What is PSD2 Compliance? Key requirements for businesses in 2025

By Emma Beardmore. Published on 25 July 2025. 5 minutes

If you're running a Dutch business that takes payments online – processing subscriptions, selling products, or charging for services – you're operating under PSD2 regulations.

PSD2 shapes how electronic payments work across Europe, from the two-factor authentication your customers encounter at checkout to how payment providers handle transaction data. But many businesses struggle with the details.

Which transactions need two-factor authentication? When can you skip additional security steps? How do you balance regulatory requirements with conversion rates?

This guide will explore what PSD2 compliance means for your operations, which requirements apply, and how to implement them without disrupting your customer experience.

What is PSD2 and why does it matter?

PSD2 stands for the revised Payment Services Directive – European legislation governing how electronic payments work across the EU. It was implemented in 2019 to update the original 2007 directive, addressing modern payment technology and security threats.

The directive focuses on four key areas:

  • Stronger security

  • Open banking

  • Enhanced consumer protection

  • Market competition

For Dutch businesses, compliance is mandatory and has practical implications.

PSD2 vs PSD1: what's changed?

PSD1 addressed a fractured European payment landscape by creating a unified payment market across the EU and establishing basic consumer protection. But it was designed for a world where cheques were still common, mobile payments were virtually non-existent, and most transactions happened with cash or cards in physical stores.

By 2015, the payment world had evolved dramatically. Smartphone adoption had created entirely new payment ecosystems, fintech companies were challenging traditional banks, and online fraud had evolved beyond simple card theft into sophisticated social engineering attacks. PSD1's framework was inadequate for this new landscape, prompting a comprehensive update in 2018/19.

PSD2 introduced three major changes that directly affect how businesses process payments:

Mandatory two-factor authentication

Two-factor authentication has become mandatory for online card payments over €30. Instead of just entering card details and a password, customers now need to provide two independent forms of verification.

Third-party payment access

Banks must provide secure APIs allowing licensed Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs) to access customer data and process payments. New services can aggregate account information or initiate bank transfers directly, bypassing traditional card networks.

Enhanced consumer protection

Payment providers now bear greater liability for security. Customers should receive refunds within 24 hours for unauthorised transactions, liability for lost cards is capped at €50, and surcharges on major payment methods are banned.

Who needs to comply with PSD2?

Whether you're a local Amsterdam café accepting contactless payments, a Utrecht-based SaaS company charging monthly subscriptions, or a Rotterdam retailer processing online orders, PSD2 applies to your business, and you must ensure your payment provider complies with it.

Here's how it breaks down by business type:

  • eCommerce and online retailers must ensure their checkout process offers Strong Customer Authentication for transactions over €30. This means understanding when customers face additional verification steps and optimising payment flows accordingly.

  • Subscription and SaaS businesses face unique challenges with recurring payments, so authentication requirements need to balance security with user experience. Failed authentications can lead to involuntary churn when customers can't complete payments.

  • Payment service providers, including banks, payment processors, and fintech companies, must implement the technical infrastructure that enables compliance.

  • Physical retailers accepting card payments through terminals or contactless systems also need PSD2-compliant payment processing. Transaction limits and authentication requirements can affect in-store experiences too.

PSD2 applies to any electronic payment where both the customer's bank and the merchant's payment provider are located within the European Economic Area.

Key PSD2 compliance requirements for businesses

The directive creates a comprehensive compliance framework that touches everything from customer communications to security frameworks.

  • Customer consent and communication standards: You must obtain explicit consent if you use third-party services that access customer payment data. This means clear, specific language explaining exactly what data you're accessing, why you need it, and how it will be used.

  • Open banking and secure communication: PSD2 requires banks to provide secure APIs for licensed third-party providers. Understanding open banking may help you evaluate payment solutions using account-to-account transfers or aggregation services.

  • Strong Customer Authentication (SCA) requirements: Your payment setup must support two-factor authentication for transactions over €30 and account access. We'll explore the specific requirements and exemptions in detail in the next section.

  • Payment service provider obligations: If you operate as a licensed payment service provider, you have direct obligations including reporting major operational or security incidents to your central bank and regulator (i.e. De Nederlandsche Bank) without undue delay.

If you're choosing payment infrastructure that handles these compliance requirements automatically, our guide to the best payment solutions for Dutch businesses compares providers' compliance features.

What is Strong Customer Authentication (SCA)?

Strong Customer Authentication (SCA) is PSD2's answer to rising payment fraud. Instead of relying on easily compromised passwords, SCA requires customers to prove their identity using two independent methods whenever they access payment accounts online or make transactions over €30.

It’s like upgrading from a basic door lock to a security system with multiple checkpoints. You might use your fingerprint plus a code sent to your phone, or enter your PIN on your mobile banking app.

However, businesses can skip SCA for:

  • Transactions under €30

  • Payments to whitelisted trusted merchants

  • Recurring subscriptions after initial setup

  • Low-risk transactions flagged by fraud analysis

Well-designed SCA feels as seamless as Apple Pay's Touch ID. Poor implementation can create checkout friction that kills conversions. The key is choosing a payment provider that optimises authentication flows and applies exemptions strategically.

How PSD2 impacts Dutch businesses

If you're running a Dutch business, you might be operating in one of Europe's most PSD2-friendly environments.

iDEAL, the Netherlands' dominant payment method, was PSD2-ready from day one, unlike credit card systems that required extensive retrofitting. This gives Dutch businesses a significant compliance advantage.

The Dutch Payments Association coordinated a ‘managed roll-out’ for SCA, bringing together De Nederlandsche Bank, issuers, acquirers, and business representatives to minimise unintended consequences.

Common compliance challenges Dutch businesses face

  • Payment decline rates: Some merchants reported payment decline ratios at certain banks moving towards 30 to 40% due to SCA implementation issues.

  • Hidden implementation costs: Businesses often face unexpected expenses like higher processing fees for 3D Secure transactions or increased customer service demands.

  • SaaS subscription complications: When subscription amounts change, SCA must typically be applied again, and failed authentication can lead to involuntary customer churn.

  • Technical integration demands: Businesses with custom billing solutions may need significant developer resources to enable SCA authentication flows.

Tools and platforms that help with PSD2 compliance

Managing PSD2 compliance doesn't have to mean building everything from scratch. Most Dutch businesses work with payment providers and compliance platforms that handle the technical complexity.

Payment gateways

  • Mollie: Offers native EU compliance with transparent SCA handling and strong local support.

  • Stripe: Provides SCA handling via 3D Secure 2 and is widely adopted for its developer-friendly integration.

  • Adyen: Delivers enterprise-grade SCA implementation via its Authentication Engine.

  • Airwallex: Offers automatic SCA optimisation and intelligent exemption management.

API management platforms

  • Axway AMPLIFY: An API management platform for PSD2 compliance and open banking.

  • Yenlo: A Dutch company offering API management platforms and open banking solutions.

  • Yapily: Provides open banking API infrastructure with coverage across 19 countries.

Identity verification and fraud prevention tools

  • Jumio: Provides a suite of identity verification tools.

  • Onfido: Offers identity verification, combining document and biometric checks.

  • Sift: Uses machine learning for fraud detection that can support low-risk transaction exemptions.

How Airwallex supports PSD2 compliance for Dutch businesses

Airwallex handles 3D Secure 2.0 with automatic exemption optimisation across all payment types. When a Rotterdam customer pays via iDEAL, we process it through local Dutch rails. When an international customer uses a card, dynamic risk assessment applies appropriate SCA exemptions based on transaction risk and customer history – exactly the kind of intelligent compliance management that prevents legitimate customers from hitting unnecessary authentication walls.

Beyond solving your PSD2 headaches, Airwallex gives you the infrastructure to scale internationally. You can accept and hold funds in 23+ currencies, accept 160+ local payment methods across 180+ countries, and manage global treasury operations from one dashboard.

Conclusion

PSD2 compliance doesn't have to be a barrier to growth. Understanding the requirements, from SCA implementation to consumer communications, puts you ahead of businesses still struggling with authentication challenges and declining conversion rates.

With PSD3 expected around 2026-2027, establishing solid PSD2 compliance now creates the foundation for future regulatory changes. Your payment infrastructure should support your growth plans, not constrain them.

Emma Beardmore
Senior Associate, Brand and Content - EMEA

Emma supports all things brand at Airwallex, bringing her love of travel and storytelling to the role. She enjoys writing about how Airwallex empowers businesses to expand seamlessly across borders.
