# Payment Compliance: GDPR and PSD2 Obligations for SaaS

> Understand how GDPR and PSD2 affect your SaaS payment flows. Covers data handling obligations, Strong Customer Authentication, and how a merchant of record simplifies compliance.
- **Author**: Ayush Agarwal
- **Published**: 2026-04-15
- **Category**: Compliance
- **URL**: https://dodopayments.com/blogs/payment-compliance-gdpr-psd2

---

If you sell to European customers, two regulations shape how you handle payments: GDPR and PSD2. GDPR governs how you collect, store, and process personal data - including payment data. PSD2 mandates Strong Customer Authentication for online payments in the European Economic Area.

Both carry significant penalties for non-compliance. GDPR fines can reach 4% of annual global turnover. PSD2 non-compliance means declined transactions and potential regulatory action.

For SaaS companies selling globally, understanding these regulations is not optional. This guide covers what you need to know and how to comply without building a legal department.

## GDPR and Payment Data

The General Data Protection Regulation treats payment information as personal data. Card numbers, billing addresses, transaction histories, and even payment behavior patterns all fall under GDPR protection.

### What GDPR Requires for Payment Data

- **Lawful basis for processing**: You need a legal justification for collecting payment data (contract fulfillment for purchases, legitimate interest for fraud prevention)
- **Data minimization**: Collect only the payment data you actually need
- **Purpose limitation**: Use payment data only for the stated purpose (processing the payment, not unrelated marketing)
- **Storage limitation**: Do not retain payment data longer than necessary
- **Right to erasure**: Customers can request deletion of their payment data (subject to legal retention requirements)
- **Data breach notification**: Report payment data breaches to authorities within 72 hours
- **Data Protection Impact Assessment**: Required for high-risk processing activities

```mermaid
flowchart TD
    A[Customer Makes Payment] --> B{What data do you collect?}
    B -->|"Card number, CVV"| C[High sensitivity - minimize storage]
    B -->|"Billing address, email"| D[Personal data - GDPR applies]
    B -->|"Transaction history"| E[Personal data - retention limits]
    C --> F[Use tokenization - never store raw card data]
    D --> G[Document lawful basis for processing]
    E --> H[Define retention period and auto-delete]
```

### Practical GDPR Compliance for Payments

**Use tokenization**: Never store raw card numbers. Use tokens from your payment provider. Tokens are not personal data under GDPR because they cannot identify an individual without the provider's decryption key.

**Minimize data collection**: Only collect what you need for the transaction. Do not store CVV codes. Do not retain full card numbers.

**Document your processing**: Maintain a Record of Processing Activities (ROPA) that includes payment data processing.

**Update your privacy policy**: Clearly describe what payment data you collect, why, how long you keep it, and who you share it with (payment processors, [merchant of record](https://dodopayments.com/blogs/what-is-a-merchant-of-record), etc.).
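The minimization and retention rules above can be enforced in code at the point where a payment record is written, so that raw card data cannot reach your own storage by accident. The guard below is an added example, not Dodo Payments code: it refuses records that carry a CVV field or anything that looks like a raw card number (a 13-19 digit window passing the Luhn check), keeps only an allow-listed set of fields, and stamps each record with a retention deadline so expired records can be purged mechanically. The field names, the `tok_` token format and the 7-year retention window are assumptions.

```python
"""Data-minimization guard for payment records.

Added example, not Dodo Payments code: it enforces the rules in the text
(no CVV, no raw card numbers, only allow-listed fields, a retention
deadline set at write time) before a record is persisted.  Field names and
the 7-year retention window are assumptions.
"""
import re
from datetime import datetime, timedelta

# Fields the application legitimately needs once the provider has
# tokenized the card (assumed schema).
ALLOWED_FIELDS = {
    "payment_token", "card_last4", "card_brand", "amount", "currency",
    "customer_email", "billing_country", "created_at",
}
# Fields that must never reach your own storage.
FORBIDDEN_FIELDS = {"cvv", "cvc", "cvv2", "card_number", "pan", "track_data"}
RETENTION = timedelta(days=7 * 365)  # assumed accounting-retention period


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def contains_raw_pan(text: str) -> bool:
    """True if any 13-19 digit window (spaces/hyphens ignored) passes Luhn.

    Deliberately aggressive: a long numeric id has roughly a 10% chance of
    tripping it, which is the safer failure mode for a storage guard.
    """
    for run in re.findall(r"[\d -]+", text):
        digits = re.sub(r"\D", "", run)
        for length in range(13, 20):
            for start in range(len(digits) - length + 1):
                if luhn_valid(digits[start:start + length]):
                    return True
    return False


def sanitize_payment_record(raw: dict) -> dict:
    """Return the minimized record to persist, or raise ValueError.

    Raising (rather than silently dropping) makes a caller that passes raw
    card data fail loudly in tests and staging.
    """
    forbidden = {k for k in raw if k.lower() in FORBIDDEN_FIELDS}
    if forbidden:
        raise ValueError(f"refusing to store forbidden fields: {sorted(forbidden)}")
    for key, value in raw.items():
        if isinstance(value, str) and contains_raw_pan(value):
            raise ValueError(f"field {key!r} appears to contain a raw card number")
    record = {k: v for k, v in raw.items() if k in ALLOWED_FIELDS}
    missing = {"payment_token", "created_at"} - record.keys()
    if missing:
        raise ValueError(f"record is missing required fields: {sorted(missing)}")
    if "card_last4" in record and not re.fullmatch(r"\d{4}", str(record["card_last4"])):
        raise ValueError("card_last4 must be exactly four digits")
    created = datetime.fromisoformat(record["created_at"])
    record["retention_until"] = (created + RETENTION).isoformat()
    return record


def is_rejected(raw: dict) -> bool:
    """True if sanitize_payment_record would refuse the record."""
    try:
        sanitize_payment_record(raw)
    except ValueError:
        return True
    return False


def purge_expired(records: list, now_iso: str) -> tuple:
    """Split stored records into (keep, delete) by their retention_until."""
    now = datetime.fromisoformat(now_iso)
    keep, delete = [], []
    for rec in records:
        expired = datetime.fromisoformat(rec["retention_until"]) <= now
        (delete if expired else keep).append(rec)
    return keep, delete
```

Run `purge_expired` from a scheduled job and log the count of deleted records; that log entry, together with the allow-list above, is the evidence your ROPA can point to for storage limitation. The Luhn scan is intentionally biased toward false positives, so treat a rejection as a signal to inspect the caller rather than to relax the rule.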

> The simplest GDPR strategy for payment data is to not hold it. When a merchant of record processes the payment, they are the data controller for card information. Your application only receives tokens and transaction confirmations - data that carries minimal GDPR risk.
>
> - Ayush Agarwal, Co-founder & CPTO at Dodo Payments

## PSD2 and Strong Customer Authentication

The Payment Services Directive 2 (PSD2) is an EU regulation that, among other things, mandates Strong Customer Authentication (SCA) for online payments.

### What Is Strong Customer Authentication?

SCA requires that online payments be authenticated using at least two of three factors:

- **Something the customer knows**: Password, PIN
- **Something the customer has**: Phone, hardware token
- **Something the customer is**: Fingerprint, face recognition

In practice, this usually means [3D Secure 2 (3DS2)](https://dodopayments.com/blogs/3d-secure-3ds-payment-authentication) authentication, where the customer's bank sends a push notification or SMS code to verify the transaction.

### When SCA Applies

SCA is required for:

- Customer-initiated online payments within the EEA
- Adding a card to a digital wallet
- First payment of a new subscription

### SCA Exemptions

Not every transaction requires SCA. Common exemptions:

| Exemption                       | Condition                                               |
| ------------------------------- | ------------------------------------------------------- |
| Low-value transactions          | Under 30 EUR                                            |
| Recurring payments              | After the first authenticated payment                   |
| Trusted beneficiaries           | Customer has whitelisted you                            |
| Low-risk transactions           | Transaction Risk Analysis (TRA) by the payment provider |
| Merchant-initiated transactions | Subscription renewals, usage-based charges              |

For [subscription businesses](https://dodopayments.com/blogs/subscription-pricing-models), SCA applies to the first payment. Subsequent renewals are merchant-initiated and exempt, as long as the initial payment was authenticated.
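The scope rules, the exemption table above and the re-authentication triggers from the FAQ (card reissued, amount changed significantly) can be collapsed into one decision function that is easy to unit-test and to review. This is an added example, not Dodo Payments code: the EEA country set, the field names, the `tok_`-style inputs and the conservative choice to re-authenticate on any change to an authenticated mandate are assumptions.

```python
"""Decision helper for PSD2 Strong Customer Authentication (SCA).

Added illustration, not Dodo Payments code.  It encodes the scope rules
and exemptions from the text as a single function so they can be tested;
the EEA country set and the field names are assumptions.
"""
from dataclasses import dataclass
from decimal import Decimal

# Assumed EEA membership set (EU-27 plus Iceland, Liechtenstein, Norway).
EEA_COUNTRIES = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "IS", "LI", "NO",
}
LOW_VALUE_LIMIT = Decimal("30.00")  # low-value exemption threshold, in EUR


@dataclass
class Transaction:
    amount: Decimal
    currency: str
    customer_country: str                  # ISO 3166-1 alpha-2
    initiator: str = "customer"            # "customer" or "merchant"
    first_subscription_payment: bool = False
    adds_card_to_wallet: bool = False
    mandate_authenticated: bool = False    # initial payment passed SCA
    card_reissued_since_mandate: bool = False
    amount_changed_significantly: bool = False
    trusted_beneficiary: bool = False      # customer whitelisted the merchant
    provider_tra_low_risk: bool = False    # provider's TRA flagged it low-risk


def sca_decision(txn: Transaction) -> str:
    """Return "out_of_scope", "sca_required" or "exempt:<reason>".

    Order matters: scope first, then the events that always need
    authentication, then merchant-initiated handling, then the exemptions
    a customer-initiated payment can claim.
    """
    if txn.initiator not in ("customer", "merchant"):
        raise ValueError(f"unknown initiator {txn.initiator!r}")

    # 1. SCA only reaches online payments within the EEA.
    if txn.customer_country.upper() not in EEA_COUNTRIES:
        return "out_of_scope"

    # 2. Events the text lists as always requiring SCA.
    if txn.adds_card_to_wallet or txn.first_subscription_payment:
        return "sca_required"

    # 3. Merchant-initiated charges (renewals, usage-based billing) rely on
    #    the authentication of the initial payment.  A reissued card or a
    #    significant amount change is treated conservatively (assumption)
    #    and sent back through authentication.
    if txn.initiator == "merchant":
        if (txn.mandate_authenticated
                and not txn.card_reissued_since_mandate
                and not txn.amount_changed_significantly):
            return "exempt:merchant_initiated"
        return "sca_required"

    # 4. Customer-initiated payment: claim the first applicable exemption.
    if txn.trusted_beneficiary:
        return "exempt:trusted_beneficiary"
    if txn.currency.upper() == "EUR" and txn.amount < LOW_VALUE_LIMIT:
        return "exempt:low_value"  # non-EUR amounts are not converted here
    if txn.provider_tra_low_risk:
        return "exempt:transaction_risk_analysis"
    return "sca_required"


def decide(amount: str, currency: str, country: str, **flags) -> str:
    """Convenience wrapper: build a Transaction from a string amount."""
    return sca_decision(Transaction(Decimal(amount), currency, country, **flags))
```

The return value is what the merchant side requests, not the final word: the issuing bank makes the actual decision and can still challenge an exempted transaction, so the caller must be able to fall back to a 3DS2 challenge when the issuer soft-declines. The issuer also keeps its own counters for the low-value exemption (cumulative amount and consecutive transactions since the last authentication), which this helper does not model.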

### SCA Impact on Conversion

SCA adds friction to checkout. The authentication step (opening a banking app, entering a code) causes drop-off. Studies show SCA reduces conversion by 5-15% for transactions where authentication is required.

To minimize impact:

- Use 3DS2 (smoother experience than 3DS1)
- Apply for exemptions where eligible
- Optimize your [checkout flow](https://dodopayments.com/blogs/checkout-optimization) to reduce other friction points
- Use a payment provider that handles exemption requests automatically

## How MoR Simplifies Compliance

A [merchant of record](https://dodopayments.com/blogs/merchant-of-record-for-saas) dramatically simplifies both GDPR and PSD2 compliance:

### GDPR

- The MoR is the data controller for payment data, not you
- Card data stays in the MoR's PCI-compliant infrastructure
- You receive only tokens and transaction confirmations
- The MoR handles data subject requests related to payment data
- The MoR maintains their own ROPA and DPIAs for payment processing

### PSD2/SCA

- The MoR implements 3DS2 and handles the authentication flow
- The MoR applies for SCA exemptions automatically
- The MoR manages recurring payment authentication
- You do not need to build or maintain SCA flows

[Dodo Payments](https://dodopayments.com) handles both GDPR-compliant data processing and PSD2/SCA authentication as part of the [merchant of record service](https://dodopayments.com/blogs/best-merchant-of-record-platforms).

## Beyond GDPR and PSD2: Other Payment Regulations

If you sell globally, other regulations apply:

- **[EU Digital Services Tax](https://dodopayments.com/blogs/eu-digital-services-tax)**: Tax obligations for digital services sold to EU consumers
- **RBI regulations (India)**: Restrictions on storing card data, requirements for [UPI](https://dodopayments.com/blogs/upi-payments-global-business) and domestic processing
- **PCI DSS**: Global standard for card data security (see our [PCI compliance checklist](https://dodopayments.com/blogs/pci-compliance-checklist-saas))
- **CCPA (California)**: Similar to GDPR for California residents
- **LGPD (Brazil)**: Brazil's data protection law affecting payment data

A merchant of record operating in [220+ countries](https://dodopayments.com/blogs/global-billing) manages compliance with local regulations in each market, saving you from tracking regulatory changes across dozens of jurisdictions.

## Compliance Checklist for SaaS Companies

### GDPR Payment Compliance

- [ ] Document lawful basis for processing payment data
- [ ] Implement data minimization (tokenize, do not store raw card data)
- [ ] Define and enforce data retention periods for payment records
- [ ] Include payment data processing in your privacy policy
- [ ] Ensure payment processors have adequate Data Processing Agreements
- [ ] Implement breach notification procedures for payment data
- [ ] Process data subject access and erasure requests for payment data
- [ ] Maintain Record of Processing Activities including payment flows

### PSD2/SCA Compliance

- [ ] Implement 3DS2 for EEA customer transactions
- [ ] Apply SCA exemptions where eligible to reduce checkout friction
- [ ] Authenticate first subscription payment, use merchant-initiated for renewals
- [ ] Test SCA flows with European test cards
- [ ] Monitor SCA-related decline rates and optimize

For related compliance topics, see our guides on [merchant of record legal compliance](https://dodopayments.com/blogs/merchant-of-record-legal-compliance), [e-commerce sales tax](https://dodopayments.com/blogs/ecommerce-sales-tax-compliance), and [cross-border tax challenges](https://dodopayments.com/blogs/top-sales-tax-challenges-for-cross-border-businesses).

## FAQ

### Does GDPR apply to payment data from non-EU customers?

GDPR applies when you process data of individuals in the EU/EEA, regardless of where your business is located. If you sell to EU customers, GDPR applies to their payment data. For non-EU customers, GDPR does not apply, but other privacy laws (CCPA, LGPD, etc.) may.

### Do I need a Data Processing Agreement with my payment provider?

Yes. Under GDPR, if your payment provider processes personal data on your behalf (as a data processor), you need a DPA in place. Most providers include this in their terms of service. If you use a merchant of record, they are typically the data controller for payment data, which changes the legal relationship, but you should still verify this with the provider.

### How does PSD2 affect subscription billing?

PSD2 requires SCA for the first payment of a subscription. Subsequent recurring charges are considered merchant-initiated transactions and are exempt from SCA as long as the initial payment was properly authenticated. If a card is reissued or the subscription amount changes significantly, re-authentication may be required.

### Can I store transaction history under GDPR?

Yes, with limitations. You have a lawful basis (legal obligation for tax and accounting records) to retain transaction records for the period required by tax law (typically 5-7 years). However, you should not retain more detail than necessary and should delete records when the retention period expires.

### What happens if I do not implement SCA for EU payments?

The customer's bank will decline the transaction. SCA is enforced by issuing banks, so non-compliant transactions are simply rejected. This leads to higher decline rates for EU customers, directly impacting your revenue from one of the largest digital markets.

## Final Thoughts

GDPR and PSD2 compliance is non-negotiable for SaaS companies selling to Europe. The simplest path is to use a merchant of record that handles payment data processing, SCA authentication, and regulatory compliance across all markets.

For payment infrastructure that includes GDPR-compliant processing, PSD2/SCA, and global tax compliance, visit [Dodo Payments](https://dodopayments.com) and check the [pricing](https://dodopayments.com/pricing).