Making sense of PSD2: Strong Customer Authentication and 3D Secure 2.0

a lock in the middle of the EU flag to depict how online payments in the EU are being made safer through PSD2, SCA and 3DS2
Le Raine Hendrik
Le Raine Hendrik

Content Writer

The final pieces of the Revised Payment Services Directive (PSD2) are coming together. With it brings a host of change for e-commerce businesses and online consumers, particularly when it comes to the new Strong Customer Authentication (SCA) requirements and 3D Secure 2.0.

Now more than ever, it’s crucial for retailers and merchants to understand the practical implications these regulations will have on their businesses and customer relationships.

That’s why we’ve waded through the important stuff to bring you all the essentials you need to know, about how SCA fits into PSD2 and how to make 3D Secure 2.0 work to your advantage.

So let’s start with the basics first.

What is PSD2 and why is it necessary?

PSD2 are laws and regulations covering payment services in the European Union (EU) and the European Economic Area (EEA). It was passed in 2015, but fully came into effect on September 14, 2019.

The first directive (PSD1) started in 2007 to establish a modern and coherent legal framework for payment services in the EU1, but so much has happened since then – mobile payments were introduced, facial recognition could authenticate transactions, physical wallets were made redundant, while neobanks2 became a thing.

PSD1, in short, didn’t cover enough of the immense digital advancement we experienced in the last decade – the decade which gave rise to new products and solutions that challenged the existing framework or fell outside the scope of the old directive. According to the European Commission3, resulted in "legal uncertainty, potential security risks in the payment chain and a lack of consumer protection in certain areas."

As payment technology became more technical, complex and embedded into our lives, PSD2 was introduced to:

  • Enhance digital security and make the EU payments market more integrated and efficient
  • Promote competition and level the playing field for payment service providers, and those new to the market
  • Protect consumers from rising levels of fraud, facilitate innovation in the industry and enhance customer convenience

Part of the key changes PSD2 brings includes what is known as Strong Customer Authentication, or SCA. Let’s look at what this means and how it affects your business.

image showing the conditions for complying with Strong Customer Authentication (SCA) under the Revised Payments Service Directive (PSD2): something you know, something you own and something you are

What is Strong Customer Authentication (SCA)?

Also called “two-factor authentication”, SCA was introduced to reduce payment fraud and make online payments more secure. SCA is part of the changes rolling out under PSD2, and the European Commission defines it as authentication that uses two or more elements of the following:

  • Something you know – like a password, PIN, or secret answer
  • Something you own – like a mobile phone, wearable device, or smart card
  • Something you are – like your fingerprint, facial features or voice patterns.

PSD2 mandates that SCA is required for all electronic payments, with exemptions for certain transactions. These are the key aspects you need to know:

  • What SCA mainly applies to: all customer-initiated online payments within Europe, including most card payments and bank transfers. For online card payments, these requirements apply to transactions where both the business and the cardholder’s bank are located in the EEA.
  • What SCA doesn’t affect: recurring direct debits, which are considered “merchant-initiated,” as well as in-person card payments (with the exception of contactless payments).

For more details on SCA exemptions, check out our integrations guide here.

The European Banking Authority (EBA) set a deadline for e-commerce card-based payment transactions to fully incorporate SCA under PSD2 on December 31, 20204. Once the deadline kicks in, in-scope transactions that do not have SCA performed will be declined.

This means you’ll need to ensure your business is SCA-compliant by the end of the year. The good news? It’s not that complicated, and the world is already somewhat used to it by now.

How 3D Secure 2.0 helps merchants comply with SCA

You clicked on “checkout,” entered your card details and address, but your transaction doesn’t go through unless you’ve entered a code that’s been sent to your phone or banking app to verify your identity.

That’s 3D Secure 1.0 (3DS 1.0) doing its work to help merchants fight fraud through SCA. But... it restricts online shoppers, adding extra steps during payments, creating false declines that contribute to a negative buying experience, or is tricky to use on a mobile device.

Did you know? A report by Aite Group found that losses due to false declines will grow to USD 443 billion by 2021 – far outstripping the losses caused by the original issue of fraud5.

3D Secure 2.0 (3DS2) is the improved version of this authentication protocol. It promises to support new payment channels like mobile, in-app and digital wallets, and improve declining conversion rates (that happened when online shoppers had to deal with 3DS1).

Here's the difference between 3DS1 and 3DS2:

  • 3DS1 prompts you to insert a code sent by text message onto a static webpage, blocking the purchase until this step is complete.
  • 3DS2 facilitates rich data exchange between merchants, cardholders and issuers to achieve accurate authentication. Instead of having to remember a PIN or getting redirected off the shopping site, a customer’s issuing bank can verify transactions from merchants, resulting in a more seamless payment experience.

If a transaction is believed to be high-risk, 3DS2 might issue a challenge to verify a user’s identity, including via:

  • A one-time password (OTP), delivered through a token with time-limited usage
  • Biometrics, such as with fingerprints
  • Out of Band authentication, such as authentication through an external voice channel, or codes sent to a mobile app in push notifications

In general though, 3DS2 lets you add extra security into your checkout processes and comply with the new SCA regulations, without sacrificing the customer experience.

What’s definitely worth noting is that mobile payment methods such as Apple Pay or Google Pay already have a built-in layer of authentication for customers (using biometrics or a password). This is a great way to offer a frictionless checkout experience while also meeting the new SCA requirements.

icon depicting that 3D Secure 2.0 increases payment security for online transactions

Why 3DS2 is beneficial for e-commerce merchants

Research by the European Central Bank (ECB) found that in 2017, Europe collectively lost €1.8 billion in card fraud cases, 73% of which encompassed online, or card-not-present (CNP) payments6.

CNP fraud also increased 66% from 2012 to 2016, and was the main driver for the 35% rise in overall fraud over this five-year period.

3D Secure 2.0 promises to provide robust fraud protection7 for your organization, along with many benefits, including:

  • Complying with SCA – as we mentioned above, once the EBA’s deadline kicks in, most of your online transactions will be declined unless SCA has been applied.
  • Shifting the liability away from you – the issuing bank assumes the risk of fraud even if it doesn’t take part in either 3DS1 or 3DS2.
  • A better customer experience – 3DS2 is designed to work whether a buyer is interacting with your website via a web browser or mobile app. Frictionless customer identification will make for a shortened checkout process. This will go a long way towards reducing cart abandonment.
  • Fewer false declines – 3DS2 sends much more transaction data to issuers to help them make better risk decisions and reduce false declines. This also works to create more trust between issuers and merchants.
  • Easy adjustments to your e-commerce site – 3DS2 allows you to effortlessly build authentication flows natively into proprietary apps or websites.

What does your business need to do to get ready for PSD2 and SCA?

Chat with your payment processor and bank:

If your business uses a payment service provider (PSP) like Payvision, you should reach out and ask them how they can support you in complying with SCA under PSD2. For instance, we offer our merchants the option to turn on 3DS2 to authenticate their transactions.

If your business handles payments directly on your website, you may need to update the payment integration in your checkout process to ensure the card issuer can perform SCA checks.

Minimize the impact on your customers:

Consider how these changes will impact your customer journey through your website’s checkout process. As with any digital change, big or small, there’s always a brief period at the start where things don’t always work right. Be prepared for this.

Developing a communications plan to tell customers about how you’re complying with SCA will help to assure your buyers that you’re on top of everything. You can also fill them in on any website updates they can expect, and who to reach out to in case they have questions.

Let’s quickly recap

  • The revised Payment Services Directive (PSD2) came into full effect on September 14, 2019.
  • Strong Customer Authentication (SCA) sits under PSD2, and is enabled by 3D Secure 2.0 (3DS2).
  • The EBA’s deadline for e-commerce card-based payment transactions to fully incorporate SCA is December 31, 2020.
  • 3DS2 allows for rich data exchanges between key authorities to achieve accurate authentication, resulting in a more seamless payment experience.
  • 3DS2 helps to reduce online fraud and create better shopping experiences while improving overall online security.
  • Checking with your PSP and bank is the first step you should take to ensure compliance.
  • Communicate with customers to instill confidence, and to manage expectations of any changes you’re making that could impact their shopping experience.

PSD2 is now just part of the payments landscape. It’s more imperative than ever to ensure your online business stays thriving throughout digital change. If you want the confidence of knowing your payment flows are fully compliant, we’d love to help.

Comply with PSD2 SCA easily

Want to find out more about how 3D Secure 2.0 can work for your business? Just reach out to our Payment Experts for a no-strings-attached chat today.

Get in touch
Jamil Johnson,
Jamil Johnson, VP Sales EMEA at Payvision, smiling on a green background