A PISP will be able to initiate payments on behalf of a customer from the customer's account with a bank (the ASPSP).
For example, someone making a purchase online can initiate a credit transfer via a PISP instead of using a debit or credit card. When customers choose this option, they agree to share their bank credentials with the PISP. The PISP then initiates a payment for the customer and the ASPSP will then execute the payment and debit the customer's account.
Under PSD2, a PISP must:
- Have a PISP licence in their home country, and get passporting rights to operate in other European host countries.
- Not hold the payer's funds at any time, but only initiate payments in connection with the provision of the payment initiation service.
- Ensure that the personalised security credentials of the customer are not accessible to any other parties, and that they are transmitted by the PISP through safe and efficient channels.
- Ensure that any other information about the customer, obtained when providing payment initiation service, is only provided to the payee and only with the customer's explicit consent.
- Ensure that every time a payment is initiated, communications between all parties are conducted in a secure way.
- Not store sensitive payment data of the customer. Not request from the customer any data other than that which is necessary to provide the payment initiation service.
- Not use, access or store any data for purposes other than for the provision of the payment initiation service as explicitly requested by the payer.
- Not modify the amount, the recipient or any other feature of the transaction.
Every time a payment is initiated, communications between all parties must be conducted in a secure way.