What PSD2 Really Means for Your Money in Europe
Imagine being able to use an app from a company you’ve never heard of to pay your rent directly from your bank account - no card, no logins, no typing in your password. That’s not science fiction. It’s everyday life in Europe because of PSD2. This isn’t just another banking rule. It’s a legal shift that broke banks’ control over your financial data and handed it back to you - with strict safety rules attached.
PSD2 Isn’t Just About Open Banking - It’s About Control
PSD2, or the Revised Payment Services Directive, became law in January 2018. It was created by the European Union to fix a broken system. Before PSD2, your bank owned your transaction history. If you wanted to use a budgeting app, compare loan rates, or pay someone without your card, you had to give your bank login details to third-party apps. That’s like handing over your house key to a stranger so they can check your mailbox.
PSD2 changed that. Now, banks must give approved third-party providers (TPPs) secure, direct access to your account data - but only if you say yes. No more sharing passwords. No more risky screen scraping. You control who sees what, and when.
The Three Services PSD2 Made Possible
PSD2 didn’t just open doors - it created three new financial services that didn’t exist before:
- Account Information Services (AIS): Apps like Yolt or Snoop can pull all your bank accounts into one dashboard. See your spending across Revolut, Deutsche Bank, and your credit union - all in one place.
- Payment Initiation Services (PIS): You can pay for groceries at an online store using your bank account directly. No card details. No CVV. Just tap "Pay with your bank" and confirm in your banking app. This is how Klarna and iDEAL work across Europe.
- Confirmation of Funds (CofF): Before approving a loan or rental application, a service can check if you have enough money in your account - without seeing your full transaction history. It’s like showing your landlord your balance without revealing what you spent it on.
 
Strong Customer Authentication: The Safety Net
With great access comes great responsibility. PSD2 demands that every digital payment or data request goes through Strong Customer Authentication - or SCA. That means two out of three things:
- Something you know (like a PIN or password)
- Something you have (like your phone or a security token)
- Something you are (like your fingerprint or face scan)
For example: When you pay €45 for a flight using a PISP, you’ll get a push notification on your phone. You tap "Approve" and use your fingerprint. Done. No card number entered. No phishing risk.
But it’s not all strict. There are smart exceptions:
- Payments under €30 (but only up to €100 total or five transactions in a row)
- Recurring payments to the same person, like your Netflix subscription
- Transactions to people you’ve marked as "trusted" in your bank app
- Low-risk payments flagged by real-time fraud tools
These exemptions keep things smooth. But they’re not loopholes - they’re carefully tested. If a transaction looks suspicious, even a €10 payment will trigger full authentication.
PSD2 vs. UK Open Banking: What’s the Difference?
People often mix up PSD2 and Open Banking. They’re related, but not the same.
UK Open Banking was a local project led by the Competition and Markets Authority (CMA). It forced only nine big UK banks to share data using one fixed API standard. Think of it as a single, government-mandated blueprint.
PSD2 is broader. It applies to every bank, credit union, and payment provider in the entire European Economic Area - over 3,000 institutions. It doesn’t dictate how they build their APIs. They can use any secure method as long as it meets EBA security rules. That means some banks have clean, well-documented APIs. Others? Still messy.
Result? In Scandinavia, over 78% of banks have full PSD2 integration. In parts of Southern Europe, it’s closer to 45%. The EU didn’t want to force one way - it wanted competition to drive better tech.
Who’s Winning and Who’s Struggling?
Since 2018, over 5,000 third-party providers have gotten licensed across the EU. Of those, 3,200 are account info apps, and 1,800 are payment starters. Startups like Revolut, N26, and Monzo built their entire user experience on PSD2. Their apps are fast, secure, and loved - Trustpilot ratings average 4.3/5.
But not everyone thrived.
Traditional banks spent between €50 million and €200 million each to build compliant APIs. Many struggled with the rollout. In 2019, Deutsche Bank reported a 15-20% drop in payment approvals because SCA systems weren’t properly synced. Some small businesses saw cart abandonment spike by 30% when low-value transaction exemptions failed - customers got hit with unexpected authentication pop-ups.
Even today, 32% of API endpoints across the EU still don’t fully meet EBA technical standards. Cross-border payments? Still a headache. A German merchant trying to accept payments from a Spanish customer might face different authentication rules, different error codes, different documentation.
 
Why This Matters Outside Europe
PSD2 didn’t just change Europe. It changed the world.
Since 2018, 45 countries have launched their own open banking or open finance programs. Australia’s Consumer Data Right, Brazil’s Open Banking, Canada’s upcoming framework - they all borrowed from PSD2’s playbook. Even in the U.S., where there’s no federal mandate, companies like Plaid and Yodlee built their entire business model on the idea that customers should own their data - an idea PSD2 made legal.
And it’s not just fintech. Retailers, insurers, and even car rental companies now use PSD2 APIs to verify income, check creditworthiness, or auto-fill forms. It’s becoming infrastructure - like electricity or internet.
What’s Next? PSD3 and the Digital Euro
PSD2 isn’t static. In June 2023, the European Commission updated its technical rules to fix gaps in SCA exemptions and secure communication. Banks are now being pushed harder to fix their API reliability.
By 2025, Gartner predicts 85% of European banks will operate as platforms - not just banks. They’ll sell access to their systems to developers, startups, and even competitors. That’s the real win: banks becoming enablers, not gatekeepers.
The next big step? The Digital Euro. The European Central Bank is testing a central bank digital currency that will work alongside PSD2. Imagine paying with your phone, using your bank’s app, and having your budgeting tool automatically track it - all under one secure, EU-backed system.
Experts like Jane Thompson from Celent say: "PSD2 was a compliance cost. Now it’s a competitive advantage." The banks that resisted are fading. The ones that embraced it are growing.
What You Need to Do
If you live in the EU:
- Use apps that ask for consent via your bank’s official portal - never enter your login on a third-party site.
- Check your bank’s app for "Open Banking" or "Third-Party Access" settings. You can turn off any service you don’t trust.
- If you run a business, understand that PSD2 means lower payment fees - but you need to work with payment providers who support PIS, not just card processors.
If you’re outside Europe:
- Watch how PSD2 shapes your country’s financial rules. It’s already influencing policy from Japan to South Africa.
- If you use a fintech app that connects to your bank, ask: "Do they use PSD2-style APIs?" If not, they might still be screen-scraping - which is less secure and could be banned soon.
PSD2 didn’t just change how we pay. It changed who owns our money data. And that’s a shift that’s here to stay.
Is PSD2 only for banks?
No. PSD2 applies to all Account Servicing Payment Service Providers (ASPSPs) in the European Economic Area - that includes banks, credit unions, building societies, and even some fintech firms that hold customer payment accounts. It doesn’t apply to non-payment institutions like insurance companies or investment platforms - unless they also offer payment services.
Can I opt out of PSD2 completely?
You can’t opt out of the regulation itself - banks are legally required to offer access. But you can control who accesses your data. Every time a third-party app asks to connect to your account, your bank will show you a consent screen. You can deny access, revoke it later, or limit what data is shared. Your bank’s app will have a section called "Third-Party Access" or "Open Banking" where you can manage permissions.
Are PSD2 payments safer than using cards?
Yes - and here’s why. With cards, your number can be stolen, cloned, or used in fraud. With PSD2 payments, no card details are ever shared. You authenticate directly through your bank’s app using biometrics or a one-time code. Even if a merchant’s system is hacked, your bank account isn’t exposed. Plus, every payment triggers SCA, and the bank monitors for fraud in real time.
Why do I sometimes get asked to authenticate even for small payments?
PSD2 allows exemptions for payments under €30 - but only up to €100 total or five transactions in a row. If you’ve made five small payments in a day, the system resets and asks for authentication again. Also, if the bank’s fraud system flags a transaction as risky - even if it’s under €30 - it will trigger SCA. This is by design: convenience doesn’t override security.
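The low-value exemption from the exemption list earlier and from this answer, as an added example (not code from this site or its calculator): a per-payer state object keeps the running total and count of exempted payments and resets both whenever SCA is performed. The class and function names, the strict reading of "under €30", and counting from the last SCA are assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal

# Limits as worded on this page; boundary handling (strict "<" vs "<=") is an assumption.
LOW_VALUE_LIMIT = Decimal("30")      # single payment must be under EUR 30
CUMULATIVE_LIMIT = Decimal("100")    # total exempted since the last SCA
MAX_CONSECUTIVE = 5                  # exempted payments in a row


@dataclass
class LowValueExemption:
    """Per-payer counters, reset every time SCA is actually performed."""
    exempt_total: Decimal = Decimal("0")
    exempt_count: int = 0

    def decide(self, amount: Decimal, flagged_risky: bool = False) -> tuple[bool, str]:
        """Return (sca_required, reason) and update the counters."""
        if flagged_risky:
            reason = "fraud monitoring flagged the payment"
        elif amount >= LOW_VALUE_LIMIT:
            reason = "amount is not under EUR 30"
        elif self.exempt_count + 1 > MAX_CONSECUTIVE:
            reason = "five exempted payments in a row already used"
        elif self.exempt_total + amount > CUMULATIVE_LIMIT:
            reason = "cumulative exempted total would pass EUR 100"
        else:
            self.exempt_total += amount
            self.exempt_count += 1
            return False, "low-value exemption applies"
        # SCA is performed, so the running counters start again.
        self.exempt_total = Decimal("0")
        self.exempt_count = 0
        return True, reason


def replay(payments):
    """Run a list of (amount, flagged_risky) through one payer's state."""
    state = LowValueExemption()
    return [state.decide(Decimal(a), risky) for a, risky in payments]


# Constructed sample: six small payments, then a flagged EUR 10 payment,
# then four EUR 29 payments (the fourth pushes the total past EUR 100).
SAMPLE = [("5.00", False)] * 6 + [("10.00", True)] + [("29.00", False)] * 4

if __name__ == "__main__":
    for (amount, risky), (sca, reason) in zip(SAMPLE, replay(SAMPLE)):
        print(f"EUR {amount:>6} risky={risky!s:<5} SCA={sca!s:<5} {reason}")
```

The counters belong on the bank's side and are keyed per payer; a merchant cannot see them, which is why a checkout can be asked for SCA on a small payment without warning.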
Does PSD2 apply to me if I’m not in Europe?
If you’re outside the EU but use a service that processes payments to or from someone in the European Economic Area, PSD2 applies to that transaction. For example, if you buy from a German online store and pay with your U.S. card, PSD2 doesn’t apply. But if you pay using a PISP like Klarna that connects to a French bank account, then PSD2 rules kick in. It’s about where the payment is processed - not where you live.
What happens if a third-party app gets hacked?
Third-party providers (TPPs) must be licensed and insured under PSD2. If they’re hacked and your data is stolen, you’re protected by EU consumer law. You won’t lose money from your bank account unless you acted fraudulently. The TPP is legally liable, and your bank must refund you immediately. Plus, TPPs can’t access your account without your active consent - so they can’t just steal data in the background.
 
                                                                             
                                                         
                                                         
                                                         
                                                         
                                                        
Julia Czinna
October 29, 2025 AT 23:34
PSD2 is one of those rare regulations that actually improved daily life without making people hate it. I use Yolt to track all my accounts, and it’s saved me from so many overdrafts. No more logging into five different apps just to see if I can afford coffee. And the SCA? Honestly, I prefer it. My card got cloned last year - this way, my bank account stays locked down tight.
Laura W
October 30, 2025 AT 04:06
Bro, PSD2 is the OG open finance play. Banks used to be walled gardens with password-sharing as the only bridge - total dumpster fire. Now? You got AIS, PIS, CofF - it’s like a fintech API buffet. And let’s be real, screen scraping was a security nightmare. TPPs are licensed, SCA’s baked in, and even the exemptions are smartly capped. This isn’t just compliance - it’s infrastructure reimagined. The US is still stuck in card-land while Europe’s already building the next layer. Digital Euro? Yeah, that’s the endgame.