PSD2 Compliance

Important!

Opayo are now taking steps to ensure you remain PSD2 compliant. You may also need to take action.

  1. Enrolment - Opayo will enrol your MID/Merchant Number for both 3DSv1 and 3DSv2 if not already done. 
  2. Enablement - You will need to enable 3D Secure from within My Opayo. If you have not already enabled 3D Secure, please find the instructions to do so here. If you are using our PI or Direct integration you will also need to include the 3D Secure steps of the integration.
  3. Activation - We will check all accounts and enable 3D Secure shortly before the deadline on March 14th 2022. If 3D Secure is not already enabled, we will email you to let you know and then we will activate 3D Secure automatically. To avoid disruption to your payment processing we strongly recommend you enable 3D Secure before March, the sooner the better.
  4. Test your Changes - The Opayo Test server is ready for you to test the new 3DSv2 fields of the integration. Our live environment will be ready later in July for Live tests and transaction processing.

Overview

Opayo will help you to comply with and benefit from PSD2. PSD2 is the acronym for the second Payment Services Directive, which applies to Strong Customer Authentication (SCA) and 3D Secure v2 (3DSv2).

PSD2 took effect in January 2018 and made significant changes to the payment industry in 2019. It was introduced as a follow-up to the original Payment Services Directive (PSD). A key element is the introduction of additional security authentication for eCommerce transactions.

The aims are to:

  • Improve customer rights
  • Foster innovation
  • Inspire pan-European competition

Payment fraud losses steadily increased in the last decade and show no sign of easing. A core component of PSD2 is to reduce fraud by placing strong customer authentication (SCA) requirements on participants.


Regulatory Technical Standard

Article 98 of PSD2 legislation required a Regulatory Technical Standard (RTS) on Strong Customer Authentication (SCA), which came into effect in November 2017.

SCA Requirements

SCA requires 2 of 3 available independent factors in the authentication process:

  • Something your customer knows [knowledge]: for example, a personal identification number (PIN).
  • Something your customer has [possession]: for example, their payment card or smartphone.
  • Something your customer is [inherence]: for example, a fingerprint.

All electronic payments (except for some exemptions) must be authenticated with at least 2 of the 3 factors. This is known as multi-factor authentication (MFA) or two-factor authentication (2FA).

Enforcement

SCA was due to come into force on September 14, 2019. In August 2019, the Financial Conduct Authority (FCA) extended the deadline to give UK businesses, banks, and online account providers more time to implement the necessary tools and processes. Businesses must now be compliant by March 2022.

While a gradual transition to SCA enforcement was expected by banks and issuers across the EU, there are steps you need to take now to prepare your business. At Opayo we’ve worked to minimise the impact for you and your business by upgrading all our systems to support 3D Secure.

The first step to achieving SCA compliance is to ensure your eCommerce payments have at least 3D Secure version 1 (3DSv1) enabled. Read how to enable this on page 8 of our MySagePay User Guide.

Authentication Vs Authorisation

Authentication and Authorisation are distinct:

  • Authentication is the act of validating that the customer is who they claim to be.
  • Authorisation is the act of validating that the paying account has sufficient funds for the transaction and that the account or card is not blocked for some reason.

For ecommerce transactions, we use 3D Secure. This is branded as:

  • Verified by Visa
  • Mastercard Securecode
  • Amex Safekey

Important: European issuers may decline electronic payment transactions without authentication being in place.

3D Secure

When 3D Secure is enabled, an authentication is performed, and the cardholder must be re-directed to their bank's 3D Secure page. If the cardholder's bank grades the transaction risk as ‘high’, then the cardholder is required to prove their identity. This is commonly known as a “step-up”.

Authentication cannot be bypassed (unless an exemption applies). It is expected that only 5% to 10% of authentications will require the cardholder to be re-directed to their bank's 3D Secure page to enter 2FA (challenge authentication). The majority of authentication requests result in a frictionless authentication, where the cardholder is not required to be re-directed to their bank's 3D Secure page for 2FA.

For contactless card machine transactions (also ‘eCommerce’), card issuers are required to prompt the cardholder to perform a Chip and PIN transaction when their cumulative contactless spend reaches €150 since their last Chip and PIN transaction.

3D Secure version 2

How a 3D Secure authentication is performed is up to the card issuer. SCA can be achieved with 3DSv1, and the second version of 3D Secure (3DSv2) makes it even easier for eCommerce transactions. Improvements over 3DSv1 include:

  • Responsive payment pages that work well on any device.
  • Support for biometric authentication (fingerprint or facial identification).
  • Availability of a frictionless authentication flow, where customers do not experience the authentication taking place.

3DSv2 Support

Our gateway supports transactions using 3DSv1 and 3DSv2.