Hopes, Fears & Strong Customer Authentication: A Merchant Guide to this new Phase of PSD2

 September 16th, 2019

The second implementation phase of PSD2 is here. Ideally, it will usher in a new era of improved customer service with benefits for end users and payment parties.  

Don’t hold your breath: there is still much to accomplish before these lofty goals can be reached. 

First, we’ll clear up a few points about PSD2. Then we’ll speculate and provide some recommendations for this phase of implementation.   

The Facts You Need for PSD2 

The Revised Directive on Payment Services (PSD2) was implemented in 2018 to improve payment security and user experience.  

PSD2 applies to payments in EU currencies between payment providers in the EU. Further, it gives the European Banking Authority (EBA) the power to implement Regulatory Technical Standards (RTS) which require multi-factor authentication for transactions. Before diving in, keep in mind that the true level of RTS enforcement remains to be seen 

Let’s move to Strong Customer Authentication (SCA), a new standard of security and a key component to be enforced by RTS in this phase of PSD2. 

What is Strong Customer Authentication? 

SCA is a PSD2 requirement that ensures electronic payments are performed with multi- factor authentication.  

For SCA, a customer must provide at least two out of three identification factors. These factors can consist of knowledge in the form of passwords, secret questions, PIN codes, or authentication keys; possession in the form of mobile devices or smart chips; or inherence in the form of attributes such as biometrics.  

Strong Customer Authentication

However, not all transactions are subject to SCA. Luckily for merchants, there are some exemptions which can help them bypass SCA: 

  • Payments below 30 EUR ithe total sum of the previous payments is higher than 100 EUR or for every 6th transaction, SCA will be necessary;
  • Merchant-initiated transactions – this includes payments such as subscription or recurring card payments;
  • Low risk transactions – risk is determined based on the average levels of fraud for the card issuer or acquirer processing the transaction;
  • One-leg out transactions – if either transaction party is outside of the European Economic Area, then the SCA regulation does not apply;
  • PoS/Contactless payments – this applies to either individual payments below 50 EUR or five or more payments below 50 EUR. 

3DS vs 3DS2: Solutions For SCA 

3D Secure (3DS) is a messaging protocol which enables consumers to directly authenticate with credit card issuers while shopping online. Its successor, 3DS2, is a better SCA solution under PSD2 for credit cards.  

A big advantage of using 3DS2 over its predecessor is frictionless flow. This allows an issuer to authenticate transactions without additional input from customers.  

Another important attribute of 3DS2 is its liability shift: according to new regulations, liability for chargebacks is shifted from the merchants to the issuers.  

What are the Implications for this Phase of PSD2 Implementation?

A healthy amount of skepticism towards SCA and PSD2 has been raised by merchants. 

Research shows that only 44% of businesses expected to be ready by the September 14th deadline. In fact, 24% of businesses surveyed indicated that they would implement 3DSecure2 only after the deadline. 

Perhaps most shocking is the 57 billion euros of forecasted loss (from the same study) in economic activity due to SCA. This estimate stems from forgone opportunities such as cart abandonment from new security requirements. 

Merchants are justified in their fear of a higher security level causing a lower conversion rate. If merchants stay on 3DS, customers will see more challenges—each and every transaction would need to be confirmed. Merchants who previously could get around 3DS won’t be able to do so anymore.   

Will all these factors lead to higher cart abandon rates? Nobody knows for sure.  

The State of Enforcement

Another issue of concern is whether or not SCA will be strictly enforced after the 14th of September.  

The EBA states that competent authorities can work with stakeholders to grant additional time to comply with SCA. Countries such as Ireland and Germany have even indicated that they will be postponing the rollout for rules on SCA.  

Our Recommendation

In the midst of the skepticism, there is also opportunity 

“While PSD2 makes SCA mandatory, it brings benefits to customers via enhanced control over their accounts. Smart use of exemptions from SCA and frictionless flow applied to 3DS2 authentication can provide reduced risks and an improved user experience for customers.  ” – Danila Turuntaev, Product Manager, optile. 

Yes, the state of enforcement for RTS is uncertain, but if you’re still not ready as a merchant, it’s high time to get things on track. The penalty for non-compliance would be steep. One should assume that banks will decline payments when SCA is not applied. 

Merchants should take advantage of exemptions to keep friction low for consumers. One easy way to do this is by connecting to payment providers that have adjustment strategies for PSD2. 

There are many new parameters which allow issuers to assess risk and to choose frictionless flow. Merchants should provide these parameters even though they are often optional. If you are having trouble implementing changes, it may be comforting to know that 3DS will still, for the near future, count as customer authentication for a majority of banks and providers.  

If You Haven’t Already Done so…

Merchants, start a conversation with your payment providers to understand how they can help you adjust to PSD2. Customers also need to be informed. Online businesses who have not educated their customers about PSD2 on time, must hurry up or put their customer base at risk for shrinking.

You should also maximize their use of exemptions to maintain a stellar checkout and of course, stay vigilant for fraud.   

optile provides a unified interface for merchants to handle the requirements of PSD2 regardless of their provider.  

Comments for this post:

Your email address will not be published. Required fields are marked *

    What’s Next?


    Your unified payment experience starts here.


    Contact us
    • Explore Further
    • Experience Live Demo
    • Calculate Your Benefits
    • Play in Sandbox
    • Brainstorm Business Ideas
    • Fix Individual Workshop