Frequently asked questions concerning security and privacy
If a beneficiary receives a payment too late, the responsible payment service providers are required to provide compensation.
When logging in to online banking or making payments online, two-factor or strong customer authentication is mandatory. This requires two of a possible three independent factors: knowledge (e.g. PIN), possession (e.g. smartphone) or inherence (e.g. fingerprint). The PSD2 stipulates that this procedure is also to be used for other actions where there is a risk of abuse, such as when changing a standing order.
The use of two-factor authentication increases the security of online banking and online payments. A fraudster has to have both factors in order to access the account. When initiating a payment, one factor is coupled to the payment amount and recipient; this security element can only be used to approve this particular payment.
The PSD2 stipulates that, as of 14 September 2019, payment service providers must use strong customer authentication for online credit transfers, amongst other things. The iTAN procedure no longer fulfils these prerequisites and thus may no longer be used as of this date. Further information about the changes as of 14 September 2019 and the revocation of the iTAN procedure can be found in an article published by BaFin, which is summarised below:
"If the electronic payment to be initiated is a remote payment, for instance an online credit transfer or an online credit card payment, strong customer authentication is to be extended to include a dynamic link to the recipient and amount. This can best be explained with an example. When sending a TAN via SMS, the user must be informed of the amount and recipient for which this TAN is valid; if any of the payment details change, the TAN becomes invalid. iTAN lists, which are still used in some cases, no longer fulfil this requirement as the TANs in these lists can be used for any payment. Furthermore, it is easy to copy these lists. There is a risk of fraudsters gaining hold of these TANs and using them for payments for their own benefit."
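The dynamic link described above (a TAN that is bound to one amount and one recipient and becomes invalid if either changes) can be modelled on the bank's side as a MAC over the payment details. The following Python is an added, constructed example and not code from BaFin or any payment service provider; the session key, the 16-byte one-time challenge, the six-digit truncation, the sample IBAN and the `PaymentApprover` class are all assumptions made for illustration. It shows why an iTAN list cannot meet the requirement: a TAN that is not derived from the amount and recipient verifies for any payment, whereas this one verifies only for the payment it was issued for, and only once.

```python
import hashlib
import hmac
import secrets
from decimal import Decimal

# Constructed example of "dynamic linking": the TAN is derived from a
# per-session secret, a one-time challenge, the amount and the recipient.
# Any change to amount or recipient yields a different TAN, and the bank
# accepts each challenge exactly once. This is an illustrative model, not
# the scheme of any real bank.


def canonical_payment(amount: str, recipient_iban: str) -> bytes:
    """Normalise the payment details so that formatting differences
    (spaces in the IBAN, "100" vs "100.00") do not change the TAN, while
    any change in the actual amount or recipient does."""
    amt = Decimal(amount).quantize(Decimal("0.01"))
    iban = recipient_iban.replace(" ", "").upper()
    return f"{amt}|{iban}".encode()


def derive_tan(session_key: bytes, challenge: bytes, amount: str,
               recipient_iban: str, digits: int = 6) -> str:
    """HMAC-SHA256 over (challenge, amount, recipient), truncated to a
    short numeric code of the kind a user could read from an SMS."""
    msg = challenge + b"|" + canonical_payment(amount, recipient_iban)
    mac = hmac.new(session_key, msg, hashlib.sha256).digest()
    code = int.from_bytes(mac[:4], "big") % (10 ** digits)
    return f"{code:0{digits}d}"


class PaymentApprover:
    """Bank-side state for one authenticated session (assumed class name).
    It issues one challenge per payment and verifies the presented TAN
    against the details of the payment actually being submitted."""

    def __init__(self, session_key: bytes):
        self._key = session_key
        self._pending: set[bytes] = set()  # challenges not yet consumed

    def issue_challenge(self, amount: str, recipient_iban: str) -> tuple[bytes, str]:
        """Start approval of a payment. Returns the challenge the client
        must echo back and the TAN that would be delivered over the second
        factor (e.g. by SMS) together with the amount and recipient."""
        challenge = secrets.token_bytes(16)
        self._pending.add(challenge)
        return challenge, derive_tan(self._key, challenge, amount, recipient_iban)

    def approve(self, challenge: bytes, amount: str, recipient_iban: str,
                presented_tan: str) -> bool:
        """Accept the payment only if the TAN matches the submitted
        details and the challenge has not been used before."""
        if challenge not in self._pending:
            return False  # unknown, expired or already-used challenge
        expected = derive_tan(self._key, challenge, amount, recipient_iban)
        ok = hmac.compare_digest(expected, presented_tan)
        if ok:
            self._pending.discard(challenge)  # one-time use
        return ok


if __name__ == "__main__":
    # Constructed sample: DE89 3704 0044 0532 0130 00 is a commonly cited example IBAN.
    bank = PaymentApprover(secrets.token_bytes(32))
    ch, tan = bank.issue_challenge("250.00", "DE89 3704 0044 0532 0130 00")
    print("TAN shown to user:", tan)
    print("tampered amount accepted?", bank.approve(ch, "2500.00", "DE89370400440532013000", tan))
    print("tampered recipient accepted?", bank.approve(ch, "250.00", "DE02120300000000202051", tan))
    print("original payment accepted?", bank.approve(ch, "250.00", "DE89370400440532013000", tan))
    print("replay accepted?", bank.approve(ch, "250.00", "DE89370400440532013000", tan))
```

The verification is done against the details of the payment as received by the bank, not against what the client claims was shown to the user, so a TAN captured from the SMS is useless for a payment with a different amount or recipient and cannot be replayed for the same one.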
For security reasons, payment service providers must terminate a customer’s online access to their payment account at the latest five minutes after customer authentication if there is no customer activity. This measure is in place to prevent an unauthorised third party gaining access to the account because, for instance, the customer has forgotten to log off.
The PSD2 imposes several requirements on providers of payment initiation and account information services in order to protect customers' privacy. These providers are also subject to the general data protection requirements.
A payment initiation service provider may only provide a beneficiary with information about you if you have given your express permission. It is not permitted to save sensitive payment data (e.g. data that could be misused for fraudulent purposes; name of the account holder and account number are not deemed sensitive payment data). Neither may such a provider request more information from you than is absolutely necessary for it to render its services. A payment initiation service provider may not access your data, use them or save them for any purpose other than the specific service for which you have given your permission.
An account information service provider may only access the account or accounts that you have specified, and only with your express permission. It may not request sensitive payment data (e.g. data that could be misused for fraudulent purposes; name of the account holder and account number are not deemed sensitive payment data). It may not access, use or save your data for any purpose other than the specific service for which you have given your permission.