---
url: 'https://www.corbado.com/faq/psd2-authentication-requirements'
title: 'What is PSD2 & how does it impact authentication requirements?'
description: 'PSD2 mandates Strong Customer Authentication (SCA) for online payments, requiring at least two independent authentication factors.'
lang: 'en'
---

# What is PSD2 & how does it impact authentication requirements?

## What is PSD2?

The **Revised Payment Services Directive (PSD2)**, formally known as Directive (EU)
2015/2366, is a European regulation designed to enhance security in digital
[payments](https://www.corbado.com/passkeys-for-payment). It mandates **Strong Customer Authentication (SCA)** to
reduce fraud and ensure secure transactions.

[PSD2](https://www.corbado.com/blog/psd2-passkeys) was implemented by the **European Parliament** and further
specified through regulatory technical standards (RTS) set by the **European Commission**.
The **European Banking Authority (EBA)** provides guidance on its application.

## How does PSD2 impact authentication requirements?

Under [PSD2](https://www.corbado.com/blog/psd2-passkeys), **SCA is required for online payments and certain
account access scenarios**. This means that users must authenticate transactions using at
least **two independent authentication factors** from different categories:

1. **Something the user knows** – e.g., a password or PIN
2. **Something the user has** – e.g., a mobile device, security token, or
   [smart card](https://www.corbado.com/glossary/smart-card)
3. **Something the user is** – e.g., a fingerprint, facial recognition, or other
   biometrics

For a [payment](https://www.corbado.com/passkeys-for-payment) or login to comply with
[PSD2](https://www.corbado.com/blog/psd2-passkeys), **authentication must include two of these elements**,
ensuring that if one factor is compromised, the others remain secure.

### Additional Requirements: Dynamic Linking

Beyond authentication factors, **PSD2 mandates dynamic linking for payment approvals**.
This means:

- Each transaction must be **uniquely linked** to a specific amount and recipient.
- If any details change, a new authentication is required.
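
One way to implement dynamic linking, as an added example that is not from the original page: an HMAC-SHA256 authentication code computed over the amount, currency, payee and a per-transaction nonce, so that a change to any of them fails verification. The key, function names and payee value are constructed for illustration, and the choice of HMAC is an assumption, not something PSD2 prescribes.

```python
import hashlib
import hmac
import secrets
from decimal import Decimal

# Constructed demo key (assumption); a real key would live in an HSM
# or in the user's authenticator, never in source code.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def canonical(amount: str, currency: str, payee: str, nonce: str) -> bytes:
    """Serialize the details the user approved into one unambiguous byte string."""
    value = Decimal(amount)
    cents = value.quantize(Decimal("0.01"))
    if cents != value:
        # Refuse to round silently: the signed amount must be the shown amount.
        raise ValueError("amount has more than two decimal places")
    fields = [format(cents, "f"), currency.upper(),
              payee.replace(" ", "").upper(), nonce]
    # Length-prefix every field so bytes cannot slide between fields.
    return b"".join(len(f.encode()).to_bytes(2, "big") + f.encode() for f in fields)


def issue_code(key: bytes, amount: str, currency: str, payee: str, nonce: str) -> str:
    """Authentication code bound to exactly this amount and payee."""
    msg = canonical(amount, currency, payee, nonce)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_code(key: bytes, code: str, amount: str, currency: str,
                payee: str, nonce: str) -> bool:
    """Recompute over the details about to be executed; compare in constant time."""
    expected = issue_code(key, amount, currency, payee, nonce)
    return hmac.compare_digest(expected, code)


if __name__ == "__main__":
    nonce = secrets.token_hex(16)         # one nonce per transaction, accepted once
    payee = "DE00 0000 0000 0000 0000 00"  # constructed placeholder account
    code = issue_code(DEMO_KEY, "125.00", "EUR", payee, nonce)
    print("unchanged:", verify_code(DEMO_KEY, code, "125.00", "EUR", payee, nonce))
    print("amount altered:", verify_code(DEMO_KEY, code, "925.00", "EUR", payee, nonce))
```

The verifier must also record each nonce and reject a second use, otherwise a valid code could be replayed for an identical payment.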

## Why is PSD2 important for enterprises?

For **banks, fintechs, and online merchants**, PSD2 compliance is crucial to avoid
liability for fraudulent transactions. Organizations must:

- Implement **SCA-compliant authentication flows** (e.g., passkeys, OTPs, or device-based
  authentication).
- Ensure **regulatory compliance** to avoid penalties.
- Improve **customer experience** by balancing security and usability.

## Are passkeys PSD2-compliant?

Yes. **Passkeys**, based on **WebAuthn** and **FIDO2 standards**, meet
[PSD2's](https://www.corbado.com/blog/psd2-passkeys) SCA requirements because they:

- Use **biometric authentication** (something the user is).
- Bind authentication to a **specific device** (something the user has).
- Ensure **phishing resistance** and eliminate password-related risks.

With [PSD3](https://www.corbado.com/blog/psd3-psr-passkeys) on the horizon, **passkeys provide a future-proof,
user-friendly authentication method** for enterprises looking to enhance security while
maintaining compliance.

