Payment Service Directive 2 (PSD2) - we inform.

After the first stage of the Payment Service Directive 2 (PSD2) came into force in January 2018, the second stage of PSD2 will also become mandatory as of September 14, 2019.

On this page you can find out what will change as a result of the PSD2 and what you as a merchant need to consider.

Payment Service Directive 2


PSD2 is an EU directive for the regulation of payment services and payment service providers. It applies to payments in EU / European Economic Area (EEA) currencies between payment service providers located in the EU/EEA. It also applies to payments in non-EU/EEA currencies (e.g. US dollars or British pounds) and to cases where a payment service provider is located outside the EU/EEA (e.g. Switzerland or USA).


  • Making payments more convenient, cheaper and secure for consumers
  • Promoting competition between banks and financial service providers (Open Banking)
  • Fostering innovation

In order to achieve these targets, the regulation introduces a number of key innovations:

  • Payment institutions, like heidelpay, have access to bank data and bank accounts. This decision is based on the consideration that data and accounts belong to the account holders rather than to the banks. However, for a payment institution to access a bank account, explicit authorisation from the account holder is required.
  • Access to bank accounts is intended to create a network of new and existing solution providers. The new solution providers are mainly Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs).
  • Payment fees will also be newly regulated. This means that companies such as tour operators or airlines can no longer charge extra credit card fees.
  • Customer protection will also be strengthened. Strong Customer Authentication (SCA) - also known as two-factor authentication - is intended to make the misuse of data considerably more difficult.

PSD2 and 3D Secure

To meet the requirements of PSD2, there is a new version of 3D Secure for processing credit card payments. The card networks market it under names such as Verified by Visa or MasterCard Identity Check.

heidelpay has integrated the future service in such a way that, technically, no difference from the current 3D Secure is noticeable.

Your ToDo

What you as a merchant need to consider now


If you don't use 3D Secure yet, whether there is a ToDo for you by September 14th depends on how you have integrated with us.


If you use a module from heidelpay, you are basically well prepared. However, we recommend the following for safety reasons:


If you do not use an iFrame but integrate as follows:

  • Charges or reservations are submitted via XML (requires current PCI certificate)
  • Charges or reservations are submitted via SGW POST (requires current PCI certificate)
  • Charges or reservations are submitted via NGW POST without frontend parameter (requires current PCI certificate)

we recommend an integration of our iFrame (hPF = heidelpay Payment Frame). Further information can be found here:
heidelpay Developer Guide Chapter 5


If you use a direct integration and do not yet use 3D Secure, we recommend that you test on our test system whether the current integration already works with 3D Secure.

  • If you are using an iFrame (NGW), there will be no effect if we enable 3D Secure


If you use referenced bookings that refer to an initial registration (REG) (this is the case with subscription models, but also with recognition in the shop), then use the following integration for referencing POST requests:

3D Secure Mandatory Fields

In future, more information will be passed on to card issuers via the interfaces. However, this information is already mandatory in our interfaces, so no additional effort is required on your side.


Presentation Group


Account Group


Name Group

NAME.GIVEN Mandatory

Address Group


Contact Group