Subscribe to the Non-Human & AI Identity Journal

How do you know if PSD2 controls are actually working?

Look for evidence across the whole payment path, not just approval rates. A healthy programme can show low soft-decline noise, stable fraud outcomes, documented exemption use, and consistent SCA decisions across checkout, wallet, and open banking flows. If any one channel behaves differently, the control model is uneven.

Why This Matters for Security Teams

PSD2 controls are only meaningful if they improve assurance without breaking legitimate payments. That means security, fraud, payments, and customer experience teams need a shared view of control performance, not separate success metrics. Approval rate alone can hide weak Strong Customer Authentication, while excessive friction can push users into abandonment or repeated retries. Current guidance suggests measuring the control outcome across the full transaction journey, including SCA prompts, exemptions, challenge failures, and post-transaction fraud. The control question is operational, not just regulatory.

For payment platforms, the practical risk is uneven enforcement across channels. Card checkout, wallet payments, and open banking journeys often use different decision logic, so a programme can appear healthy in one flow and fail in another. That is why control evidence should be reviewed alongside logging, exception handling, and incident data, consistent with the control-testing mindset in NIST SP 800-53 Rev 5 Security and Privacy Controls. In practice, many security teams discover PSD2 control gaps only after fraud patterns or abandonment spikes have already exposed inconsistent enforcement.

How It Works in Practice

A working PSD2 control model should produce evidence that is both measurable and explainable. Start by defining which journeys fall under SCA, which qualify for exemptions, and how the policy is enforced by channel. Then verify that the decision engine, authentication flow, and downstream logging all agree on the same transaction outcome. Good control evidence usually comes from a mix of operational telemetry, fraud analytics, and audit records rather than one dashboard.

Teams should test the following areas together:

  • SCA decision logic: whether the right transactions trigger challenge, exemption, or step-up.

  • Channel consistency: whether checkout, app, wallet, and API-driven flows apply the same policy.

  • Exception handling: whether soft declines, retries, and fallback paths are logged and reviewed.

  • Fraud and loss outcomes: whether control changes correlate with lower fraud without material customer harm.

  • Operational traceability: whether each authentication event can be tied back to a policy rule and a business reason.

For identity assurance, the strongest evidence comes from knowing that the authentication step is both proportionate and defensible. That is where payment security starts to intersect with identity governance, especially when higher-risk journeys use device signals, biometrics, or delegated authentication. Where digital identity proofing or session assurance is part of the control model, NIST SP 800-63B Digital Identity Guidelines is useful for thinking about authenticators and assurance levels, even though PSD2 itself is not an identity standard. These controls tend to break down when exemption logic is hard-coded differently across payment channels because policy drift makes the same customer journey behave inconsistently.

Common Variations and Edge Cases

Tighter PSD2 enforcement often increases friction and support overhead, so organisations have to balance conversion against stronger authentication and better fraud resistance. That tradeoff is normal, but it needs to be managed with evidence rather than intuition. Best practice is evolving on how much exemption usage is acceptable, because the right answer depends on merchant risk, geography, customer segment, and fraud profile.

There are a few common edge cases. Merchant-initiated transactions and recurring payments may follow different rule sets from one-off card-not-present purchases. Open banking flows can show different behaviour from card payment flows even when they share the same front-end experience. Delegated or embedded authentication may also make the control chain harder to interpret, so audit teams need to confirm which party made the SCA decision and which party retained the evidence.

Where payments run through complex cloud and API estates, control validation should also reflect resilience and monitoring expectations in NIST Cybersecurity Framework 2.0 and the transaction monitoring guidance in MITRE ATT&CK. In practice, the hardest failures appear when business rules are updated faster than logging, reconciliation, and fraud review processes can keep up.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack surface, NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST SP 800-63 set the technical controls, and DORA define the regulatory obligations.

Framework Control / Reference Relevance
NIST CSF 2.0 GV.RM-01 Risk outcomes need shared metrics across payment channels and control owners.
NIST SP 800-53 Rev 5 AU-2 Authentication and exemption decisions must be logged for verification and audit.
NIST SP 800-63 AAL2 Step-up and assurance design matter when identity evidence supports payment authentication.
MITRE ATT&CK T1110 Repeated retries and challenge abuse can indicate authentication pressure or automation.
DORA Payment control performance depends on resilience, traceability, and incident readiness.

Log each SCA, exemption, and fallback decision with enough detail to reconstruct the transaction path.