Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Is PSD2 and Why Should UK Businesses Care?
- Who Must Comply With PSD2 Rules in the UK?
- How Do You Make Your Contracts and Policies PSD2-Compliant?
- What Are the Penalties for Non-Compliance With PSD2?
- Step-By-Step Guide: Making Your UK Business PSD2-Compliant
- Common Issues and “Grey Areas” Around PSD2
- Does PSD2 Apply to Your Business If You Use a Third-Party Provider?
- What Other UK Laws Interact With PSD2?
- Key Takeaways
If you run a business in the UK that deals with online payments, e-commerce sales, or even app-based transactions, you’ve likely heard about “PSD2” - the revised Payment Services Directive. But what exactly does it mean for your business, and how do you make sure you’re compliant with the latest payment rules? The good news is you don’t need to be a finance or legal expert to understand the essentials. In fact, getting to grips with PSD2 can help you protect your business, offer a better experience to your customers, and avoid hefty fines down the line.
In this guide, we’ll break down what PSD2 is, who needs to comply, and the key legal and operational changes it introduces. Most importantly, you’ll get practical tips on how to update your processes and contracts to stay on the right side of the law - and support your business growth with confidence. Let’s dive into what every UK business owner should know.
What Is PSD2 and Why Should UK Businesses Care?
PSD2 stands for the Second Payment Services Directive. It is an EU directive (Directive (EU) 2015/2366) that took effect in January 2018, replacing the original PSD1 rules with the aim of creating a safer, more competitive, and more innovative payment market across Europe. Although the UK has left the EU, PSD2 was transposed into UK law, so the rules still apply.
In simple terms, PSD2 regulates how payments are made and processed across borders and within the UK. Its key goals are:
- To make online payments more secure for consumers and businesses
- To encourage innovation and competition in the payments industry
- To set clear legal responsibilities for payment service providers (PSPs) and merchants
- To give consumers enhanced rights and protection in case of payment errors or fraud
For UK businesses, understanding PSD2 is essential if you:
- Accept card payments online, via app, or in person
- Sell goods or services through an e-commerce site or digital platform
- Use third-party payment providers (like Stripe, PayPal, or similar fintech services)
- Provide your own payment services (for example, as a fintech startup or app developer)
Ignoring PSD2 compliance isn’t an option. Non-compliance can result in disrupted payments, lost customer trust, and enforcement action from the Financial Conduct Authority (FCA).
Who Must Comply With PSD2 Rules in the UK?
PSD2 doesn’t just apply to giant banks and fintech unicorns - it covers a wide range of UK businesses, including:
- Merchants and retailers who accept online card payments
- SaaS platforms, digital marketplaces, and apps selling goods or services
- Payment service providers (PSPs) and e-money institutions
- Startups developing payment initiation or account information services
If your business falls into one of these categories, you should review your legal obligations under PSD2 and ensure your contracts, systems, and customer journey all comply. Even if you don’t process payments directly (for example, you rely on a payment gateway or e-commerce platform), you’re likely required to make certain disclosures and support strong customer authentication (SCA) as part of your obligations.
It’s wise to consult a legal expert to check your exact PSD2 exposure - the rules aren’t always straightforward, and your obligations can depend on factors like whether you “hold” customer funds, act as an intermediary, or process recurring payments.
What Are the Core Requirements of PSD2 for UK Businesses?
PSD2 introduces several new and enhanced requirements. Here are the essentials you should know about - and what practical steps you need to take to comply:
1. Strong Customer Authentication (SCA)
One of the most significant changes under PSD2 is the introduction of “Strong Customer Authentication” for most electronic payments. SCA is, in short, two-factor authentication for payments. You must verify your customer’s identity using at least two independent elements from the following categories:
- Something they know (like a password or PIN)
- Something they have (such as a smartphone or token)
- Something they are (biometric features - fingerprint, facial recognition, etc.)
SCA applies to most online card payments and bank transfers, with a few exceptions (like low-value purchases or certain recurring payments).
What does this mean for your business? You’ll likely need to:
- Update your website, checkout, or app payment flow to support SCA (often with your payment provider’s tools)
- Communicate clearly to customers about why you’re asking for extra verification - and make the process as smooth as possible
- Check your contracts and terms of service to make sure they explain how payments and authentication work
If you’re unsure how to do this, it’s best to contact your payment platform or a specialist legal adviser for help. For more on making your website compliant, check out this guide to compliant e-commerce websites.
2. Open Banking and Access to Account Data
PSD2 kickstarted the “Open Banking” movement in the UK. It gives customers the right to allow third-party providers (TPPs) access to their account information or to initiate payments on their behalf. If your business provides these services - or relies on open banking providers - you need to make sure:
- You obtain explicit consent from customers before accessing their data or accounts
- Your privacy policy and contracts clearly explain what data is collected, how it’s used, and the customer’s rights
- You have robust data protection and cyber security measures in place to guard against breaches
Open Banking changes the landscape for payments, but it also introduces new compliance and contract requirements. For guidance on data protection strategies, see our article on cybersecurity policies for UK businesses.
3. Transparency and Disclosure to Customers
PSD2 mandates that businesses provide clear, upfront information to customers about payment terms, fees, exchange rates, and customer rights. This means:
- Listing all fees and charges before the customer completes a purchase
- Providing a full summary of the payment in your confirmation message or email
- Making your refund, cancellation, and dispute policies easy to find and understand
It’s essential to review and update your Terms and Conditions and consumer law compliance practices to reflect these obligations. Avoid hidden charges or unclear contract language - it’s a top trigger for FCA investigations.
4. Handling Data Securely and Lawfully
Under PSD2, you must make sure all personal and payment data is handled in compliance with both PSD2 rules and the UK GDPR/Data Protection Act 2018. This means:
- Having a clear, user-friendly Privacy Policy explaining how you process payment and personal data
- Ensuring payment data is encrypted and securely handled at all stages
- Not sharing data with third parties unless the customer has consented
- Letting users easily opt out or request erasure in line with their data rights
For steps on GDPR compliance, our GDPR checklist for small businesses is a helpful place to start.
5. Dispute Resolution and Liability
One of the customer-friendly features of PSD2 is its approach to fraud and disputed transactions. Under PSD2, unless a customer has been “grossly negligent” with their details, they’re usually only liable for up to £35 for unauthorised transactions once notified. The rest falls to the payment provider (and sometimes the merchant).
As a business, it’s vital to:
- Have clear internal procedures for dealing with chargebacks and customer complaints
- Respond promptly to disputes, and keep detailed payment records
- Update your contracts with payment suppliers and customers to allocate liability in line with PSD2 rules
If you don’t handle these disputes properly, you risk reputational damage and falling foul of the FCA’s enforcement process.
How Do You Make Your Contracts and Policies PSD2-Compliant?
Getting the technical side of PSD2 right (like updating your payment gateway or checkout flow) is only half the challenge. You also need to update your legal agreements, terms, and policies to support compliance and protect your business. Here are the documents to focus on:
- Terms & Conditions: Spell out your payment process, refund/cancellation rights, SCA requirements, and dispute procedures. Make sure these match your actual business practices.
- Privacy Policy: Explain how you use, store, and share payment data. Be clear and concise to build trust with customers and meet both PSD2 and GDPR requirements.
- Contracts with Payment Providers: Review these to ensure SCA and liability terms are clear and align with legal obligations.
- SaaS or App Terms: If you operate a marketplace or offer payments through an app, tailor your app terms and conditions so that users know their rights and your obligations.
Using generic templates or trying a “DIY” update is risky - PSD2 brings in industry-specific rules that often require custom drafting. Having your policies reviewed by a legal professional not only mitigates risk but ensures your business is ready for FCA scrutiny if the regulator asks questions.
What Are the Penalties for Non-Compliance With PSD2?
The FCA is empowered to investigate and enforce PSD2 compliance in the UK. The main risks for businesses that ignore or mishandle compliance are:
- Heavy fines, especially for data breaches or processing payments without SCA
- Being ordered to reimburse customers for unauthorised or mishandled payments
- Potential loss of ability to process payments or deal with payment providers (if your contracts are suspended)
- Damage to reputation and loss of customer trust
It’s always cheaper and easier to take preventive steps than to deal with the fallout after a problem. Address these requirements before you get audited or receive a customer complaint.
Step-By-Step Guide: Making Your UK Business PSD2-Compliant
If you’re worried about compliance, here’s a practical roadmap you can follow:
- Assess Your Payment Flows: Map out every way you take payments (online, in-person, recurring, via third-party platforms). Spot any areas where you directly or indirectly “process” payments.
- Review Your Payment Provider Agreements: Contact your payment gateway, e-commerce platform, or app provider. Check they are PSD2-compliant, and ask for guidance on SCA integration and Open Banking support.
- Update Your Customer Journey: Work with your tech or marketing teams to ensure SCA is clearly explained and as frictionless as possible. Communicate why it’s required.
- Rewrite Key Legal Documents: Update your website terms and conditions, privacy notices, and all payment-related contracts to match PSD2 requirements. Seek professional help for any complex payment or fintech arrangements.
- Train Your Team: Make sure everyone involved in payments, refunds, or customer service understands PSD2 principles, SCA, and dispute resolution rules.
- Put a Compliance and Review System in Place: Assign responsibility for regular reviews of payment security, documentation, and compliance updates. The regulatory landscape can change, so don’t set and forget.
Common Issues and “Grey Areas” Around PSD2
As with many regulations, not everything is black and white. Grey areas where business owners often need extra help include:
- When SCA exemptions apply (for example, to subscription payments, corporate cards, or “trusted beneficiaries”)
- Whether you’re a “payment service provider” under FCA rules
- Handling cross-border payments, especially with EU customers post-Brexit
- How to allocate liability in custom fintech partnerships or marketplaces
It can be overwhelming to know exactly which requirements are relevant to your business. Chatting to a legal expert about your situation is a smart move - getting this wrong can have expensive consequences.
Does PSD2 Apply to Your Business If You Use a Third-Party Provider?
Even if you don’t process or store card details yourself - for example, your website uses Stripe, Square, or another payment gateway - you still have compliance duties. The key points are:
- You’re responsible for ensuring your sales process enables SCA and gives customers the necessary PSD2 disclosures
- Your business contracts and privacy documentation must match what actually happens at checkout, not just what the platform does
- If your provider isn’t compliant, you risk your payments being declined or facing customer complaints
If you’re unsure, it’s worth asking for written confirmation of compliance from your provider and getting a legal review of your customer-facing processes.
What Other UK Laws Interact With PSD2?
PSD2 sits alongside several other legal frameworks that you need to be aware of, including:
- The Consumer Rights Act 2015 - sets the standard for sales and refund terms
- UK GDPR & Data Protection Act 2018 - governs how you handle customer data in all payment processes
- The E-commerce Regulations - regulate online sales, including mandatory disclosures
- The Proceeds of Crime Act & Money Laundering Regulations - apply to some high-value payment services
This is a lot to take in, so you might want to read our broader guide to UK business laws and compliance for more context and links to detailed advice.
Key Takeaways
- PSD2 is a major payment law that affects most UK businesses taking online payments, not just banks or fintech firms.
- You must enable Strong Customer Authentication (SCA), support open banking rights, and provide clear payment disclosures to your customers.
- Compliance isn’t only technical - you need to update your legal documents, policies, and contracts to support payments, data handling, and dispute resolution in line with PSD2 rules.
- Failing to comply can result in disrupted payments, loss of customer trust, FCA fines, and legal claims.
- It’s always worth getting legal advice about your unique situation - don’t risk DIY or generic templates when the rules get complex.
- Staying proactive and reviewing compliance regularly will keep your business protected and ready for growth.
If you’d like tailored help making your business PSD2-compliant or reviewing your contracts and procedures, get in touch with Sprintlaw UK at team@sprintlaw.co.uk or call us on 08081347754 for a free, no-obligations chat. Our expert team is here to help you stay protected from day one.