need to take PSD2 compliance seriously.
3. Expanded Scope and Definitions
PSD2 broadened the types of businesses that fall under “payment service providers”, meaning that not just traditional banks and payment processors are regulated. This now covers online marketplaces, fintech startups, and platforms that “sit in the middle” of payments (like holding funds for customers, or merchant aggregators).
If you’re unsure if you’re a payment service provider under UK law, you should check your contracts, service descriptions, and business model or get legal guidance.
Who Does PSD2 Apply To? Does My UK Business Fall Under The Rules?
PSD2 applies to any business in the UK that provides payment services, including:
- Merchants accepting card payments online or via card machines
- Ecommerce sites and online stores
- Marketplaces and platforms where customers pay sellers (e.g., Etsy, Airbnb)
- Mobile apps with in-app payments
- Fintechs providing payment accounts, wallets, or money transfers
- Payment gateways and service providers handling customer funds
If you’re trading online or processing non-cash payments, PSD2 is almost certainly relevant. Even if you use a third-party payment provider (like Stripe, PayPal, or Worldpay), you are still expected to understand and comply with PSD2 requirements, for example by checking that your customer journeys meet the legal standards and updating your Privacy Policy to reflect open banking data sharing.
It’s especially important to check if PSD2 applies if you:
- Want to offer buy now, pay later or instant credit solutions
- Aggregate payments on behalf of other businesses/individuals
- Enable customers to pay using their bank credentials (not just debit/credit cards)
- Operate in the fintech, SaaS, or marketplace space
What Are The Core Compliance Requirements Of PSD2?
Getting your business compliant with PSD2 might sound intimidating, but it’s all about making payments secure, transparent, and fair for your customers. Here are the major requirements you need to know:
Strong Customer Authentication (SCA) For Most Payments
- Card payments and digital bank transfers now require two-factor authentication (e.g., PIN plus fingerprint, or a texted code plus password).
- Some exemptions exist for low-value, recurring, or mail order/phone payments, but these are limited.
- Your payment provider should handle most technical aspects, but you need to “build SCA” into your checkout flow and inform customers about authentication steps.
If you fail to implement SCA, card issuers and banks may decline your customers’ transactions, a fast way to lose sales and damage your brand.
For more steps on building compliance into your online journeys, check out our guide on UK ecommerce legal requirements.
Clear Customer Rights & Dispute Handling
- PSD2 enforces strong refund and dispute rights for consumers (building on the Consumer Rights Act 2015).
- You must have clear, accessible terms for payment errors, refunds, and cancellation; these should be in your Terms & Conditions and Refund Policy.
- Customers must be able to challenge unauthorised transactions and get prompt resolution.
Open Banking: Data Sharing & Consent
- If your services access bank account data or move customer money between accounts, you must get clear, informed consent from users.
- Open banking activities require transparency: your Privacy Policy must spell out exactly what data you’re accessing and how it’s used or shared.
- You may need FCA authorisation if you are acting as an account information service provider (AISP) or payment initiation service provider (PISP).
If you’re not sure whether your product needs to be FCA authorised, speak to a specialist about payment regulation and licensing.
Security & Data Protection Requirements
- You must keep payment data (like card details) and bank account info secure, in line with the UK GDPR and Data Protection Act 2018.
- Be ready to handle subject access requests and data breach notifications as per data law requirements; you can find more detail in our guide to data protection and GDPR compliance for businesses.
Non-compliance with payment security rules can mean data breaches, fines, and loss of customer trust.
Do I Need To Update My Legal Documents For PSD2 Compliance?
Yes. One of the most common compliance mistakes is failing to update your business’ legal documents when PSD2 affects your payments process. Here are the key documents to review:
- Terms & Conditions / Terms of Sale: These should explain your payment methods, authentication steps, refund processes, and how disputes or chargebacks are handled.
- Privacy Policy: Must set out what payment data you collect, how (and with whom) it’s shared (including with payment processors and open banking APIs), and how users can control their data.
- Cookie Policy: If you track payment preferences or use analytics to pre-fill payment info, your Cookie Policy should explain this and offer opt-out controls.
- Supplier/Provider Agreements: If you use a third party to process payments, check your contracts cover PSD2 and protect your business if your provider fails to comply.
It’s a good idea to have your contracts and customer-facing terms professionally reviewed to spot any PSD2 gaps early.
What Happens If I Don’t Comply With PSD2?
Ignoring these rules isn’t just risky; it can be costly. If you don’t follow PSD2 compliance requirements, you could face:
- Transaction declines (meaning lost sales and frustrated customers)
- Refund, chargeback, and compensation claims (often with added admin headaches)
- Investigations or fines from the Financial Conduct Authority (FCA)
- Loss of payment service providers, who may refuse to work with non-compliant businesses
- Brand damage if you can’t guarantee safe, reliable payments
Ultimately, businesses that get PSD2 compliance right are more trusted, more competitive, and better protected against dispute or fraud complaints.
Step-By-Step Guide To PSD2 Compliance For UK Businesses
If you’re just starting out, or want to upgrade your legal protection, here’s a straightforward roadmap:
- Check if your business falls under PSD2: does your offering process payments, hold funds, or use open banking APIs?
- Contact your payment service provider and confirm how they handle SCA, security, and open banking. Ask if you need to update your website or app.
- Review and, if needed, update your customer journey: build SCA into your checkout, and show customers what to expect.
- Update your legal documents:
  - Terms & Conditions
  - Privacy Policy
  - Cookie Policy
  - Supplier/Payment Provider Agreements
- Train your team on new payment flows and handling disputes or data requests, especially if you handle customer service in-house.
- Monitor for ongoing changes: keep up with FCA guidance and payment industry news to adapt quickly.
If you’re unclear, don’t try to patch things together yourself; a lawyer with payment and consumer law experience can identify your exact requirements in one quick review.
How Does PSD2 Interact With GDPR, Consumer Rights, And Other UK Laws?
PSD2 doesn’t work in isolation; it overlaps with several other laws, including:
- GDPR/Data Protection Act 2018: If you handle payment data or use APIs to access customer banking information, you’re also subject to strict data processing and breach notification rules. Check out our GDPR essentials for business guide for more.
- Consumer Rights Act 2015: You must offer refunds, resolve disputes, and provide clear contract terms for all online payments; failure to do so breaches both PSD2 and consumer law.
- FCA Regulation: If you want to act as a payment provider or open banking service, you’ll often need FCA authorisation. Non-compliance can mean not just fines, but loss of permission to operate.
It can be overwhelming to navigate how all the different rules line up, but remember, the overlap is there to protect both your business and your customers. Seeking tailored legal advice is always a smart move if you’re unsure.
Key Takeaways: PSD2 Compliance For UK Businesses
- PSD2 applies to most UK businesses handling online or non-cash payments, including ecommerce, fintech, and online marketplaces.
- The landmark changes include mandatory Strong Customer Authentication (SCA) for most payments, open banking rules, and broader definitions of payment services.
- To comply, you need to update your payment flows and legal documents (Terms & Conditions, Privacy Policy, Cookie Policy), and make sure your payment provider meets PSD2 requirements.
- Failing to do so risks transaction declines, brand damage, compensation claims, and regulatory fines.
- PSD2 compliance overlaps with data protection law (GDPR), consumer rights, and FCA rules; review all your obligations together.
- If you’re unsure where to start, speak to a legal expert who can review your processes and set up a compliance strategy that works for your business.
Setting up your legal foundations early can save you headaches (and money) down the road. Don’t leave compliance to chance; get protected from day one.
If you’d like tailored advice on PSD2 compliance, payment law, or updating your business’ legal documents, get in touch at team@sprintlaw.co.uk or call us on 08081347754 for a free, no-obligation chat with our friendly team of legal experts.