Open banking and PCI DSS is one of the most misunderstood topics in the European digital payments landscape. Many companies assume that adopting account-to-account payments automatically excludes them from PCI DSS obligations, but the reality is more nuanced. PSD2 and PCI DSS operate on different regulatory planes, with concrete overlaps that every merchant and PSP must understand before designing their payment architecture.
Open banking and PCI DSS: when each framework applies
PCI DSS applies to any entity that stores, processes or transmits payment card data - namely PAN, CVV, PIN and equivalent data. Open banking, by contrast, operates on payments initiated directly from a bank account via APIs regulated by PSD2: no card data flows through this channel, so PCI DSS does not strictly apply to the A2A flow.
However, the distinction is rarely so clear-cut in practice. Companies offering open banking as an additional payment method almost always continue to accept cards as well. This is where the problem arises: maintaining two parallel channels means a CDE (Cardholder Data Environment) exists regardless, with all associated PCI obligations. The logic of "I have open banking, I don't need PCI DSS" is correct only if the company has definitively stopped accepting cards - an extremely rare scenario.
A2A and account-to-account payments: reduced but non-zero PCI scope
Account-to-account (A2A) payments eliminate the PAN from the transactional flow. This concretely reduces PCI scope: if a merchant accepts payments only by instant transfer or through a PISP (Payment Initiation Service Provider), there is technically no active CDE for that channel. The required compliance level decreases, and in some cases an SAQ A can be completed for the residual portion of the business.
However, non-trivial operational obligations remain. IBAN data and current account information do not fall within the PCI DSS perimeter, but do fall under GDPR and the API security rules required by PSD2. A data breach on A2A bank data can result in GDPR penalties of up to 4% of global turnover, regardless of PCI DSS. Reducing the PCI scope does not equate to reducing overall risk.
Hybrid stack: when you use both cards and open banking
The most common scenario for European merchants and PSPs in 2025 is a hybrid stack: credit and debit cards for the majority of retail transactions, open banking for B2B payments or for merchants seeking to reduce interchange fees. In this case the CDE still exists, and PCI DSS compliance concerns the entire infrastructure handling card data, including shared components such as firewalls, logs and authentication systems.
The optimal solution for a hybrid stack is to centralise card data management on a single externally certified PCI DSS Level 1 vault, such as PCI Proxy EU's, and maintain open banking payments on a separate technical path. This keeps the PCI perimeter contained, reduces audit complexity and allows the two channels to evolve independently without changes to one impacting the compliance of the other.
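As an added example (not code from the page or from PCI Proxy EU), the separation described above can be enforced in the payment router itself: card requests are handed to the vault and only a token and last four digits are kept, while every A2A payload is scanned so that no Luhn-valid card number can slip into the out-of-scope channel. The function names, the in-memory vault stand-in and the sample payloads are assumptions constructed for this illustration.

```python
# Added example (not page or PCI Proxy EU code): keep card data on the
# tokenised path and check that no PAN leaks into the A2A channel.
# route_payment, tokenize_with_vault and all payloads are assumed/constructed.
import json
import re
import secrets

PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # 13-19 digits, optional separators
_VAULT = {}  # stand-in for the external PCI DSS Level 1 vault (assumed)


def luhn_ok(digits: str) -> bool:
    """Luhn check: filters out IBAN fragments, invoice numbers and amounts."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card numbers found in free text or a serialised payload."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def tokenize_with_vault(pan: str) -> str:
    """Stand-in for the vault call: the merchant keeps only an opaque token."""
    token = "tok_" + secrets.token_hex(8)
    _VAULT[token] = pan  # the real PAN lives only on the certified side
    return token


def route_payment(request: dict) -> dict:
    """Send card payments to the vault; refuse A2A payloads that carry a PAN."""
    if request["method"] == "card":
        token = tokenize_with_vault(request["pan"])
        return {"channel": "card", "in_pci_scope": True,
                "token": token, "last4": request["pan"][-4:]}
    if request["method"] == "a2a":
        if find_pans(json.dumps(request)):
            raise ValueError("PAN found in A2A payload: card data leaking out of the CDE")
        return {"channel": "a2a", "in_pci_scope": False, "iban": request["iban"]}
    raise ValueError(f"unknown payment method {request['method']!r}")
```

Running the same `find_pans` scan over the A2A channel's request logs is a cheap way to confirm during an assessment that the channel really is PAN-free.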
Frequently asked questions
Does a company using only open banking need to be PCI compliant?
If the company does not touch payment card data in any flow, PCI DSS does not apply. This only holds if all accepted payment methods are A2A or via a PSD2-regulated PISP. In practice, almost no European merchant is in this situation: the vast majority still accept cards, which keeps the PCI DSS obligation active.
Does PSD2 eliminate PCI DSS obligations for banks?
No. PSD2 regulates access to accounts and payment services, while PCI DSS is a card data security standard maintained by the PCI SSC. Banks are subject to both: PSD2 for open banking APIs, PCI DSS for all services handling card data. The two frameworks complement rather than replace each other.
Does PCI Proxy EU support open banking payments?
PCI Proxy EU focuses on tokenization and secure card data management. For hybrid card and open banking stacks, the solution is to integrate PCI Proxy EU for the card channel and maintain a separate path for A2A payments. This minimises the PCI perimeter without compromising the flexibility of offered payment methods.
Do you manage a hybrid card and open banking stack and want to understand exactly what falls within your PCI perimeter? Discover PCI Proxy EU.