What does the European Payment Directive PSD2 mean for you?

12 September 2019 - 6 min Reading time

Consumers and businesses themselves play a crucial role in secure payment transactions


New payment services that make your life easier: just think of an overview of all your payment accounts in one and the same app. More competition in European payments. And better consumer protection. The European payment directive PSD2 (Payment Services Directive) takes care of it all.


But what does that mean for you?

Strong customer authentication


From September 14, 2019, strong customer authentication will gradually become mandatory across Europe. What exactly will change for consumers and businesses? If you buy and pay online, you must identify yourself by two of the following three characteristics:

  • with something you know (e.g. your PIN code)
  • with something you own (e.g. your smartphone)
  • with something specific to you (e.g. your fingerprint)

This is not new for many Belgian consumers and companies: with internet and mobile banking you often have to log in to your bank in exactly the same way.

What is new is that from September 14, every player in the European payment landscape must gradually implement strong customer authentication. If you book a hotel room on a Dutch travel site or buy a gift on a French web shop, then simply entering a credit card number (and the CVC code on the back of your payment card) for payment will increasingly not be sufficient. You will always have to “sign” the payment. Today this means that from now on you will have to have a card reader or your smartphone at hand.

Although the deadline for applying strong customer authentication is September 14, 2019, it became clear a few months ago that the e-commerce ecosystem is not yet ready for a strict application of it. In Belgium, this would lead to a rejection of an important part of all e-commerce transactions because not all players in the market have already been able to adapt their systems. That is why the National Bank of Belgium announced a transition period on 28 August. In doing so, she follows the trend that we see today throughout Europe. A concrete migration plan will be developed together with the Belgian (and European) industry. The goal? Migrate the entire ecosystem to strict application of strong customer authentication within a reasonable and realistic time frame.

Although the legislation also provides for exceptions to this principle in order to find the right balance between safety and customer experience. For example, strong customer authentication may not be necessary for:

  • contactless payments in the physical store
  • payments to parking and toll machines
  • payments to trusted beneficiaries or to own accounts within the same bank
  • online transactions for small amounts

Opening your account to third parties


The new payment directive also ensures that a consumer or company can open its payment accounts to third parties. In order to increase competition in European payment traffic, your bank is obliged to share this information with third parties, if that third player has received explicit permission to do so from you, holder of the account. These third parties can be other Belgian (or European) banks, but also a fintech that brings a new service to the market.

Why you would do this? If your bank or a third party gets permission from you to consult your payment accounts with all banks where you are a customer, they can put that information into a handy app. For example, consider an app that helps you with your budget planning. Or an app that shows you at a glance what you spend the most money on (groceries, clothing, subscriptions…). What is also possible: one app in which you immediately have an overview of your financial situation. Some Belgian banks already offer this today.

Attention: With this type of service, some attention and caution is always welcome. There may also be service providers with bad intentions.

A check of the three "W's" is always smart: who asks permission?, what data does the service provider request? and for what (for what purpose) does he ask permission?

Volgende signalen kunnen wijzen op een onbetrouwbare dienstverlener:

  • You have to download the third party app outside of an official app store (App Store, Samsung Galaxy Store, …);
  • The third party does not clearly indicate what it is asking for your permission for;
  • The third party website does not contain any contact information such as an address, a telephone number or an e-mail address;
  • You will find little or no information about the third party on the internet if you enter its name in a search engine;
  • You will find no or only limited reviews about the third party or its app.

A healthy dose of caution is also necessary with regard to third parties that can be trusted at first glance. If you are not sure whether the third party can be trusted, it is best to check this on the website of the EBA (European Banking Authority). All licensed third parties, non-financial parties, are listed there. Is a certain party not listed? Don't take any chances and quit.

Please note: this list does not provide an overview of the banks that are allowed to offer such services. For this, it is best to take a look at the website of the National Bank of Belgium.

Very important within the new payment directive: consumers and companies are always and everywhere in control. They decide whether to allow a service provider to access their account. In this way, they themselves play a crucial role in the security of their payments.