PSD2 Compliance

On this page:

Overview

Opayo will help you to comply with and benefit from PSD2. PSD2 is the acronym for the second Payment Services Directive, which applies to Strong Customer Authentication (SCA) and 3D Secure v2 (3DSv2).

PSD2 took effect in January 2018 and made significant changes to the payment industry in 2019. It was introduced as a follow up to the original Payment Services Directive (PSD). A key element is the introduction of additional security authentications for eCommerce transactions.

The aims are to:

  • Improve customer rights
  • Foster innovation
  • Inspire pan-European competition

Payment fraud losses steadily increased in the last decade and show no sign of easing. A core component of PSD2 is to reduce fraud by placing strong customer authentication (SCA) requirements on participants.

 

Regulatory Technical Standard

Article 98 of PSD2 legislation required a Regulatory Technical Standard (RTS) on Strong Customer Authentication (SCA), which came into effect in November 2017.

SCA Requirements

SCA requires 2 of 3 available independent factors in the authentication process: 

  • Something your customer knows [knowledge]. For example, a personal identification number (PIN).
  • Something your customer has [possession]: For example, their payment card or smartphone.
  • Something your customer is [inherence]: For example, a fingerprint.

All electronic payments (except for some exemptions) must be authenticated with at least 2 of the 3 factors. This is known as multi-factor authentication (MFA) or two-factor authentication (2FA).

Authentication Vs Authorisation

Authentication and Authorisation are distinct:

  • Authentication is the act of validating that the customer is who they claim to be
  • Authorisation is the act of validating that the paying account has sufficient funds for the transaction and it, or the card is not blocked for some reason.

For ecommerce transactions, we use 3D Secure. This is branded as:

  • Verified by Visa
  • Mastercard Securecode
  • Amex Safekey
Important: European issuers may decline electronic payment transactions without authentication being in place.

3D Secure

When 3D Secure is enabled, an authentication is performed, and the cardholder must be re-directed to their bank's 3D Secure page. If the cardholder's bank grades the transaction risk as ‘high’, then the cardholder is required to prove their identity. This is commonly known as a “step-up”.

Authentication cannot be bypassed (unless an exemption applies). It is expected that only 5% to 10% of authentications will require the cardholder to be re-directed to their bank's 3D Secure page to enter 2FA (challenge authentication). The majority of authentication requests result in a frictionless authentication, where the cardholder is not required to be re-directed to their bank's 3D Secure page for 2FA.​​

For contactless card machine transactions (also ‘eCommerce’), card issuers are required to prompt the Cardholder to perform a Chip and Pin transaction when their cumulative contactless spend reaches €150 since their last Chip and Pin transaction. 

3D Secure version 2

How a 3D Secure authentication is performed is up to the card issuer. SCA can be achieved with 3D Secure (3DSv2) makes it even easier for eCommerce transactions. Improvements over the previous version include:

  • Responsive payment pages work well on any device.
  • Support for biometric authentication (fingerprint or facial identification)
  • Availability of a frictionless authentication flow, where customers do not experience the authentication taking place.