
PSD2 and 3D Secure 2 Explained

Under PSD2, every business that sells online has to comply with the new Strong Customer Authentication rules that take effect on 14 September 2019, or suffer a heavy impact on sales through declined payments.

Written by Alex E. Pjetra (Product Marketing Executive), 9 Aug 2019, in B2B eCommerce

Regardless of what people may think, PSD2 and 3DS2 are, by all means, a good thing for both customers and merchants, and they are here to stay.


With every new rule or regulation (think GDPR), there may be some uproar at the beginning. It may take some time for everyone to adjust to it. But, eventually, it will become the norm.


Let’s begin by looking at some of the benefits that both customers and merchants will have from using 3D Secure 2.


Benefits of 3DS2 for customers:

1.    Increased security & trust: Multi-factor authentication makes a stolen card number on its own useless for a purchase, which reduces the customer's exposure to card-not-present fraud.


2.    Speed & convenience: 3D Secure 2 removes the full-page redirect that 3DS1 relied on, and when the issuer's risk analysis is satisfied it authenticates without any challenge at all, so checkout is noticeably quicker.


3.    Customer choice: Customers will have various authentication methods to choose from, such as a one-time code or a fingerprint confirmation in their banking app, and can pick the one that suits them best.


Benefits of 3DS2 for merchants:

1.    Compliance: The most efficient way for merchants to meet the new industry standard and comply with the new EU laws for SCA is to enable 3DS2.


2.    Reduce cart abandonment: Customers are 70% more likely to complete an order because the checkout process is easier, quicker and less error-prone.


3.    Lower fraud risk: When a payment is authenticated through 3D Secure 2, liability for fraud-related chargebacks shifts from the merchant to the card issuer. The shift covers fraud disputes only; chargebacks for other reasons, such as goods not received, remain the merchant's responsibility.



What is PSD2?


PSD2 is the Second Payment Services Directive, the EU legislation whose Strong Customer Authentication requirements come into effect on 14 September 2019.


This requirement was designed with one main objective: to increase the security of card payments by requiring Strong Customer Authentication for card-not-present (CNP) transactions, where the cardholder is not physically present at the point of sale. It tightens the rules around the handling of payments and card data, and every business that sells online needs to be aware of it.



What is Strong Customer Authentication?


Strong Customer Authentication, a.k.a. SCA, is a new European regulatory requirement that aims to make online payments more secure and reduce online fraud.


To accept payments once SCA goes into effect, you will need to build additional authentication into your checkout flow. SCA calls for multi-factor authentication: at least two independent factors from the following three categories.


1.    Something the customer knows (knowledge), e.g. a password, PIN, passphrase or secret fact.

2.    Something the customer has (possession), e.g. a phone, wearable device or smart card.

3.    Something the customer is (inherence), e.g. biometrics such as facial recognition, iris scanning, fingerprint reading or voice recognition.


Unless an exemption applies, this multi-factor authentication will be the default for every customer-initiated electronic payment within the European Economic Area, including the card-not-present payments an online shop takes.


As a result, every business that sells online needs to add multi-factor authentication to its checkout, or issuers will start declining its transactions.


When is Strong Customer Authentication required?


Strong Customer Authentication applies when a customer initiates an electronic payment within the European Economic Area. It does not apply to merchant-initiated transactions such as scheduled subscription charges, where the customer is not present to authenticate, although the set-up of such a mandate is itself authenticated.


In practice this means that whenever a customer makes an online (card-not-present) payment, SCA will be required for most card payments and for all online bank transfers initiated by the payer. As with every rule, there are exemptions.


The main exemptions set out in the regulation are low-value remote payments (30 EUR or less, subject to cumulative limits since the customer's last authentication), payments the acquirer's or issuer's transaction risk analysis flags as low risk, payees the customer has added as trusted beneficiaries, and recurring payments of a fixed amount after the first authenticated one. An exemption is something the merchant can request; the issuer decides whether to grant it and can still challenge the payment.


It is also worth noting that these requirements apply only to transactions where both the cardholder's bank (the issuer) and the business' bank (the acquirer) are located within the European Economic Area; where one side is outside the EEA, the European side is only expected to make a best-effort attempt at authentication. Regardless of the outcome of Brexit, the UK is also expected to follow the SCA rules.
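The factor rule from the previous section and the scope and exemption rules in this one can be put into a small decision routine. The following Python is an added example, not code from the original post or from any payment provider: it checks that presented factors span two different categories and classifies a transaction as out of scope, exemption-eligible or SCA-required. The low-value thresholds (30 EUR, 100 EUR cumulative, 5 transactions) are taken from the RTS on SCA rather than from the post, the transaction fields and sample transactions are constructed for the example, and the counters since the last authentication are data only the issuer holds, so the routine can only predict what the issuer is likely to decide.

```python
from dataclasses import dataclass

# Factor categories named in the RTS on SCA; a compliant authentication needs
# two or more factors from different categories, independent of each other.
CATEGORIES = {"knowledge", "possession", "inherence"}

# Thresholds for the remote low-value exemption (RTS Art. 16): single amount
# <= 30 EUR, and since the payer's last SCA either the cumulative amount of
# previous remote payments <= 100 EUR or at most 5 such payments. These
# numbers come from the RTS, not from the post above.
LOW_VALUE_LIMIT_EUR = 30.0
LOW_VALUE_CUMULATIVE_EUR = 100.0
LOW_VALUE_MAX_COUNT = 5


def meets_factor_rule(factor_categories):
    """True when the presented factors cover at least two distinct categories.

    Password + PIN are both 'knowledge' and therefore do not satisfy SCA.
    """
    cats = set(factor_categories)
    unknown = cats - CATEGORIES
    if unknown:
        raise ValueError(f"unknown factor categories: {sorted(unknown)}")
    return len(cats) >= 2


@dataclass
class Transaction:
    amount_eur: float
    payer_psp_in_eea: bool       # cardholder's issuer inside the EEA
    payee_psp_in_eea: bool       # merchant's acquirer inside the EEA
    customer_initiated: bool = True
    # Counters the issuer keeps since the cardholder last completed SCA.
    # A merchant never sees these; the values in demo() are constructed.
    cumulative_since_sca_eur: float = 0.0
    count_since_sca: int = 0
    trusted_beneficiary: bool = False             # payee whitelisted by the payer
    recurring_same_amount_followup: bool = False  # later charge of an already authenticated series


def sca_requirement(txn: Transaction) -> str:
    """Classify a transaction as out of scope, exemption-eligible or SCA-required.

    This mirrors the issuer's decision so a merchant can predict whether a
    challenge is likely; the issuer, not the merchant, makes the final call
    and may still challenge an exemption-eligible payment.
    """
    # One-leg-out: SCA applies only when both PSPs are in the EEA.
    if not (txn.payer_psp_in_eea and txn.payee_psp_in_eea):
        return "out_of_scope:one_leg_out"
    # Merchant-initiated transactions have no payer present to authenticate.
    if not txn.customer_initiated:
        return "out_of_scope:merchant_initiated"
    if txn.trusted_beneficiary:
        return "exemption:trusted_beneficiary"
    if txn.recurring_same_amount_followup:
        return "exemption:recurring"
    low_value = (
        txn.amount_eur <= LOW_VALUE_LIMIT_EUR
        and (txn.cumulative_since_sca_eur <= LOW_VALUE_CUMULATIVE_EUR
             or txn.count_since_sca <= LOW_VALUE_MAX_COUNT)
    )
    if low_value:
        return "exemption:low_value"
    return "sca_required"


def demo():
    """Constructed transactions (not real data) illustrating each branch."""
    cases = {
        "coffee_in_eea": Transaction(4.50, True, True, cumulative_since_sca_eur=20, count_since_sca=2),
        "small_payment_over_both_caps": Transaction(25.0, True, True, cumulative_since_sca_eur=120, count_since_sca=6),
        "us_issued_card": Transaction(199.0, False, True),
        "subscription_renewal_mit": Transaction(9.99, True, True, customer_initiated=False),
        "laptop": Transaction(1299.0, True, True),
    }
    return {name: sca_requirement(t) for name, t in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32} {verdict}")
```

Run it directly to print the verdict for each constructed case. The point a merchant should take from it is the last line of sca_requirement: everything that is neither out of scope nor exemption-eligible will be challenged, and even an exemption is only a request the issuer may refuse.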



How to authenticate a payment?


Up until now, online card payments have mostly been authenticated with 3D Secure, an authentication standard supported by the major card schemes.


The original 3D Secure (3DS1) added a layer of protection by redirecting the customer to an issuer-hosted page where they entered a static password or a one-time code sent to their phone before the transaction could complete. 3D Secure 2 keeps that protection but moves it into the merchant's page or mobile app, where the issuer can challenge the customer with a one-time code or with a fingerprint or face scan through the banking app, or skip the challenge entirely when its risk analysis is satisfied.


With the enforcement of PSD2, 3D Secure 2 will become the default method for authenticating online card payments: it meets the SCA requirements, and because it passes far more transaction data to the issuer than 3DS1 did, it can authenticate low-risk payments without interrupting the customer at all.


This new authentication method not only offers many benefits for both customers and merchants as mentioned above but also introduces a better user experience.
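As an added example of what "default method of authentication" means on the merchant side (this is not code from the original post or from any 3DS provider), the Python below handles the result a 3D Secure 2 server hands back after the authentication request. The transStatus codes (Y, C, A, N, U, R) and the field names are taken from the EMVCo 3DS 2 message specification rather than from the post; the AuthResponse and MerchantAction classes, the example ACS hostname and all sample responses are constructed for the example, and scheme-specific liability rules are deliberately not modelled.

```python
from dataclasses import dataclass
from typing import Optional

# transStatus codes from the EMVCo 3-D Secure 2 message specification; these
# are not mentioned in the post and are used here as the vocabulary for the
# ARes (authentication response) and the RReq/CRes (challenge result).
TRANS_STATUS = {
    "Y": "authenticated",
    "C": "challenge required",
    "A": "attempted (issuer did not authenticate, proof of attempt only)",
    "N": "not authenticated",
    "U": "authentication could not be performed",
    "R": "rejected by issuer",
}


@dataclass
class AuthResponse:
    trans_status: str
    # Cryptogram (CAVV/AAV) and ECI are returned on success and must be
    # forwarded in the authorization request for the liability shift to apply.
    # ECI values are scheme-specific: "05" is Visa's fully-authenticated code.
    authentication_value: Optional[str] = None
    eci: Optional[str] = None
    # ACS challenge endpoint, present only when trans_status == "C".
    acs_url: Optional[str] = None


@dataclass
class MerchantAction:
    action: str          # authorize | challenge | decline | fallback
    sca_satisfied: bool  # True only for a completed authentication
    detail: str


def handle_auth_response(res: AuthResponse, after_challenge: bool = False) -> MerchantAction:
    """Decide what the merchant does next given a 3DS2 result.

    Called once for the ARes (frictionless decision) and, if a challenge was
    shown, once more for the final result, where "C" is no longer valid.
    """
    status = res.trans_status
    if status not in TRANS_STATUS:
        return MerchantAction("decline", False, f"unknown transStatus {status!r}")

    if status == "Y":
        if not res.authentication_value or not res.eci:
            # Never authorize on the status letter alone; the cryptogram is the evidence.
            return MerchantAction("decline", False, "Y without authentication value/ECI")
        return MerchantAction("authorize", True, "forward CAVV and ECI in the authorization")

    if status == "C":
        if after_challenge:
            return MerchantAction("decline", False, "challenge result cannot itself request a challenge")
        if not res.acs_url or not res.acs_url.startswith("https://"):
            # The challenge is rendered to the cardholder; refuse a missing or plaintext endpoint.
            return MerchantAction("decline", False, "missing or non-HTTPS ACS URL")
        return MerchantAction("challenge", False, "render ACS challenge in-app or in an iframe, no full-page redirect")

    if status == "A":
        # Proof of attempt only: SCA is not satisfied. Whether the acquirer may
        # still authorize is scheme policy, so flag it rather than decide here.
        return MerchantAction("fallback", False, "attempted only; route per scheme/acquirer policy")

    if status == "U":
        return MerchantAction("fallback", False, "ACS unavailable; retry later or request an exemption")

    # "N" and "R": the issuer refused; do not retry with the same credentials.
    return MerchantAction("decline", False, TRANS_STATUS[status])


def demo():
    """Constructed responses (not real traffic) for each outcome."""
    cavv = "Y2F2di1leGFtcGxl"  # constructed placeholder, not a real cryptogram
    return {
        "frictionless": handle_auth_response(AuthResponse("Y", cavv, "05")),
        "y_without_cryptogram": handle_auth_response(AuthResponse("Y")),
        "challenge": handle_auth_response(AuthResponse("C", acs_url="https://acs.example-issuer.test/challenge")),
        "plain_http_acs": handle_auth_response(AuthResponse("C", acs_url="http://acs.example-issuer.test/challenge")),
        "attempted": handle_auth_response(AuthResponse("A", cavv, "06")),
        "declined": handle_auth_response(AuthResponse("N")),
        "post_challenge_ok": handle_auth_response(AuthResponse("Y", cavv, "05"), after_challenge=True),
    }


if __name__ == "__main__":
    for name, act in demo().items():
        print(f"{name:22} {act.action:10} sca={act.sca_satisfied}  {act.detail}")
```

The two checks worth copying are the refusal to treat a bare "Y" as authenticated without the cryptogram, and the HTTPS check on the ACS URL before anything is shown to the cardholder; both are cheap and both close off a class of integration mistakes that the status letter alone would hide.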