Payment Services Regulations 2017 (PSD2)

The Payment Services Regulations 2017 protect you if you're the victim of card fraud. They place legal requirements on your bank and establish your rights to a refund.
Which? Editorial team

The Payment Services Regulations

The Payment Services Regulations 2017 (the 'Regulations') replaced the Payment Services Regulations 2009 and set out the rules relating to all 'payment services', including the services provided by banks, building societies and debit card providers.

The Regulations bring the European payments law, known as the second Payment Services Directive - or PSD2 - into UK law.

The Regulations also outline what consumers can expect their bank to do if there has been unauthorised use of their account details or their debit cards. 

The principles in the Regulations set out the rules that all service providers (including banks, building societies and card providers) must follow.

Key Information

What do the Payment Services Regulations 2017 allow me to claim?

The Payment Services Regulations 2017 set out what payment service providers must do if there has been unauthorised or fraudulent activity on your account.

Subject to the exceptions noted in this guide, you should be able to get your money back as long as your provider can't prove that you hadn't taken reasonable steps to keep your card or account information secure. 

Lost or stolen debit card

If your debit card is lost or stolen and then used to buy something, and you report the unauthorised transactions without undue delay, your debit card provider should refund you immediately. 

However, this is subject to the following exceptions:

  • If your debit card provider can show that you failed to take reasonable steps to protect your security features (e.g. your PIN), then it can make a £50 deduction from any refund it pays to you.
  • If your debit card provider can show that you acted fraudulently, it can refuse to give you a refund.
  • If it can show you were grossly negligent in not taking reasonable care of your card's security features (e.g. your PIN), your card provider would have grounds to refuse to refund any of the sum disputed - except where the card or card details were used to make a distance contract under the Consumer Contracts Regulations (e.g. online or on the phone).

However, your debit card provider can't make any deduction or refuse to refund you if the disputed transaction was made after you had reported the card lost or stolen. 

If the unauthorised payment(s) caused you to incur interest or any other charges (such as an overdraft fee, for example), your debit card provider must also refund those charges so that you are in the position you would have been in if the unauthorised payment had not taken place.

Credit cards

These provisions don't apply to credit cards as the Consumer Credit Act 1974 already sets out rules that apply to credit cards.

The Consumer Credit Act says that if your credit card is lost or stolen and used without your consent, the most you should be responsible for is the first £50 of any unauthorised transactions made before you reported the card missing. 

Unauthorised debit transactions

The Regulations can also help if there is a transaction on your debit account that you didn't authorise.

For example, if your debit card has not been lost or stolen and someone else uses the card details to buy something (for example if a card is cloned, your account data is lost in a data breach, or someone uses details you gave to a retailer when buying an item over the phone or online), then the Regulations mean you should be refunded in full as long as you report the unauthorised transaction promptly.

The Regulations treat unauthorised card usage the same as they do lost or stolen cards. As outlined above, if your provider can show that you hadn't taken reasonable steps to protect the security of your card (i.e. your PIN or online security details) you could be liable for the first £35 of any loss you incur. 

And if your provider can show that you acted fraudulently, you won't be entitled to any refund. 

As with lost or stolen cards, if you were grossly negligent, then the service provider can refuse to credit any money back to you - except where your card or account details were used to enter into a distance contract under the Consumer Contracts Regulations.

Card payment surcharges banned

Retailers and traders are no longer allowed to charge you a surcharge for using your credit or debit card when making a purchase. See our guide to complain about an excessive surcharge for more information.

Increased security 

The Regulations require stronger customer authentication to reduce the risk of fraud.

This means that to access your data or accounts, you'll have to take two or more independent actions to log in. This could include:

  • Knowledge – something only you know (password, PIN, etc.)
  • Possession – something only you possess (card or other material)
  • Inherence – something you are (fingerprint, voice or facial recognition)
  • For remote transactions - internet, mobile - a unique authentication code will dynamically link transactions to the respective amount and payee
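
The dynamic linking described in the last bullet, as an added example that is not part of the original guide: the authentication code is an HMAC over the amount and payee, so a code approved for one payment fails if either is altered, and a per-payment nonce makes it single-use. The shared key, field layout, 8-digit truncation and all names are assumptions for illustration, not a scheme the Regulations or any particular bank prescribe.

```python
import hashlib
import hmac


def canonical_fields(amount_pence, currency, payee, nonce):
    """Length-prefix each field so 'ab'+'c' and 'a'+'bc' cannot collide."""
    out = b""
    for field in (str(amount_pence), currency, payee, nonce):
        raw = field.encode("utf-8")
        out += len(raw).to_bytes(2, "big") + raw
    return out


def auth_code(key, amount_pence, currency, payee, nonce, digits=8):
    """Code the customer's device produces after showing amount and payee."""
    message = canonical_fields(amount_pence, currency, payee, nonce)
    mac = hmac.new(key, message, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10 ** digits).zfill(digits)


class PaymentVerifier:
    """Bank side: accept a code once, only for the payment it was issued for."""

    def __init__(self, key):
        self._key = key
        self._used_nonces = set()

    def verify(self, code, amount_pence, currency, payee, nonce):
        if nonce in self._used_nonces:
            return False  # replay of a code that was already accepted
        expected = auth_code(self._key, amount_pence, currency, payee, nonce)
        if not hmac.compare_digest(expected, code):
            return False  # amount or payee differs from what was approved
        self._used_nonces.add(nonce)
        return True


if __name__ == "__main__":
    # Constructed sample values, not real account data.
    key = b"constructed-demo-key-0123456789ab"
    bank = PaymentVerifier(key)
    code = auth_code(key, 12500, "GBP", "GB00EXAMPLE0001", "n-001")
    print("altered amount:", bank.verify(code, 125000, "GBP", "GB00EXAMPLE0001", "n-001"))
    print("altered payee: ", bank.verify(code, 12500, "GBP", "GB00OTHER0000002", "n-001"))
    print("as approved:   ", bank.verify(code, 12500, "GBP", "GB00EXAMPLE0001", "n-001"))
    print("replayed:      ", bank.verify(code, 12500, "GBP", "GB00EXAMPLE0001", "n-001"))
```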