PSD2 Compliance Checklist for UK Merchants: Key Steps for 2025

Written by Lee Hart

UK merchants dealing with online payments need to understand how PSD2 affects their business. Following a clear PSD2 compliance checklist helps them keep payments secure, avoid penalties, and deliver safe customer experiences. Strong Customer Authentication (SCA) is a key part of PSD2, and failing to meet the rules could result in blocked payments or lost revenue for merchants.

Staying up to date on compliance requirements ensures smoother operations and builds trust with customers. Knowing which technical steps matter and what to expect when working with payment providers allows merchants to adapt with confidence.

Key Takeaways

  • Clear compliance steps help UK merchants meet PSD2 requirements.
  • Strong Customer Authentication reduces risks for customers and businesses.
  • Ongoing attention to changes in regulation keeps payment systems secure.

Understanding PSD2 and Its Impact on UK Merchants

PSD2 has changed the way payment services work in the UK. Merchants face new security requirements and rules about how they handle customer data and payments.

Key Objectives of PSD2

The main goals of PSD2 are to improve payment security, increase competition in the banking sector, and protect consumers. The directive pushes for stronger customer authentication, which aims to reduce fraud and unauthorised transactions.

PSD2 also allows new businesses, such as fintechs, to provide payment services once only offered by banks. This encourages more innovation in the industry. At the same time, it ensures that consumers are better informed and can confidently use different payment service providers.

To meet these goals, PSD2 sets clear guidelines for how companies must treat sensitive data and verify users. These steps help prevent scams and give customers peace of mind.

Changes in Payment Regulations

UK merchants must now follow stricter rules on how online payments are processed. A key part of these changes is Strong Customer Authentication (SCA), which requires verifying a customer’s identity using at least two different methods. These methods can include a password, a mobile device, or biometric authentication data, such as a fingerprint or facial recognition.

If a transaction does not meet the SCA requirements, banks may decline it. This means merchants can lose revenue if their checkout process does not support these checks. Recent data shows that merchants can lose over 20% of transactions when 3D Secure is applied, and only 79% of these transactions finish successfully, lowering overall revenue. Find more details in the analysis on PSD2 impact on fraud and revenue.

The rules apply both online and for in-person payments, although most changes affect e-commerce. Compliance with these measures is now mandatory for anyone processing electronic payments in the UK.

Scope of Merchants Affected

PSD2 affects a wide range of UK merchants. Any business that takes electronic payments—whether online shops, physical stores using card machines, or companies working with third-party payment providers—falls under PSD2.

Traditional banks, fintech companies, and online marketplaces must all comply with the new rules. Even small merchants are not excluded if they accept card payments or work with payment processors.

The regulations apply to both domestic and cross-border transactions within the European Economic Area. Any merchant that wants to accept European or UK customers' payments must follow PSD2 standards. See more about which businesses are affected at the FCA guidance page.

Essential Compliance Requirements

UK merchants must meet specific standards under PSD2. These regulations help protect payments, increase trust, and keep payment systems safe for both businesses and customers.

Strong Customer Authentication (SCA)

Strong Customer Authentication (SCA) is a key part of PSD2. Merchants must use at least two of the following: something the customer knows (like a PIN), something the customer has (such as a phone or card), or something the customer is (fingerprint or facial recognition).

Without SCA, payments can be declined by banks or payment providers. SCA is required for most online and in-person transactions in the UK and across Europe. It applies mainly to electronic payments and limits the risk of fraud by verifying the identity of the user making the payment.

Businesses should use secure solutions like 3-D Secure 2 for online transactions. SCA exemptions exist for some low-risk and low-value payments, but these must meet strict criteria. For a practical checklist and further details, see this SCA compliance guide.

Transaction Risk Analysis

Transaction Risk Analysis (TRA) allows merchants to exempt certain payments from Strong Customer Authentication (SCA) if strict risk controls and fraud detection mechanisms are in place. When a transaction meets specific security thresholds—such as low fraud rates, real-time fraud monitoring, and strong risk signals (e.g., device ID, customer behaviour patterns, or biometric data)—it may be classified as low-risk. In such cases, the payment can skip the additional two-factor authentication step while still complying with PSD2 regulations.

Merchants must work with their payment service providers to monitor transaction risk levels. TRA covers things like monitoring transaction size, customer behaviour, and payment history. Statistical fraud rates are required to stay below regulated thresholds to keep the exemption.

Frequent reviews, real-time monitoring, and effective reporting tools help ensure that merchants keep control over risk. TRA makes customer payments faster while keeping security measures strong. Merchants should stay updated on rules, as thresholds and accepted monitoring techniques can change.
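The two decisions described in the SCA and TRA sections above (does the collected evidence span two distinct factor categories, and may a low-risk payment skip the challenge) can be expressed as a small decision routine. The code below is an added example written for this article; it is not code from the article's author, from any PSP, or from the FCA. The evidence-to-category mapping, the `Transaction` record and the function names are assumptions. The TRA bands are the reference fraud-rate thresholds published in the RTS Annex for remote card payments (up to EUR 100 at 0.13%, EUR 250 at 0.06%, EUR 500 at 0.01%), applied to the PSP's fraud rate rather than the merchant's; treat them as configuration and confirm current values with your PSP.

```python
"""Illustrative SCA factor check and TRA exemption decision.
Added example; not code from the original article or any PSP.
Thresholds are assumptions taken from the RTS Annex (remote card payments)."""
from dataclasses import dataclass, field
from decimal import Decimal
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "knowledge"    # something the customer knows (PIN, password)
    POSSESSION = "possession"  # something the customer has (phone, card)
    INHERENCE = "inherence"    # something the customer is (fingerprint, face)


# Assumed mapping of evidence types a checkout might collect to SCA categories.
EVIDENCE_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "otp_sms": Factor.POSSESSION,       # OTP proves possession of the registered phone
    "app_push": Factor.POSSESSION,
    "card_cryptogram": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "face": Factor.INHERENCE,
}


def sca_satisfied(evidence):
    """True when the evidence spans at least two distinct categories.
    Two factors from the same category (e.g. password + PIN) do not count."""
    categories = {EVIDENCE_CATEGORY[e] for e in evidence if e in EVIDENCE_CATEGORY}
    return len(categories) >= 2


# TRA bands: (transaction ceiling in EUR, maximum PSP reference fraud rate).
# Assumed from the RTS Annex; the rate is the PSP's, not the merchant's.
TRA_BANDS = [
    (Decimal("100"), Decimal("0.0013")),
    (Decimal("250"), Decimal("0.0006")),
    (Decimal("500"), Decimal("0.0001")),
]


@dataclass
class Transaction:
    amount: Decimal
    currency: str
    risk_signals_ok: bool          # real-time monitoring found no abnormal signals
    evidence: list = field(default_factory=list)


def make_transaction(amount, currency, risk_signals_ok, evidence=None):
    """Convenience constructor taking the amount as a string (constructed helper)."""
    return Transaction(Decimal(str(amount)), currency, risk_signals_ok, list(evidence or []))


def tra_exemption_applies(tx, psp_fraud_rate):
    """True if the payment may skip the SCA challenge under TRA."""
    rate = Decimal(str(psp_fraud_rate))
    if tx.currency != "EUR":       # simplification: bands are defined in EUR
        return False
    if not tx.risk_signals_ok:     # real-time risk monitoring must be clean
        return False
    for ceiling, max_rate in TRA_BANDS:
        if tx.amount <= ceiling:   # first band the amount falls into decides
            return rate <= max_rate
    return False                   # above EUR 500: no TRA exemption


def authentication_decision(tx, psp_fraud_rate):
    """Return one of: exempt_tra, authenticated, challenge_required."""
    if tra_exemption_applies(tx, psp_fraud_rate):
        return "exempt_tra"
    if sca_satisfied(tx.evidence):
        return "authenticated"
    return "challenge_required"


if __name__ == "__main__":
    tx = make_transaction("200", "EUR", True, ["password"])
    print(authentication_decision(tx, "0.0010"))   # challenge_required
```

The band loop matters: a PSP whose fraud rate is 0.10% may exempt a EUR 80 payment but not a EUR 200 one, because the EUR 250 band demands a rate at or below 0.06%. Keeping the thresholds as data rather than hard-coded conditions makes it easier to update them when the regulator or the PSP changes them.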

Customer Data Protection

Protecting customer payment and personal data is central to PSD2 compliance. Merchants must follow robust data protection standards, ensuring that sensitive data is encrypted and stored securely at all times. Data must be processed following rules set by the General Data Protection Regulation (GDPR).

Key requirements include:

  • Keeping personal and payment data private
  • Only collecting details necessary to complete a transaction
  • Informing customers about how their data is used and stored

Regular staff training, clear privacy policies, and strict access controls are required. Any third parties used by the merchant must also meet the same data protection rules. Breaches must be reported quickly, and companies must have a plan in place to handle them.

Access to Payment Account Information

PSD2 gives third-party providers (TPPs) access to customer payment account information through secure APIs, but only with explicit customer consent. Merchants must ensure their platforms can connect with TPPs in a safe and compliant way.

Open APIs allow financial data to be shared between banks, merchants, and regulated providers. This supports payment innovation but also requires strict security controls. Customer consent is required every time account data is accessed or payment is initiated by a TPP.

Merchants must use secure API standards and maintain strong monitoring to detect unauthorised access. For more on open APIs and compliance, see this guide for merchants. Regular audits and testing are needed to ensure that only authorised access is allowed and data privacy is maintained.

Technical Measures for PSD2 Compliance

UK merchants must adopt specific technical changes to meet PSD2 requirements. These include implementing strong security on payments, using modern APIs, and keeping detailed records of all transactions.

Implementing 3D Secure 2.0

3D Secure 2.0 is a key feature for strong customer authentication (SCA) under PSD2. Merchants need to upgrade from older versions to ensure smoother online payments. 3D Secure 2.0 collects more data elements, such as device information and transaction history, to check for risks during the transaction.

This system often supports biometric and two-factor authentication, making transactions safer for customers. It also reduces step-ups and extra friction during the checkout process. UK merchants benefit from faster authorisations and fewer abandoned carts.

Merchants should work with their payment service provider to confirm full adoption of 3D Secure 2.0. Following these steps helps lower fraud and meets the SCA requirements set by PSD2.

Checklist:

  • Use 3D Secure 2.0 for all card payments.
  • Enable biometric or multi-factor authentication.
  • Regularly test the customer experience for smooth operation.

Integrating Secure APIs

PSD2 requires banks and third-party providers to connect systems using open and secure APIs. This allows secure sharing of payment and account data between approved providers. Merchants must ensure their APIs are both accessible and well-protected.

An API should use strong encryption, secure authentication and authorisation, and protect against common attacks like injection or data leaks. Regular security reviews and penetration tests help find and fix weaknesses. API documentation needs to be clear and up-to-date for all users.

Open banking relies on these secure connections. By following a PSD2 compliance checklist, merchants can keep payment data safe and fulfil regulatory duties.

Essential points:

  • Enforce TLS encryption on all API calls (the older SSL protocol versions are obsolete and should be disabled).
  • Use secure authentication (OAuth 2.0 is common).
  • Review and update API endpoints as needed.
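The three points above (TLS on every call, token-based authentication, and consent before account data is released) can be checked in one authorisation step in front of an account-information endpoint. The following is an added example written for this article, not code from the article's author, from any PSP, or from an Open Banking standard. It assumes tokens are HMAC-signed by the merchant's own authorisation server, that consent records are kept locally, that the web framework reports whether a request arrived over TLS, and that the scope name `accounts:read` and the request dictionary layout are ours; all of those are constructed for the illustration.

```python
"""Illustrative authorisation check for an account-information API endpoint.
Added example; not code from the original article or any standard.
Assumptions: HMAC-signed tokens from our own server, local consent store."""
import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"constructed-demo-key-do-not-reuse"   # constructed; rotate in production

# Constructed consent store: (TPP client id, account id) -> consent expiry (epoch seconds)
CONSENTS = {("tpp-123", "acct-001"): 2_000_000_000}


def issue_token(client_id, scopes, ttl_seconds=300, now=None):
    """Mint a compact bearer token: base64(payload) + '.' + base64(HMAC-SHA256)."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": client_id, "scope": scopes, "exp": now + ttl_seconds}).encode()
    mac = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(mac).decode()


def verify_token(token, now=None):
    """Return the claims dict if signature and expiry are valid, otherwise None."""
    now = time.time() if now is None else now
    try:
        p_b64, m_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(p_b64)
        mac = base64.urlsafe_b64decode(m_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if claims.get("exp", 0) <= now:              # expired tokens are rejected
        return None
    return claims


def authorise_account_read(request, now=None):
    """Decide whether an account-information request may proceed.
    request: {"is_tls": bool, "headers": {...}, "account_id": str} (constructed shape)."""
    now = time.time() if now is None else now
    if not request.get("is_tls"):
        return (403, "plaintext transport rejected")
    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return (401, "missing bearer token")
    claims = verify_token(auth[len("Bearer "):], now)
    if claims is None:
        return (401, "invalid or expired token")
    if "accounts:read" not in claims.get("scope", []):
        return (403, "scope does not permit account read")
    # Consent is checked per access: a valid token alone never releases account data.
    consent_exp = CONSENTS.get((claims["sub"], request.get("account_id")))
    if consent_exp is None or consent_exp <= now:
        return (403, "no valid customer consent for this account")
    return (200, "ok")


if __name__ == "__main__":
    token = issue_token("tpp-123", ["accounts:read"])
    req = {"is_tls": True, "headers": {"Authorization": "Bearer " + token}, "account_id": "acct-001"}
    print(authorise_account_read(req))   # (200, 'ok')
```

Note the order of the checks: transport first, then token, then scope, then consent. A request that fails at any step produces a distinct reason code that can be logged and monitored, which is what makes unauthorised access attempts visible in the audit trail the article asks for.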

Monitoring and Logging Transactions

PSD2 expects payment providers to monitor payment activities closely. This helps find odd or suspicious activity and can stop payment fraud early.

Merchants need to set up tools that track and log every transaction. Logs should include who made the payment, the method used, the location, and any changes to the payment flow. These records must be kept secure and easy to retrieve for audits or investigations.

Real-time monitoring systems can alert staff to high-risk transactions as they happen. This makes it easier to react to threats quickly and keeps customer data safe. Adopting best practices found in SCA optimisation guides supports full compliance.

Checklist:

  • Log all payment-related activities.
  • Store logs securely and for the required period.
  • Use real-time alerts for suspicious transactions.
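To make the checklist concrete, here is a small review routine run over transaction log records of the kind described above. It is an added example written for this article, not code from the article's author or from any PSP or monitoring product. The log lines are constructed JSON records in a format assumed for the illustration, and the three rules it applies (a payment authorised with neither SCA evidence nor a recorded exemption, a low-value exemption applied above its ceiling, and repeated SCA failures for one customer in a short window) are assumptions to tune for a real merchant. The EUR 30 low-value ceiling is taken from the RTS; the sample compares GBP amounts against it directly as a simplification.

```python
"""Illustrative transaction-log review producing alerts.
Added example; not code from the original article or any PSP.
Log lines below are constructed; thresholds are assumptions."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one JSON record per payment event.
SAMPLE_LOG = """\
{"ts":"2025-03-01T10:00:00Z","event":"auth","customer":"c1","amount":45.00,"currency":"GBP","sca":"passed","exemption":null}
{"ts":"2025-03-01T10:01:00Z","event":"auth","customer":"c2","amount":320.00,"currency":"GBP","sca":"not_performed","exemption":"low_value"}
{"ts":"2025-03-01T10:02:00Z","event":"auth","customer":"c3","amount":15.00,"currency":"GBP","sca":"not_performed","exemption":null}
{"ts":"2025-03-01T10:03:00Z","event":"sca_failed","customer":"c4","amount":90.00,"currency":"GBP","sca":"failed","exemption":null}
{"ts":"2025-03-01T10:03:30Z","event":"sca_failed","customer":"c4","amount":90.00,"currency":"GBP","sca":"failed","exemption":null}
{"ts":"2025-03-01T10:04:00Z","event":"sca_failed","customer":"c4","amount":90.00,"currency":"GBP","sca":"failed","exemption":null}
{"ts":"2025-03-01T10:05:00Z","event":"auth","customer":"c4","amount":90.00,"currency":"GBP","sca":"passed","exemption":null}
"""

LOW_VALUE_CEILING = 30.00          # assumption: RTS low-value exemption ceiling (EUR 30)
FAILED_SCA_LIMIT = 3               # assumption: failures that trigger an alert
FAILED_SCA_WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Parse JSON lines into records with a timezone-aware datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def review(records):
    """Return a list of (alert_kind, customer, timestamp) tuples in time order."""
    alerts = []
    failures = defaultdict(list)   # customer -> recent SCA failure timestamps
    for r in sorted(records, key=lambda x: x["ts"]):
        # Rule 1: authorised with no SCA and no exemption recorded.
        if r["event"] == "auth" and r["sca"] == "not_performed" and not r.get("exemption"):
            alerts.append(("sca_missing", r["customer"], r["ts"]))
        # Rule 2: low-value exemption claimed above its ceiling.
        if r.get("exemption") == "low_value" and r["amount"] > LOW_VALUE_CEILING:
            alerts.append(("exemption_misapplied", r["customer"], r["ts"]))
        # Rule 3: repeated SCA failures for one customer inside the window.
        if r["event"] == "sca_failed":
            recent = [t for t in failures[r["customer"]] if r["ts"] - t <= FAILED_SCA_WINDOW]
            recent.append(r["ts"])
            failures[r["customer"]] = recent
            if len(recent) == FAILED_SCA_LIMIT:   # alert once when the limit is reached
                alerts.append(("repeated_sca_failure", r["customer"], r["ts"]))
    return alerts


def review_sample():
    """Run the review over the constructed sample log."""
    return review(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for kind, customer, ts in review_sample():
        print(f"{ts.isoformat()} {kind} customer={customer}")
```

Each alert carries the customer and timestamp so that an analyst can go straight to the underlying records, which is only possible if the logs keep the fields the article lists (who paid, the method, and what happened to the authentication flow). The rules are deliberately simple; a production system would add device, location and velocity signals and feed alerts into a real-time queue rather than a batch review.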

Working With Third Parties

When handling online payments, UK merchants often rely on different third-party companies. These companies help process transactions, manage security requirements, and handle sensitive customer data.

Roles of Payment Service Providers

Payment service providers, known as PSPs, are central to any online retail business. They manage the movement of money between customers and merchants during purchases. Trusted PSPs help merchants meet security rules by offering robust transaction processing, fraud monitoring, and technical support.

PSPs must comply with regulations like PSD2 and Strong Customer Authentication (SCA). This includes multi-factor authentication, secure communication, and data protection. Many PSPs also support updated protocols such as EMV 3DS 2.2 for e-commerce transactions, which ensure that businesses meet authentication requirements.

Key responsibilities of a PSP:

  • Processing payments securely
  • Preventing fraud through screening tools
  • Communicating with banks and card networks
  • Supporting merchants during disputes

It is important for merchants to choose PSPs with proven compliance records and up-to-date technology.

Ensuring Third-Party Compliance

UK merchants must ensure that every third party they partner with also meets PSD2 requirements. This applies to payment gateways, technology platforms, and other vendors with access to financial data.

A practical approach includes using a checklist to verify compliance status. Merchants should confirm that partners have measures for certificate validation, support PSD2-compliant APIs, and keep documentation current. Monitoring and auditing are required to guarantee continuing adherence to rules.

Banks and merchants should also track whether third-party systems are up to date with registry listings and are included in regular compliance checks. For reference, detailed checklists on third-party compliance tasks and technical API requirements help make sure all areas are covered. This reduces the risk of breaches or penalties for non-compliance.

Operational Best Practices

Staff need clear training on PSD2 rules and merchant processes to avoid costly mistakes and make sure all transactions are handled correctly. Regular checks help find and fix compliance gaps before they become bigger problems.

Employee Training and Awareness

Regular training sessions help staff understand core PSD2 requirements and spot high-risk situations during customer payments. New staff should get focused onboarding about strong customer authentication (SCA) and data handling rules to reduce errors and delays.

It is vital that all team members know how to respond if a payment is flagged for suspicious activity. They should receive clear guides on when SCA is required or exempt. Ongoing updates, such as email bulletins or role-based checklists, ensure staff keep up with regulatory changes.

Optional quizzes or scenario-based reviews can test understanding and highlight areas that need more attention. Investing in up-to-date employee training lowers the risk of non-compliance fines and lost revenue.

Ongoing Compliance Audits

Merchants should schedule regular compliance audits to review how well their payment systems meet PSD2 and SCA rules. An audit covers system security, transaction logs, authentication records, and exception handling. These reviews help merchants spot and fix weak points fast.

Documenting audit results helps prove compliance if inspected by regulators. Merchants can also use audits to find areas where extra staff training or process updates are needed to keep up with evolving regulations.

Managing Customer Experience Under PSD2

Merchants now face new challenges balancing Strong Customer Authentication (SCA) requirements with smooth and efficient shopping. Customers expect both high security and a fast, simple checkout process.

Minimising Checkout Friction

Strong Customer Authentication (SCA), mandated by the PSD2 regulation, introduces extra steps for online payments, such as entering a one-time authentication code sent via SMS or using biometric methods like fingerprint or facial recognition. If not implemented smoothly, this process can lead to customer frustration. To reduce friction, retailers should adopt payment methods that support fast, seamless authentication on compatible devices.

Extended verification can be avoided by using SCA exemptions for low-value transactions or re-authenticating trusted customers less often. Many payment providers offer built-in SCA solutions to reduce manual steps. For example, tokenisation and saved card details speed up repeat purchases and create a more familiar experience.

Some retailers clearly display progress bars or simple step-by-step guides at checkout. This helps customers know what to expect next, making the process less confusing.

For more information on SCA requirements and strategies, visit the Signifyd checklist on customer experience and the Riskified PSD2 compliance guide.

Communicating Security Changes

Customers can feel uneasy with new checkout steps. Merchants should explain why new authentication steps are in place and how this helps secure their payment information. This reassures customers and builds trust.

Notices on checkout pages should use clear, friendly language. Consider short banners or pop-up messages. Example: “You may be asked to confirm your identity for added payment security.”

Staff training on PSD2 changes can help with both online support and in-store questions. A list of key benefits—such as protection against fraud and privacy—helps customers understand the reason for changes.

For a PSD2 checklist that emphasises communication, merchants can review the Solidgate guide for PSD2 compliance for more tips.

Addressing Common Compliance Challenges

UK merchants often face difficulties in keeping payments secure while ensuring a smooth experience for customers. They also must stay alert to frequent changes in regulations, which can require quick adaptation and new processes.

Balancing Security and Usability

Strong Customer Authentication (SCA) is now a key part of PSD2, but if applied poorly, it can cause cart abandonment and customer frustration. Merchants must use SCA solutions that keep payment steps simple without lowering security standards.

Popular tools, such as 3D Secure 2, help reduce fraud by adding extra verification layers. However, merchants should offer clear instructions and error messages during checkout to support customers who face issues.

It is crucial to find the right balance by using exemptions allowed under PSD2 when appropriate. For example, transaction risk analysis may allow low-risk payments to bypass extra authentication, keeping the process fast and secure. This balance is highlighted as a main challenge in PSD2 compliance guides.

Adapting to Future Regulatory Changes

PSD2 rules and SCA requirements have changed over time, and more updates can be expected. Merchants need solid processes to track updates from regulators and payment providers in the UK and Europe.

A dedicated team or regular staff training can help merchants stay ahead of new mandates. Some payment service providers offer updates or compliance support, which can also be a useful resource.

Documenting compliance steps and keeping system logs make reviews and audits faster. Staying adaptable helps merchants respond quickly to new deadlines and maintain payment system reliability as outlined in guidance for UK businesses.

Record-Keeping and Reporting Obligations

UK merchants under PSD2 must keep detailed records of payment transactions and customer identification. These records should be stored securely and be available for regulatory review when needed.

Payment service providers are required to submit regular reports to the regulator. This includes data on payment volumes, incidents, and fraud cases. Merchants should ensure their systems capture this information accurately.

Key record-keeping requirements include:

  • Names and account details of parties involved
  • Amounts and currencies of transactions
  • Dates and times of transactions
  • Evidence of customer authentication

Reporting obligations cover several areas. Notably:

  • Payment fraud statistics
  • Major operational or security incidents
  • Compliance with strong customer authentication

The FCA’s specific guidance outlines what information must be included in reports, and how it should be prepared. For full guidelines, see the FCA reporting requirements page.

Below is a summary of common obligations:

  • Record-keeping: store payment and customer data securely
  • Fraud reporting: submit data on detected and prevented fraud
  • Major incident reporting: notify regulators of incidents impacting payment services
  • Timeliness: submit required reports by regulator deadlines

Failure to follow these rules may result in regulatory action. For further reference, see the FCA’s guidance on payments fraud reports and incident notification and the EBA’s major incident reporting guidelines.

Staying Updated With Regulatory Developments

Regulations around PSD2 can change, and it’s important for UK merchants to keep up with the latest updates. Being aware of new rules or guidance helps businesses stay compliant and avoid potential risks.

One way to stay informed is by regularly checking updates from the Financial Conduct Authority (FCA). The FCA offers a PSD2 Navigator to help businesses understand how new developments affect them.

Merchants should also subscribe to official newsletters or industry alerts. These sources often highlight essential changes quickly and in straightforward language.

Building a relationship with a compliance professional or consulting with payment service providers can be helpful. They often provide up-to-date advice and clarify regulatory changes.

Key actions for staying updated:

  • Monitor FCA updates and guidance
  • Join relevant webinars and training
  • Follow trusted payments industry blogs
  • Use tools like the PSD2 Navigator

Paying attention to regulatory updates is not just about avoiding fines. It also protects customer trust and maintains smooth payment operations.

Conclusion

Meeting PSD2 compliance requirements helps UK merchants protect customer data and reduce fraud. Careful attention to each step of the compliance checklist limits the risk of penalties and keeps operations smooth.

Key benefits of PSD2 compliance include:

  • Lower risk of unauthorised transactions
  • Improved customer trust
  • Fewer chargebacks
  • Better regulatory alignment

To stay compliant, merchants should:

  1. Regularly review the rules and adjust business practices
  2. Update teams with ongoing training
  3. Work closely with payment providers and review systems for PSD2 and SCA requirements
  4. Use secure payment methods that support 3D Secure 2

Staying proactive is key. Merchants who keep up with guidelines are better prepared for future changes in payment regulations.

Adopting best practices leads to safer transactions and stronger customer relationships.

Frequently Asked Questions

UK merchants must meet strict requirements under PSD2, including strong security steps and clear rules for managing customer information. Missing deadlines or non-compliance can lead to direct financial and legal consequences.

What are the essential steps a UK merchant must take to ensure full compliance with PSD2?

UK merchants need to set up secure payment processes. This includes using strong customer authentication for online payments, updating payment gateways, and ensuring technical systems support PSD2 standards. Reviewing all customer touchpoints for compliance is also important. Extra checks should be made for exemptions and special payment types, such as phone orders.

Which specific requirements of Strong Customer Authentication must UK merchants meet?

Strong Customer Authentication (SCA) asks for at least two types of customer verification. These must come from at least two of three categories: something the customer knows (like a password), something the customer has (like a phone or card), or something the customer is (like a fingerprint). Without SCA, many card transactions may be declined by issuers in the UK and EEA, as outlined in this overview of PSD2 compliance impacts.

How does PSD2 affect the handling of customer data for UK-based businesses?

PSD2 requires merchants to manage customer data more carefully. Data must be protected from unauthorised access and only shared with regulated third parties, such as payment providers with customer consent. This keeps payment services secure and helps ensure privacy is respected under UK law.

What are the key deadlines for PSD2 implementation that UK merchants must not overlook?

The final deadline for full PSD2 compliance in the UK was set after extensions due to the pandemic. Most firms had to comply by 2020, but those affected by Covid-19 had a final deadline of September 14th, 2021. Delays in meeting these dates increase risks of penalties and failed payments, as stated in this PSD2 FAQ.

What penalties can UK merchants face if they fail to comply with PSD2 regulations?

Non-compliance can lead to large fines or other penalties from regulatory authorities. Merchants may also suffer damaged reputations, lose customer trust, or face legal action. Payment providers can even refuse to process non-compliant transactions, as explained in this no-nonsense guide to PSD2 compliance.

What are the roles and responsibilities of UK merchants under the PSD2 directive?

UK merchants must make sure all payment systems and customer interactions follow PSD2 requirements. This includes offering secure payment methods, using reliable technology, and training staff on compliance practices. Merchants are also responsible for keeping up to date with regulatory changes.