Back to Blog
testimonials
procurement
psd2
payment-services-directive
open-banking

Testimonial from Customer Procurement Supplier PSD2 Payment Services Directive Attestation Conversation — How to Convert the Procurement-Led PSD2 Strong-Customer-Authentication-and-Open-Banking-API Attestation Readout Into the Quote Package That Closes Prospects Whose Vendor Selection Requires PSD2-Verified Payment-Services-Provider Evidence

ProofShow Team··14 min read

A procurement PSD2 Payment Services Directive attestation conversation is the structured customer reflection produced after the customer's procurement organization has completed the PSD2-attestation cycle in which the vendor's PSD2 strong-customer-authentication-and-open-banking-API posture under Directive (EU) 2015/2366 and Commission Delegated Regulation (EU) 2018/389 was evaluated, validated, and confirmed against the customer's payment-services-provider governance — the payment-services-provider-classification-against-Article-4-and-Annex-I mapping, the strong-customer-authentication-against-Article-97-and-RTS-Article-4-and-Article-5 review, the dynamic-linking-against-RTS-Article-5 evaluation, the transaction-risk-analysis-exemption-against-RTS-Article-18 analysis, the open-banking-API-access-against-Article-66-and-Article-67 review, the third-party-provider-TPP-onboarding-and-eIDAS-QWAC-and-QSealC review, the account-information-service-AIS-and-payment-initiation-service-PIS interface evaluation, the fallback-mechanism-and-contingency-against-RTS-Article-33 analysis, the incident-reporting-against-EBA-Guidelines-on-major-incident-reporting, and the per-vendor PSD2-compliance-posture definition that the customer's procurement organization applies on each major PSD2-attestation cycle. The procurement sponsor — typically the procurement-compliance-officer or the third-party-risk-and-payment-services-program owner who led the PSD2 attestation and consolidated the payment-services-provider-posture conclusions with the payment-services-and-procurement-leadership stakeholders — articulates how the vendor's PSD2 posture was evaluated against the customer's payment-services-provider rubric, what PSD2-evaluation frictions surfaced, how the vendor's SCA-and-open-banking-API-and-TPP-interface posture was confirmed against the customer's PSD2-attestation criteria, and what the PSD2-attestation outcomes imply for the vendor's positioning against the PSD2-verified-payment-services-provider-evaluation rubrics that the customer's procurement organization and the prospect's analogous procurement organizations apply on a strategic-supplier-engagement basis.

The procurement PSD2 attestation conversation is the structurally unique moment in the customer relationship at which the customer is producing PSD2-verified payment-services-provider evidence grounded in the customer's actual PSD2-attestation governance rather than in vendor-asserted payment-compliance claims. The prospect whose vendor selection requires PSD2-verified payment-services-provider evidence — the prospect whose procurement organization requires PSD2-attestation validation before approving payment-services-provider supplier engagements, the prospect whose EU-payment-services-and-open-banking obligations require PSD2-grade attestation evidence to justify vendor selection within the prospect's own payment-services-and-procurement framework, the prospect whose payment-services-leadership review requires documented PSD2-posture grounded in customer-validated evidence rather than vendor-produced compliance-narrative content — requires PSD2-attestation-cycle-tested evidence grounded in a customer PSD2-attestation-cycle rather than vendor-produced PSD2-claim content to advance the vendor through the prospect's own EU-payment-services-procurement gate. The procurement PSD2 attestation testimonial is the highest-fidelity source for this evidence the customer's vendor relationship produces.

This is the playbook for the procurement PSD2 attestation testimonial — when to schedule the testimonial-extraction conversation relative to the PSD2-attestation-cycle completion, the question sequence that converts the readout's PSD2-attestation-tested content into a structured PSD2-verified-payment-services-provider-evidence quote package, the editorial protocol that preserves the PSD2-attestation specificity while making the content deployable across prospect contexts whose own PSD2-attestation rubrics differ from the customer's, and the deployment strategy that turns the testimonial into a PSD2-verified-payment-services-validation evidence vehicle for prospects whose vendor selection requires the specific PSD2-attestation-tested content the readout produces.

Why the procurement PSD2 attestation testimonial is structurally different from the standard payment-compliance testimonial

Most payment-compliance-themed testimonials are extracted from generic-PCI-DSS-or-card-network-compliance contexts in which the customer's reflection on the vendor's payment-compliance posture was captured against the vendor's own PCI-DSS-or-card-brand-narrative frame rather than against the customer's PSD2-specific payment-services-provider frame. The standard payment-compliance testimonial captures the customer's positive characterization of the vendor's card-data-handling maturity but typically does not capture the PSD2-attestation-cycle-tested evidence the PSD2-verified-EU-payment-gated prospect's defense requirement specifically demands. These PCI-DSS-or-card-brand-narrative-grounded testimonials are valuable for general-payment-compliance-positioning purposes but operate in a structurally different mode from the procurement PSD2 attestation readout testimonial, and the PSD2-verified-EU-payment-gated prospect's evaluation often specifically requires the PSD2-attestation-cycle-tested content the PSD2-attestation readout produces.

Three structural properties make the procurement PSD2 attestation readout testimonial uniquely valuable for the PSD2-verified-EU-payment-gated prospect evaluation use case compared to standard payment-compliance testimonials.

First, the customer at the PSD2-attestation completion is operating against the PSD2-specific-directive-grounded vendor-evaluation observation register rather than against the generic-payment-compliance-narrative-grounded vendor-evaluation observation register. The PSD2-specific-rubric register produces content that addresses the dimensions the PSD2-verified-EU-payment-gated prospect's evaluation requires — the Article-4-and-Annex-I payment-services-provider-classification outcomes, the Article-97-and-RTS-Article-4-and-Article-5 strong-customer-authentication findings, the RTS-Article-5 dynamic-linking evaluation results, the RTS-Article-18 transaction-risk-analysis-exemption analysis, the Article-66-and-Article-67 open-banking-API-access review, the eIDAS-QWAC-and-QSealC third-party-provider-TPP-onboarding findings, the account-information-service-AIS-and-payment-initiation-service-PIS interface evaluation, the RTS-Article-33 fallback-mechanism-and-contingency analysis, the EBA-Guidelines-on-major-incident-reporting incident-reporting findings, and the per-vendor PSD2-compliance-posture conclusion. The generic-payment-compliance-narrative register addresses the customer's positive characterization of the vendor's card-data-handling maturity but does not produce the PSD2-regulatory-rubric-tested content the PSD2-verified-EU-payment-gated prospect's own evaluation will apply to the vendor's payment-services-provider posture.

Second, the customer at the PSD2-attestation completion has produced positions that have been validated against the customer's procurement-organization PSD2-attestation rubric rather than against the customer's user-organization payment-compliance-perception alone. The procurement-PSD2-rubric-validation property carries PSD2-attestation-credibility weight that user-payment-compliance-perception-validation does not — the prospect's payment-services-and-procurement organization can rely on the PSD2-attestation-validated positions as evidence that the customer's PSD2-posture has been tested against formal PSD2-regulatory-attestation criteria rather than relying on user-payment-compliance-perception claims that may not have been exposed to formal-PSD2-attestation scrutiny. The validation asymmetry means that standard payment-compliance testimonials, however user-grounded, do not substitute for PSD2-attestation-rubric-validated readouts in the PSD2-verified-EU-payment-gated evaluation context where PSD2-grade payment-services-provider evidence is decisive.

Third, the customer at the PSD2-attestation completion has formed an explicit account of which vendor-property dimensions produced the PSD2-attestation-cycle's compliance outcomes against the customer's PSD2-regulatory rubric. The vendor-property-dimension attribution is uniquely valuable for the PSD2-verified-EU-payment-gated evaluation because it isolates the dimensions the prospect's own PSD2-attestation cycle is likely to apply to the vendor evaluation and supports the prospect's preparation against the same PSD2-regulatory-scrutiny dimensions the customer's payment-services-and-procurement team applied. The PSD2-verified-EU-payment-gated prospect's evaluation requires this transparency to project the vendor's behavior under the prospect's own PSD2-attestation scrutiny, and the PSD2-attestation readout testimonial is the highest-fidelity source for the vendor-property-dimension-attribution content the evaluation requires.

For related coverage of EU-payment-services-and-open-banking-attestation testimonial extraction, see procurement supplier DORA digital operational resilience attestation conversation, procurement supplier GDPR data processor attestation conversation, procurement supplier PCI DSS attestation conversation, and procurement supplier EU AI Act attestation testimonial playbook.

Scheduling the procurement PSD2 attestation testimonial-extraction conversation

The procurement PSD2 attestation testimonial-extraction conversation must be scheduled in the window between the PSD2-attestation ratification and the cycle's natural regulatory-watch attenuation. The window opens when the customer has settled the PSD2-attestation through the payment-services-and-procurement-leadership ratification phase and closes when subsequent EBA-RTS-update activities or PSD3-and-PSR-transition activities have begun to overlay the original attestation analytical state and dilute the attestation-cycle-specific recall. The optimal scheduling window is typically three to eight weeks after the PSD2-attestation concludes.

Scheduling earlier — during the PSD2-attestation itself or in the weeks immediately following ratification — produces incomplete content because the customer's positions have not yet stabilized against the cycle's post-ratification outcomes. The post-ratification phase may produce follow-up SCA-exemption discussions, fallback-mechanism-and-contingency discussions, or open-banking-API-performance refinements that revise initial PSD2-posture assessments, and a testimonial extracted before stabilization risks containing positions the customer will not stand behind in subsequent payment-services-leadership reviews. The earliest scheduling threshold is the customer's confirmation that the PSD2-attestation has formally concluded with payment-services-and-procurement-leadership ratification and the post-ratification activities have reached the steady-state phase.

Scheduling later — beyond the eight-week window — produces diluted content because subsequent EBA-RTS-update activities or PSD3-and-PSR-transition activities have overlaid the attestation analytical state and the customer's recall of attestation-cycle-specific reasoning has begun to attenuate. The customer may produce general characterizations of the vendor's PSD2-posture rather than the specific cycle-grounded PSD2-attestation content the testimonial's evidentiary value depends on. The latest scheduling threshold is the point at which the customer's recall begins producing PSD2-summary characterizations rather than specific cycle-grounded PSD2-regulatory-attestation observations.

The scheduling-window principle: schedule the procurement PSD2 attestation testimonial extraction in the three-to-eight-week window after the PSD2-attestation has formally concluded with payment-services-and-procurement-leadership ratification, when the customer's positions have stabilized but the attestation-cycle-specific regulatory-evaluation recall remains specific and rubric-grounded.

The question sequence

The procurement PSD2 attestation testimonial-extraction question sequence has eight segments. The sequence is structured to elicit the cycle-grounded PSD2-attestation content the testimonial's evidentiary value depends on and to capture the per-regulatory-dimension scrutiny the prospect's own PSD2-attestation cycle will apply to the vendor.

Segment 1 — Payment-services-provider-classification-against-Article-4-and-Annex-I mapping

The first segment establishes the payment-services-provider-classification mapping the attestation produced. The questions surface the classification methodology — the credit-institution-versus-payment-institution-versus-electronic-money-institution distinction under Article 4, the Annex-I payment-services-scope analysis, the per-service-line classification — and capture the per-dimension scrutiny the customer's procurement organization applied.

Representative questions:

  • What Article-4-and-Annex-I payment-services-provider-classification methodology did the attestation cycle apply, and which payment-services-and-procurement-leadership stakeholders approved the classification scope?
  • Which credit-institution-versus-payment-institution-versus-electronic-money-institution distinctions emerged from the classification, and how did the vendor's institutional positioning map against the distinction?
  • What Annex-I payment-services-scope analysis accompanied the classification, and how did the vendor's per-service-line positioning shape the classification conclusion?
  • Where did the classification surface PSD2-specific service-categorization ambiguity, and how did the per-feature observations shape the attestation's per-vendor positioning conclusion?

Segment 2 — Article-97-and-RTS-Article-4-and-Article-5 strong-customer-authentication review

The second segment captures the strong-customer-authentication-SCA review the attestation produced. The questions surface the SCA methodology — the two-factor-authentication-from-three-categories evaluation under RTS Article 4, the inherence-and-possession-and-knowledge-factor analysis, the per-transaction SCA-application — and capture the per-dimension scrutiny.

Representative questions:

  • What Article-97-and-RTS-Article-4-and-Article-5 strong-customer-authentication review methodology did the cycle apply, and what per-factor evaluation criteria did the customer's procurement organization use?
  • Which two-factor-authentication-from-three-categories features did the review surface, and how did the vendor's factor-selection posture shape the conclusion?
  • Which inherence-and-possession-and-knowledge-factor independence features did the review evaluate, and how did the vendor's factor-independence posture shape the SCA-compliance conclusion?
  • Where did the review surface PSD2-specific SCA-compliance gaps, and how did the per-gap observations shape the attestation's conclusion?

Segment 3 — RTS-Article-5 dynamic-linking evaluation

The third segment captures the RTS-Article-5 dynamic-linking evaluation. The questions surface the dynamic-linking methodology — the authentication-code-binding-to-amount-and-payee evaluation, the cryptographic-binding-and-tamper-resistance review, the per-transaction dynamic-linking — and capture the per-dimension scrutiny.

Representative questions:

  • What RTS-Article-5 dynamic-linking evaluation methodology did the cycle apply, and what dynamic-linking criteria did the customer's procurement organization use?
  • Which authentication-code-binding-to-amount-and-payee outcomes did the evaluation surface, and how did the vendor's binding-mechanism posture shape the conclusion?
  • Which cryptographic-binding-and-tamper-resistance patterns did the evaluation establish, and how did the vendor's tamper-resistance posture shape the conclusion?
  • Where did the dynamic-linking evaluation surface PSD2-specific binding-architecture features, and how did the per-feature observations shape the conclusion?

Segment 4 — RTS-Article-18 transaction-risk-analysis-exemption analysis

The fourth segment captures the transaction-risk-analysis-exemption analysis. The questions surface the exemption-application methodology — the fraud-rate-threshold-and-amount-threshold evaluation under RTS Article 18, the per-payment-category exemption-routing, the per-PSP exemption-eligibility — and capture the per-dimension scrutiny.

Representative questions:

  • What RTS-Article-18 transaction-risk-analysis-exemption analysis methodology did the cycle apply, and what exemption-application criteria did the customer's procurement organization use?
  • Which fraud-rate-threshold-and-amount-threshold outcomes did the analysis surface, and how did the vendor's fraud-rate posture shape the exemption-eligibility conclusion?
  • Which per-payment-category exemption-routing features did the analysis evaluate, and how did the vendor's per-category routing shape the conclusion?
  • Where did the exemption analysis surface PSD2-specific TRA-engine features, and how did the per-feature observations shape the conclusion?

Segment 5 — Article-66-and-Article-67 open-banking-API-access review

The fifth segment captures the Article-66-and-Article-67 open-banking-API-access review. The questions surface the API-access methodology — the dedicated-interface-versus-modified-customer-interface evaluation, the API-performance-and-availability review, the per-third-party-provider access-management — and capture the per-dimension scrutiny.

Representative questions:

  • What Article-66-and-Article-67 open-banking-API-access review methodology did the cycle apply, and which leadership stakeholders approved the API-architecture scope?
  • Which dedicated-interface-versus-modified-customer-interface features did the review surface, and how did the vendor's interface-architecture composition shape the conclusion?
  • Which API-performance-and-availability features did the review evaluate, and how did the vendor's API-uptime-and-latency posture shape the conclusion?
  • Where did the review surface PSD2-specific API-design features, and how did the per-feature observations shape the conclusion?

Segment 6 — eIDAS-QWAC-and-QSealC third-party-provider-TPP-onboarding assessment

The sixth segment captures the eIDAS-QWAC-and-QSealC TPP-onboarding assessment. The questions surface the TPP-onboarding methodology — the qualified-website-authentication-certificate-QWAC review, the qualified-electronic-seal-certificate-QSealC evaluation, the per-TPP-identity verification — and capture the per-dimension scrutiny.

Representative questions:

  • What eIDAS-QWAC-and-QSealC TPP-onboarding assessment methodology did the cycle apply, and what TPP-identity-verification criteria did the customer's procurement organization use?
  • Which qualified-website-authentication-certificate-QWAC features did the assessment surface, and how did the vendor's certificate-handling posture shape the conclusion?
  • Which qualified-electronic-seal-certificate-QSealC features did the assessment evaluate, and how did the vendor's QSealC-architecture choice shape the conclusion?
  • Where did the assessment surface PSD2-specific TPP-onboarding-and-trust-list features, and how did the per-feature observations shape the conclusion?

Segment 7 — AIS-and-PIS-interface-and-fallback evaluation

The seventh segment captures the AIS-and-PIS-interface-and-fallback evaluation. The questions surface the AIS-and-PIS methodology — the account-information-service-AIS-flow evaluation, the payment-initiation-service-PIS-flow review, the RTS-Article-33 fallback-mechanism-and-contingency analysis — and capture the per-dimension scrutiny.

Representative questions:

  • What AIS-and-PIS-interface-and-fallback evaluation methodology did the cycle apply, and what AIS-and-PIS-and-fallback criteria did the customer's procurement organization use?
  • Which account-information-service-AIS-flow features did the evaluation surface, and how did the vendor's AIS-publication posture shape the conclusion?
  • Which payment-initiation-service-PIS-flow features did the evaluation review, and how did the vendor's PIS-flow-design posture shape the conclusion?
  • Where did the RTS-Article-33 fallback-mechanism evaluation surface PSD2-specific contingency features, and how did the per-feature observations shape the conclusion?

Segment 8 — Per-vendor PSD2-compliance-posture-conclusion synthesis

The eighth segment captures the per-vendor PSD2-compliance-posture-conclusion synthesis the cycle produced. The questions surface the posture-conclusion methodology — the aggregate-across-segments rollup, the per-vendor risk-rating, the procurement-leadership-ratification record — and capture the synthesizing observation the customer's procurement organization registered against the vendor's PSD2-compliance posture.

Representative questions:

  • What per-vendor PSD2-compliance-posture-conclusion methodology did the cycle apply, and what aggregate-conclusion criteria did the customer's procurement organization use?
  • Which aggregate-across-segments features did the synthesis surface, and how did the vendor's per-segment posture shape the rollup conclusion?
  • Which per-vendor risk-rating features did the synthesis register, and how did the rating shape the procurement-leadership ratification?
  • Where did the synthesis surface PSD2-specific cross-segment-coherence features, and how did the per-feature observations shape the final per-vendor positioning conclusion?

Editorial protocol — preserving PSD2-attestation specificity while enabling cross-prospect deployment

The PSD2-attestation testimonial's deployment value depends on preserving the cycle-grounded PSD2-regulatory specificity that makes the readout credible while making the content deployable across prospect contexts whose own PSD2-attestation rubrics differ. The editorial protocol balances two competing requirements.

Preserve the per-segment-grounded specificity. Each segment's content must remain anchored in the customer's PSD2-statutory-evaluation against the cycle's actual regulatory dimensions — not summarized into generic payment-compliance-posture characterizations. Generic summary characterizations forfeit the evidentiary value the PSD2-attestation testimonial uniquely produces. The editorial rule: keep at least one PSD2-regulatory-dimension-specific phrase per quote (Article-4, Article-97, RTS-Article-5, RTS-Article-18, Article-66, eIDAS-QWAC, AIS-PIS, RTS-Article-33, etc.).

Generalize the customer-specific procurement-rubric framing. The customer's procurement organization's specific PSD2-attestation rubric should not appear in the published quote in ways that create the impression that the prospect must apply the identical rubric. The rubric framing should be generalized into the regulation-bound rubric framing the prospect's organization is likely to recognize — "the strong-customer-authentication review" rather than "our procurement organization's eight-segment strong-customer-authentication review". The editorial rule: anchor in PSD2-statutory dimensions, not in customer-procurement-organization-specific rubric language.

Preserve the per-segment-attribution sentence. The single highest-leverage editorial choice is to preserve at least one sentence per major segment that explicitly attributes a PSD2-compliance outcome to a specific vendor-property dimension — "the vendor's open-banking-API performance met the Article-66-and-Article-67 dedicated-interface requirement against the customer's PSD2-attestation rubric". The per-segment-attribution sentence is the editorial unit that prospects evaluating against analogous PSD2-attestation rubrics will lift and reapply against their own evaluations.

Deployment — turning the PSD2-attestation testimonial into a closing evidence vehicle

The procurement PSD2 attestation testimonial is deployed against three audiences.

First, the prospect whose EU-payment-services-and-open-banking obligations require PSD2-attestation validation before approving payment-services-provider supplier engagements. The testimonial is deployed in the early-stage technical-evaluation phase against the prospect's payment-services-and-procurement-organization evaluation, paired with the vendor's own PSD2-statement-of-conformity content. The PSD2-attestation testimonial is the customer-validated complement to the vendor's compliance-narrative content and is the highest-fidelity evidence the prospect's payment-services-and-procurement-organization is likely to require.

Second, the prospect whose open-banking-API-and-TPP-interface obligations require PSD2-grade attestation evidence to justify vendor selection within the prospect's own payment-services-and-procurement framework. The testimonial is deployed against the prospect's per-API-interface review, paired with the vendor's per-API-performance-and-availability content. The PSD2-attestation testimonial supports the prospect's per-API-interface evaluation by providing customer-validated evidence the prospect's payment-services review can lift into its per-API-interface decision record.

Third, the prospect whose payment-services-leadership-review requires documented PSD2-posture grounded in customer-validated evidence rather than vendor-produced compliance-narrative content. The testimonial is deployed against the prospect's payment-services-leadership-review escalation, paired with the vendor's own PSD2-compliance-narrative content. The PSD2-attestation testimonial provides the customer-validation layer the leadership review requires to ratify the vendor's selection against the prospect's own payment-services-leadership-review standard.

The deployment principle: the procurement PSD2 attestation testimonial is deployed in the highest-stakes phases of the prospect's PSD2-verified-EU-payment-services-procurement evaluation — the technical-evaluation, the per-API-interface review, and the payment-services-leadership-review ratification — where customer-validated PSD2-attestation evidence is decisive and vendor-produced PSD2-compliance-narrative content alone is insufficient.

The procurement PSD2 attestation conversation is the single highest-fidelity testimonial-extraction opportunity the customer's vendor relationship produces against the PSD2-verified-EU-payment-services-gated prospect evaluation. Run the eight-segment question sequence in the three-to-eight-week scheduling window, preserve the per-PSD2-regulatory-dimension specificity through the editorial protocol, and deploy against the prospect's technical-evaluation, per-API-interface-review, and payment-services-leadership-review phases. The PSD2-attestation testimonial is the evidence vehicle that closes prospects whose vendor selection requires PSD2-verified payment-services-provider evidence the standard payment-compliance testimonial cannot produce.

Ready to get started?

Start collecting and showcasing testimonials in under 5 minutes.

Start Free