PSD2 Compliance and Card Tokenization
PSD2 requires Strong Customer Authentication and strict card data security. PCI Proxy's European PCI DSS Level 1 vault stores card tokens for SCA-exempt MIT transactions and keeps raw card data entirely out of your infrastructure.
What is PSD2?
PSD2 (Directive 2015/2366/EU) modernized European payment regulation by introducing Strong Customer Authentication, opening payment accounts to licensed third parties, and tightening security obligations for all payment service providers operating in Europe.
Strong Customer Authentication
SCA requires two independent authentication factors for most electronic transactions. MIT and recurring payments following the initial SCA challenge are exempt when flagged correctly, enabling seamless subscription and on-file payment flows.
Open Banking Access
Licensed third-party providers (AISPs and PISPs) may access payment account data and initiate payments with customer consent. PSPs must provide secure, standardized API access to eligible third parties.
Security Obligations
PSPs must implement robust transaction risk management, data security, and incident reporting. Card data storage must comply with PCI DSS requirements to protect payment credentials throughout their lifecycle.
PSD2 and Tokenization Questions Answered
01 What is PSD2 and what does it require?
PSD2 is an EU directive governing payment services across Europe. Key requirements include Strong Customer Authentication for most online payments, open banking access for licensed third parties, and enhanced security obligations for all payment service providers.
02 How does tokenization help with PSD2 SCA?
Tokenization lets merchants store card references without retaining raw card data. For MIT and recurring payments following an initial SCA challenge, a stored token can be used without re-triggering SCA. PCI Proxy tokens work with any payment processor.
03 What is the difference between SCA and PCI DSS?
SCA mandates two independent authentication factors for most electronic payments. PCI DSS is a security standard for card data. They are complementary: PCI DSS governs how card data is secured, while SCA governs how the cardholder is authenticated.
04 Can I use PCI Proxy tokens for PSD2 MIT transactions?
Yes. PCI Proxy tokens map to the underlying card in our vault. On an MIT, you pass the token to your payment processor which securely retrieves the real card credentials. The initial SCA was performed at enrollment; subsequent MIT transactions are exempt under PSD2 when flagged correctly.
05 Does PSD3 change anything about card tokenization?
PSD3 and the Payment Services Regulation will further harmonize SCA rules in the EU. Tokenization remains central: by keeping card references in a certified vault, you can adapt to regulatory changes without restructuring your storage system.
PSD2-Compliant Card Storage for European Payments
Tell us about your payment flows and we will show how PCI Proxy tokens enable SCA-exempt recurring MIT transactions while keeping card data out of your environment.