Payments 101

Embedded payments compliance in Europe: What merchants need to know

Embedded payments are reshaping commerce in Europe. From marketplaces and ride-hailing platforms to SaaS products and retail apps, more businesses are building payment experiences directly into their workflows. Customers pay inside the app without being redirected. For merchants, this means higher conversion and tighter control of the customer journey.

But embedding payments also creates new responsibilities. Once a platform facilitates transactions between buyers and sellers, regulators may view it as taking on roles that go beyond standard merchant acceptance. This brings requirements tied to payment services, data handling, and customer verification. For merchants expanding in Europe, compliance is not optional. It is central to growth.

What are embedded payments?

Embedded payments integrate payment functionality directly into a non-financial product or service. Examples include:

  • A marketplace that enables customers to pay sellers within the platform.
  • A ride-hailing app that processes fares without redirecting to an external gateway.
  • A SaaS product that allows users to pay for subscriptions inside the platform.
  • Retail apps that support one-click checkout tied to stored cards or wallets.

The appeal is clear: seamless experience, reduced friction, and more control for the merchant. But with control comes regulatory exposure.

Core compliance requirements in Europe

Merchants offering embedded payments must consider multiple layers of European compliance.

PSD2 and Strong Customer Authentication (SCA)

The revised Payment Services Directive requires strong authentication for online payments. Platforms embedding payments must ensure transactions meet SCA standards. Because SCA requires two independent factors, this usually means integrating two-factor authentication, such as a biometric check combined with a registered device, through their PSPs.

PCI DSS

Handling card data requires compliance with the Payment Card Industry Data Security Standard. Merchants embedding payments need to ensure cardholder data is stored, processed, and transmitted securely. Tokenization and vaulting reduce exposure, but the merchant remains responsible for any card data that still touches its own systems.
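To make the scope-reduction point concrete, here is an added example (not code from the original post or from Gr4vy) of what "tokenize and vault" means in practice: the vault, standing in for the PSP or orchestration layer, keeps the full card number; the merchant's own records hold only a random token, the last four digits and the expiry. The `find_pans` scanner at the end is the kind of check a merchant can run over its own storage to confirm that no full card numbers leaked into logs or databases. All names, the test card number and the in-memory store are constructed for the example.

```python
import json
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check and has a card-like length."""
    digits = [int(d) for d in pan if d.isdigit()]
    if len(digits) < 13 or len(digits) > 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class CardVault:
    """Stand-in for the PCI-scoped vault run by a PSP or orchestration platform (constructed)."""

    def __init__(self) -> None:
        self._store: dict[str, tuple[str, str]] = {}   # token -> (pan, expiry)

    def tokenize(self, pan: str, expiry: str) -> dict:
        """Swap a card number for a random token; the caller only ever receives the token."""
        pan = pan.replace(" ", "")
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        token = "tok_" + secrets.token_urlsafe(16)      # unpredictable, not derived from the PAN
        self._store[token] = (pan, expiry)
        return {"token": token, "last4": pan[-4:], "expiry": expiry}

    def charge(self, token: str, amount_minor: int) -> dict:
        """Resolve the token inside the vault; a real vault would forward the PAN to the acquirer."""
        pan, _expiry = self._store[token]
        return {"status": "authorized", "amount_minor": amount_minor, "card": "****" + pan[-4:]}


# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card numbers found in free text (a simple PAN-discovery check)."""
    hits = []
    for match in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def merchant_storage_is_pan_free(records: list[dict]) -> bool:
    """True if nothing in the merchant-side records looks like a full card number."""
    return find_pans(json.dumps(records)) == []


if __name__ == "__main__":
    vault = CardVault()
    # Constructed test card number; the merchant only keeps what tokenize() returns.
    customer_record = vault.tokenize("4111 1111 1111 1111", "12/27")
    print(customer_record)                                   # token, last4, expiry only
    print(vault.charge(customer_record["token"], 1299))
    print(merchant_storage_is_pan_free([customer_record]))   # True
    # A log line that accidentally captured the raw card is caught by the scanner:
    print(find_pans("checkout card=4111 1111 1111 1111 exp=12/27"))
```

The merchant-side record contains nothing that PCI DSS treats as cardholder data beyond the last four digits, which is what keeps the merchant's systems out of most of the assessment scope; the scanner is there because tokenization only helps if raw numbers really never land in the merchant's logs or databases.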

AML and KYC

When platforms facilitate payments between third parties, regulators may require them to perform anti-money laundering checks and know-your-customer verification. This is especially relevant for marketplaces and gig platforms where multiple sellers operate under one umbrella.

GDPR and data privacy

Payment data is personal data. Platforms embedding payments must follow GDPR rules on collection, storage, and cross-border transfers. Customers must have visibility and control over their data.

National regulators

Beyond EU-level rules, countries have their own oversight. Germany’s BaFin, France’s ACPR, and the UK’s FCA all supervise payment activity. A platform expanding across borders may need to comply with each.

Risks of non-compliance

Failure to meet compliance standards has consequences:

  • Regulatory fines for GDPR and PSD2 violations can reach millions of euros.
  • Loss of license or access to payment services can halt business operations.
  • Reputational damage undermines customer trust.
  • Operational costs rise when remediation is needed after an audit or investigation.

Embedded payments open doors to new revenue, but without a compliance framework they expose merchants to risks that can outweigh the benefits.

How embedded payments intersect with regulation

Embedded payments blur the line between merchants and financial institutions. Platforms that used to only list products or connect users are now also handling funds, and regulators treat that activity differently.

Marketplaces, SaaS platforms, and gig-economy apps may fall under payment services rules when they facilitate transfers between buyers and sellers. This means they must either:

  • Obtain their own payment license, or
  • Partner with licensed PSPs or orchestration platforms that cover regulatory requirements.

The shared-responsibility model is becoming common. Licensed partners hold compliance responsibility for settlement, fraud prevention, and reporting. Merchants remain responsible for the customer experience and ensuring their providers align with PSD2, AML, and GDPR.

Why orchestration helps with compliance

Payment orchestration adds a structured layer that reduces compliance risk for embedded payments.

  • Centralized control: Merchants manage payment data, routing, and reporting in one place. This simplifies audits.
  • PCI DSS readiness: Orchestration platforms provide tokenization and secure vaulting to reduce exposure to sensitive data.
  • Multi-PSP strategy: Orchestration connects to multiple PSPs, ensuring compliance coverage in each market without multiple direct contracts.
  • Dynamic routing: Transactions can be sent through providers that meet specific compliance or regulatory requirements in different jurisdictions.
  • Resilience: Failover to backup providers reduces downtime, keeping services available during audits or provider issues.
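The routing and failover bullets above describe a decision an orchestration layer makes on every transaction. The following is an added example (not Gr4vy's code or any product's API) of that decision written out: each provider carries the facts that matter for compliance (where it is licensed, whether it supports SCA, where it keeps data), the router keeps only providers that satisfy the transaction's requirements, tries them in priority order, falls over to the next one when a provider is unavailable, and returns an attempt log that can be kept for audits. Provider names, markets and health flags are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Provider:
    name: str
    licensed_in: frozenset      # ISO country codes the provider may serve
    supports_sca: bool          # can complete PSD2 strong customer authentication
    data_region: str            # where cardholder/personal data is processed
    priority: int               # lower is preferred
    healthy: bool = True        # current availability (would come from monitoring)


@dataclass(frozen=True)
class Transaction:
    country: str
    amount_minor: int
    currency: str
    sca_required: bool
    data_region: str = "EU"     # where this customer's data must stay


class NoEligibleProvider(Exception):
    """Raised when no connected provider satisfies the transaction's requirements."""


def eligible_providers(tx: Transaction, providers: list[Provider]) -> list[Provider]:
    """Keep providers that meet every compliance requirement, ordered by priority."""
    ok = [
        p for p in providers
        if tx.country in p.licensed_in
        and p.data_region == tx.data_region
        and (p.supports_sca or not tx.sca_required)
    ]
    return sorted(ok, key=lambda p: p.priority)


def route(tx: Transaction, providers: list[Provider]) -> tuple[str, list[tuple[str, str]]]:
    """Pick the first healthy eligible provider; return its name and an audit trail of attempts."""
    attempts: list[tuple[str, str]] = []
    for p in eligible_providers(tx, providers):
        if not p.healthy:
            attempts.append((p.name, "skipped: provider unavailable"))
            continue
        attempts.append((p.name, "selected"))
        return p.name, attempts
    raise NoEligibleProvider(
        f"no provider licensed for {tx.country} with data_region={tx.data_region}"
        f" and sca={'required' if tx.sca_required else 'optional'}; attempts={attempts}"
    )


# Constructed provider set: a German-focused PSP, a pan-EU PSP and a UK PSP.
PROVIDERS = [
    Provider("psp_de", frozenset({"DE", "AT"}), supports_sca=True, data_region="EU", priority=1),
    Provider("psp_eu", frozenset({"DE", "FR", "NL", "ES"}), supports_sca=True, data_region="EU", priority=2),
    Provider("psp_uk", frozenset({"GB"}), supports_sca=True, data_region="UK", priority=1),
]


def with_outage(providers: list[Provider], name: str) -> list[Provider]:
    """Return a copy of the provider list with one provider marked unavailable."""
    return [Provider(**{**p.__dict__, "healthy": False}) if p.name == name else p for p in providers]


if __name__ == "__main__":
    tx = Transaction(country="DE", amount_minor=4500, currency="EUR", sca_required=True)
    print(route(tx, PROVIDERS))                           # psp_de selected
    print(route(tx, with_outage(PROVIDERS, "psp_de")))    # psp_eu selected, psp_de skipped
    try:
        route(Transaction("IT", 4500, "EUR", True), PROVIDERS)
    except NoEligibleProvider as exc:
        print("blocked:", exc)
```

The important property is that the compliance filter runs before any preference or cost logic, so an outage never causes a transaction to be pushed through a provider that is not licensed for that market or that would move data out of the required region; the attempt log records both the skips and the final choice for later review.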

For context on why orchestration is a stronger model for European growth, see our guide on payment orchestration vs PSPs in Europe.

Strategic guidance for merchants

Merchants planning to embed payments across Europe should take a structured approach:

  1. Map regulatory exposure: Identify where your business model makes you responsible for PSD2, AML, or local financial rules.
  2. Partner strategically: Use PSPs and orchestration platforms that already hold licenses and meet local requirements.
  3. Prioritize data protection: Align embedded payment systems with GDPR and PCI DSS from the start.
  4. Plan for scale: Compliance requirements expand as you enter new markets. Build flexibility into your payment stack now.
  5. Monitor regulation: New rules such as the EU Instant Payments Regulation will change settlement norms. Merchants must stay ahead.

For more detail on how consumer adoption and compliance go hand in hand, see our report on European retail payment trends in 2025.

FAQ

What compliance rules apply to embedded payments in Europe?

PSD2, GDPR, AML directives, and PCI DSS apply, along with local supervision by regulators such as BaFin, ACPR, and the FCA.

Do platforms need a financial license?

Sometimes. Marketplaces and apps that handle funds between third parties may need a license or must work with licensed PSPs.

How does orchestration reduce compliance complexity?

It centralizes tokenization, reporting, and routing. This reduces the merchant’s exposure to sensitive data and simplifies audits.

What is the role of KYC in embedded payments?

KYC is critical when onboarding sellers, drivers, or freelancers onto a platform. Regulators require these checks to prevent fraud and money laundering.

How do GDPR and PCI DSS overlap in embedded payments?

Both deal with data security. GDPR covers all personal data, while PCI DSS focuses on cardholder data. Together, they require strict controls on storage and access.

Embedded payments are transforming commerce in Europe. They create frictionless experiences for customers and new revenue streams for merchants. But they also come with regulatory obligations that cannot be ignored.

Merchants expanding in Europe must address PSD2, GDPR, PCI DSS, and AML requirements while adapting to national rules. Without a strategy, compliance risks can outweigh growth opportunities.

Payment orchestration provides the structure to manage these challenges. It simplifies compliance, centralizes data, and reduces reliance on any single provider. For merchants embedding payments into their platforms, orchestration is not an add-on — it is the foundation for compliance and growth.

Contact Gr4vy to prepare your embedded payments strategy for European compliance.
