What is PSD2 & how does it impact authentication requirements?

Q: What is PSD2 & how does it impact authentication requirements?

The Revised Payment Services Directive (PSD2) is a European regulation requiring Strong Customer Authentication (SCA) for online payments. It mandates at least two independent authentication factors from knowledge (passwords), possession (devices), or inherence (biometrics). PSD2 also enforces dynamic linking for secure payment approvals. Enterprises must comply to avoid fraud liability, and passkeys provide an SCA-compliant solution with phishing resistance and biometric authentication.

Banking Passkeys Report (+90 pages). Trusted by JPMC, UBS & QNB.

Get Report

What is PSD2?#

The Revised Payment Services Directive (PSD2), formally known as Directive (EU) 2015/2366, is a European regulation designed to enhance security in digital payments. It mandates Strong Customer Authentication (SCA) to reduce fraud and ensure secure transactions.

PSD2 was implemented by the European Parliament and further specified through regulatory technical standards (RTS) set by the European Commission. The European Banking Authority (EBA) provides guidance on its application.

How does PSD2 impact authentication requirements?#

Under PSD2, SCA is required for online payments and certain account access scenarios. This means that users must authenticate transactions using at least two independent authentication factors from different categories:

Something the user knows – e.g., a password or PIN
Something the user has – e.g., a mobile device, security token, or smart card
Something the user is – e.g., a fingerprint, facial recognition, or other biometrics

For a payment or login to comply with PSD2, authentication must include two of these elements, ensuring that if one factor is compromised, the others remain secure.

Additional Requirements: Dynamic Linking#

Beyond authentication factors, PSD2 mandates dynamic linking for payment approvals. This means:

Each transaction must be uniquely linked to a specific amount and recipient.
If any details change, a new authentication is required.

Why is PSD2 important for enterprises?#

For banks, fintechs, and online merchants, PSD2 compliance is crucial to avoid liability for fraudulent transactions. Organizations must:

Implement SCA-compliant authentication flows (e.g., passkeys, OTPs, or device-based authentication).
Ensure regulatory compliance to avoid penalties.
Improve customer experience by balancing security and usability.

Enterprise Passkey Whitepaper (+70 pages). How leaders get +80% adoption. Trusted by Rakuten, Klarna & Oracle.

Get Whitepaper

Are passkeys PSD2-compliant?#

Yes. Passkeys, based on WebAuthn and FIDO2 standards, meet PSD2's SCA requirements because they:

Use biometric authentication (something the user is).
Bind authentication to a specific device (something the user has).
Ensure phishing resistance and eliminate password-related risks.

With PSD3 on the horizon, passkeys provide a future-proof, user-friendly authentication method for enterprises looking to enhance security while maintaining compliance.

Read the full article#

About Corbado

Corbado is the Passkey Intelligence Platform for CIAM teams running consumer authentication at scale. We help you see what IDP logs and generic analytics tools can't: which devices, OS versions, browsers and credential managers support passkeys, why enrollments don't turn into logins, where the WebAuthn flow fails and when an OS / browser update silently breaks login, all without replacing Okta, Auth0, Ping, Cognito or your in-house IDP. Two products: Corbado Observe layers observability for passkeys and any other login method. Corbado Connect adds managed passkeys with analytics built in (alongside your IDP). VicRoads runs passkeys for 5M+ users with Corbado (+80% passkey activation). Talk to a Passkey Expert →