
How to be PSD2 compliant? A no-nonsense guide for merchants

Smartphone displaying a digital card on screen with a Face ID authentication icon shown above the card.
Discover how PSD2 strong customer authentication strengthens online payments, reduces fraud, and builds trust. Guidance for businesses, fintechs, and payment providers.
If your business operates online in Europe, you’ve already felt the effects of PSD2 and its Strong Customer Authentication (SCA) rules. These rules are reshaping digital payments, protecting consumers, and reducing fraud—but they also create challenges for merchants.
Failing to comply can result in declined transactions, lost revenue, and regulatory penalties. Meeting the standards on time, however, helps you protect your business, maintain customer trust, and avoid payment disruptions.
To help you make sense of the requirements, we’ve prepared this practical guide.
What’s inside
This guide is a straightforward resource for merchants, fintechs, and payment providers. It explains how SCA works, when it applies, and which exemptions exist. You’ll also find a checklist to help your business stay compliant without disrupting your customers’ payment experience.
The guide covers:
  • What PSD2 and SCA mean for your business
  • How SCA works in practice
  • Exceptions and out-of-scope transactions
  • Standards for PSD2 compliance
  • PSD2 compliance checklist
Open this guide and take the next step toward secure, compliant, and customer-friendly payments.
Online purchases account for over half of all card-related fraud in the Single Euro Payments Area (SEPA), which includes 35 European nations. To protect consumers and financial institutions in the European Economic Area (EEA) from fraud and financial crime, the EEA implemented the Strong Customer Authentication (SCA) rules in 2019.
As required by the Revised Directive on Payment Services (PSD2) of the European Union, SCA mandates that payment service providers within the EEA use multi-factor authentication (MFA) to enhance the security of electronic and online payments.
This article explores the various payment methods affected by Europe's SCA regulations. Additionally, we will explain how SCA impacts your company and which transactions are exempt or not covered under these mandates.

What is SCA?

SCA is a European legislative requirement designed to combat cybercrime and increase the security of offline and online payments.
Visual representation of the three authentication factors for Strong Customer Authentication (SCA)
To comply with SCA, payment service providers must add an authentication step to the checkout flow before a payment is authorized. Authentication must combine at least two independent elements from the following three categories, chosen so that compromising one does not compromise the other:
  1. Knowledge: something only the customer knows (a password or PIN)
  2. Possession: something only the customer has (a phone or registered device, a hardware token, the card itself)
  3. Inherence: something the customer is (fingerprint or facial recognition)
Under PSD2 the resulting authentication code must also be dynamically linked to the amount and the payee, so a code obtained for one payment cannot be replayed for another. Previously, buyers only had to enter their card details to finish a purchase; the extra step gives end users more confidence in paying online, and a well-implemented flow (for example, in-app biometrics instead of typed codes) keeps friction low so fewer checkouts are abandoned.

Why are PSD2 and SCA important?

PSD2 builds on the 2007 directive (PSD1) in three major areas:
  • Stronger protections for consumers making financial transactions;
  • Regulated third-party access to payment accounts (account information and payment initiation services), which opens the market to fair competition;
  • Enhanced security.
The security part is a specific set of requirements called Strong Customer Authentication (SCA). The legal obligation falls on payment service providers (issuers and acquirers), but any company selling online in the EEA feels it directly: transactions that arrive unauthenticated where SCA is required are declined by the issuer.

When did SCA take effect?

SCA went into effect on September 14, 2019. Because the industry was not ready, the European Banking Authority allowed national regulators to give payment service providers until December 31, 2020 to enforce it. All EEA member states now mandate PSD2 SCA compliance. The UK’s deadline for full implementation was March 14, 2022.
PSD2 (Directive (EU) 2015/2366, the EU legislation that requires payment services to strengthen customer authentication) was proposed in 2013 and adopted by the European Parliament and the Council of the European Union in 2015. It replaced the original Payment Services Directive (PSD) of 2007. Member states had to apply PSD2 from January 13, 2018; the detailed SCA rules, set out in the Regulatory Technical Standards (RTS) on strong customer authentication and secure communication, applied from September 14, 2019 to give the industry time to implement them.
As of 2021, PSD2 is fully implemented across all 27 EU member states, as well as Norway, Iceland, and Liechtenstein, which are part of the European Economic Area. The directive applies to all payment service providers operating within the EEA, including banks, payment institutions, and e-money institutions.
One of the most significant changes introduced by PSD2 is the requirement for banks to allow third-party providers to access their customers' account information and payment initiation services through open APIs (Application Programming Interfaces). However, with the increased access to customer data and payment initiation services, there was also a risk of increased fraud and security breaches. Therefore, to address these concerns, PSD2 introduced another requirement called Strong Customer Authentication (SCA).
Under PSD2, consumers have greater control over their payment transactions, as they can choose to authorize third-party providers to access their account information and initiate payments on their behalf. This has led to increased innovation in the payments market, as well as improved security standards and consumer protection. However, it has also posed challenges for some payment service providers, particularly smaller ones who may struggle to meet the requirements for SCA.

How does SCA work?

The best way to implement Strong Customer Authentication varies by payment system. For debit and credit card payments, SCA is mandatory in most cases. Many regional payment options, including e-wallets, provide their own SCA-compliant authentication step. Let's look at the two major ones:

3D Secure

Most online card payments today use 3-D Secure (3DS) for authentication, and most cards issued in Europe support it. With 3DS, after the customer submits the checkout form the card issuer may ask for an extra proof of identity, for example a one-time code sent to the customer's phone or a fingerprint confirmation in the mobile banking app.
3-D Secure 2 (EMV 3DS) is now the most widely used way to verify cardholders online under SCA. It passes much richer device and transaction data to the issuer, which lets the issuer approve low-risk payments without a challenge (the "frictionless" flow) and reserve the extra step for riskier ones. For in-person card transactions, chip-and-PIN already satisfies SCA: the card is the possession element and the PIN the knowledge element.

Digital wallets and regional payment options

Digital wallets such as Apple Pay and Google Pay are card-based payment methods with their own built-in authentication step (biometrics or a device passcode), which the issuer can accept as SCA. With these, stores can give customers a streamlined checkout without sacrificing compliance.

What situation calls for SCA?

Any transaction initiated by the customer (a customer-initiated transaction, CIT) calls for strong customer authentication. This applies both to online card payments and to electronic bank transfers. SCA is not required for a merchant-initiated transaction (MIT), such as a recurring debit, provided the mandate or stored card that the MIT runs under was itself set up with SCA.
In practice, SCA is mandatory for an online payment when both the cardholder's bank (issuer) and the merchant's payment provider (acquirer) are located in the EEA, the United Kingdom, or Monaco. That's why online shoppers in these regions must complete an additional authentication step during checkout.

Exceptions to SCA

Exemptions from the SCA should maintain a smooth user experience for certain types of transactions. Transactions that are outside of PSD2’s limits do not require SCA. Listed below are the most notable exempt or out-of-scope transactions.
An SCA exception applies in certain circumstances. The retailer will inquire with the bank or credit card company about the exemption as part of the
Based on the level of risk, the retailer (through its acquirer) can request an exemption, and the issuer decides whether to grant it. If it is granted, the purchase does not need to go through the second authentication step; the issuer can still refuse the exemption and demand a challenge.
Illustration showing the exemptions to Strong Customer Authentication (SCA)
Let us review some typical cases where the SCA rules don’t apply.

Low-risk transactions

A payment service provider (the acquirer or the issuer) may run a real-time risk assessment, called Transaction Risk Analysis (TRA), and skip SCA for payments it judges low-risk. To do so, the provider's own fraud rate for remote card payments, measured on a rolling quarterly basis, must stay at or below the reference rate for the amount band in question:
Exemption threshold value (EUR)    Reference fraud rate (remote card payments)
500                                0.01%
250                                0.06%
100                                0.13%
Payments above EUR 500 can never be exempted under TRA. For other currencies the thresholds are converted to the equivalent local value. The provider that applies the exemption takes liability for fraud on it, and the cardholder's bank may still refuse the exemption and insist on authentication, especially if its own fraud rate exceeds the threshold.

Low-value transactions

SCA is not required for a remote payment of EUR 30 or less. However, the issuing bank tracks how often this exemption is used: once the payments made without SCA since the last authentication add up to more than EUR 100, or there have been more than five of them in a row, the next payment must go through SCA, after which the counters reset. (The RTS lets the issuer choose which of the two counters to apply; treat both as limits to be safe.)

Recurring transactions

Recurring payments of a fixed amount to the same payee (a subscription, for instance) need SCA only when the series is set up or the amount changes; subsequent payments of the same amount are exempt. Recurring payments of a variable amount are instead handled as merchant-initiated transactions, which are outside the scope of SCA once the initial mandate has been authenticated.

Trusted beneficiaries

Customers can whitelist a trusted merchant during the payment authentication process so that they don’t have to provide authentication for future purchases with that merchant. The customer’s bank or payment service provider will add these companies to a list of trusted beneficiaries.

B2B transactions

Payments between businesses can qualify for the corporate payments exemption: if they use a dedicated B2B payment process or protocol (such as a corporate card with a lodged or virtual card number) that the national regulator has confirmed offers security equivalent to SCA, no authentication step is needed. This is distinct from merchant-initiated transactions, which fall outside SCA altogether because the customer is not present when the payment is made.
Phone and mail orders are likewise out of scope, because they are not electronic transactions as defined by PSD2. The same is true where either the card issuer or the acquirer is located outside the European Economic Area, Monaco, or the United Kingdom.

Out-of-scope SCA transactions

Merchant-initiated transactions (MITs)

A merchant-initiated transaction (MIT) is one the merchant triggers instead of the customer. With the customer's prior agreement, the merchant charges the stored card details on the due date without the customer being present.
Utility bills are a typical case: the amount varies with usage, so the fixed-amount recurring exemption cannot apply. The first transaction, whether a purchase or simply saving the card for later use, must be authenticated with SCA. Subsequent payments that are flagged to the issuer as MITs, and that reference that initial authenticated transaction, can then bypass SCA.

Mail order/Telephone order (MOTO)

MOTO stands for mail order/telephone order: sales in which the customer gives card details by post or over the phone. SCA does not apply to transactions conducted entirely by mail or telephone, because PSD2 does not regard them as electronic payments. Note that the merchant must flag such payments as MOTO to the acquirer; a card-not-present payment keyed into a normal e-commerce flow is not MOTO.

One-leg-out transactions

This term refers to transactions in which either the card issuer or the acquirer is located outside the European Economic Area. SCA treats these transactions as out of scope, so European companies can accept payments from cardholders outside Europe without meeting the PSD2 SCA requirements, although regulators expect the EEA-side provider to apply SCA on a best-effort basis where it can.

Anonymous transactions

If a customer pays by an anonymous means such as an anonymous prepaid or gift card, SCA does not apply because there is no identified payer to authenticate.
There are many other exceptions and out-of-scope situations, and banks, card schemes, and regulators interpret them differently. The Regulatory Technical Standards (RTS) on SCA under PSD2 contain the full list of exemptions.
When you use the Solidgate payment processing platform, our team takes compliance off your shoulders: Solidgate supports PSD2 SCA flows and is PCI DSS certified. In addition, the Transaction Risk Analysis (TRA) exemption allows specific transactions to skip SCA, provided a robust real-time risk analysis is performed and the provider applying it stays under the fraud-rate thresholds described above.
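To make the exemption rules above concrete, here is an added example, written for this article and not Solidgate's code or any issuer's actual logic, of an issuer-side decision function in Python. It models the out-of-scope cases (MIT, MOTO, one-leg-out, anonymous prepaid), the fixed-amount recurring exemption, the low-value exemption with its cumulative-amount and count limits, and TRA checked against the RTS fraud-rate tiers. The Transaction and CardState classes, the eur helper, and the choice to apply both low-value counters (the RTS lets the issuer pick either) are assumptions for illustration; a real issuer also consults its own risk engine and scheme rules.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from enum import Enum
from typing import Dict, List, Optional

# Limits taken from the RTS on SCA (Regulation (EU) 2018/389) for remote card payments.
LOW_VALUE_MAX = Decimal("30")          # Art. 16(a): per-transaction limit
LOW_VALUE_CUMULATIVE = Decimal("100")  # Art. 16(b): cumulative amount since last SCA
LOW_VALUE_COUNT = 5                    # Art. 16(c): consecutive payments since last SCA
# Art. 18 and Annex: (exemption threshold value, reference fraud rate) tiers.
TRA_TIERS = (
    (Decimal("500"), Decimal("0.0001")),  # fraud rate <= 0.01 %
    (Decimal("250"), Decimal("0.0006")),  # fraud rate <= 0.06 %
    (Decimal("100"), Decimal("0.0013")),  # fraud rate <= 0.13 %
)


def eur(value: str) -> Decimal:
    """Exact money/rate value from a string (avoids binary float rounding)."""
    return Decimal(value)


class Outcome(Enum):
    OUT_OF_SCOPE = "out_of_scope"
    EXEMPT_RECURRING = "exempt_recurring"
    EXEMPT_LOW_VALUE = "exempt_low_value"
    EXEMPT_TRA = "exempt_tra"
    SCA_REQUIRED = "sca_required"


@dataclass(frozen=True)
class Transaction:
    """Hypothetical model of an authorisation request as seen by the issuer."""
    amount_eur: Decimal
    issuer_in_eea: bool = True
    acquirer_in_eea: bool = True
    merchant_initiated: bool = False  # MIT referencing an SCA-authenticated mandate
    moto: bool = False                # keyed in from a mail or telephone order
    anonymous_prepaid: bool = False   # e.g. anonymous gift card
    series_id: Optional[str] = None   # fixed-amount recurring series, if any


@dataclass
class CardState:
    """Per-card counters an issuer keeps between authentications (hypothetical)."""
    amount_since_sca: Decimal = Decimal("0")
    count_since_sca: int = 0
    authenticated_series: Dict[str, Decimal] = field(default_factory=dict)


def tra_limit(psp_fraud_rate: Decimal) -> Optional[Decimal]:
    """Largest amount the PSP may exempt under TRA for its rolling fraud rate."""
    for threshold, max_rate in TRA_TIERS:
        if psp_fraud_rate <= max_rate:
            return threshold
    return None  # fraud rate too high: TRA unavailable at any amount


def decide(tx: Transaction, state: CardState, psp_fraud_rate: Decimal) -> Outcome:
    """Classify a transaction as out of scope, exempt, or requiring SCA."""
    if not (tx.issuer_in_eea and tx.acquirer_in_eea):  # one-leg-out
        return Outcome.OUT_OF_SCOPE
    if tx.merchant_initiated or tx.moto or tx.anonymous_prepaid:
        return Outcome.OUT_OF_SCOPE
    # Art. 14: same amount to the same payee after an authenticated first payment.
    if tx.series_id and state.authenticated_series.get(tx.series_id) == tx.amount_eur:
        return Outcome.EXEMPT_RECURRING
    # Art. 16: conservative reading, both counters must stay within their limits.
    if (tx.amount_eur <= LOW_VALUE_MAX
            and state.amount_since_sca + tx.amount_eur <= LOW_VALUE_CUMULATIVE
            and state.count_since_sca < LOW_VALUE_COUNT):
        return Outcome.EXEMPT_LOW_VALUE
    # Art. 18: TRA, only up to the tier the PSP's fraud rate allows.
    limit = tra_limit(psp_fraud_rate)
    if limit is not None and tx.amount_eur <= limit:
        return Outcome.EXEMPT_TRA
    return Outcome.SCA_REQUIRED


def record(tx: Transaction, state: CardState, outcome: Outcome, sca_ok: bool = True) -> None:
    """Update the card's counters after the decision (and the challenge, if any)."""
    if outcome in (Outcome.EXEMPT_LOW_VALUE, Outcome.EXEMPT_TRA, Outcome.EXEMPT_RECURRING):
        # Every in-scope payment made without SCA counts towards the Art. 16 limits.
        state.amount_since_sca += tx.amount_eur
        state.count_since_sca += 1
    elif outcome is Outcome.SCA_REQUIRED and sca_ok:
        state.amount_since_sca = Decimal("0")
        state.count_since_sca = 0
        if tx.series_id:
            state.authenticated_series[tx.series_id] = tx.amount_eur


def simulate(txs: List[Transaction], psp_fraud_rate: Decimal) -> List[Outcome]:
    """Run a sequence of payments on one card, assuming every challenge succeeds."""
    state = CardState()
    outcomes = []
    for tx in txs:
        outcome = decide(tx, state, psp_fraud_rate)
        record(tx, state, outcome)
        outcomes.append(outcome)
    return outcomes


if __name__ == "__main__":
    # Constructed sample: seven EUR 20 payments at a PSP whose 0.2 % fraud rate rules out TRA.
    for i, o in enumerate(simulate([Transaction(eur("20"))] * 7, eur("0.002")), 1):
        print(f"payment {i}: {o.value}")
```

Running the sample shows the counter behaviour described above: the first five EUR 20 payments are exempted as low-value, the sixth would push the cumulative amount past EUR 100 and so requires SCA, and once that challenge succeeds the counters reset and the seventh is exempt again. Swapping the fraud rate for 0.05% makes TRA available up to EUR 250, which is why the acquirer's own fraud rate is worth monitoring as a business metric and not only as a compliance figure.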

What if a business is not SCA compliant?

The cardholder's bank will decline any in-scope transaction that arrives without authentication and without an accepted exemption, typically as a "soft decline" asking the merchant to retry through 3-D Secure. If your checkout cannot do that, the sale is lost, which is expensive if online payments are most or all of your income. Regulators also act against non-compliant firms: the UK's FCA, for example, has said it will take full supervisory and enforcement measures against firms that cannot meet the SCA standards.
The good news is you don’t have to view this as a threat to your company but rather as an opportunity. If you prepare for SCA now, you can have an advantage over inadequately prepared rivals later.

Standards for PSD2 compliance

PSD2 compliance requirements include several key elements such as open APIs for third-party access, strong customer authentication (SCA), enhanced transparency, faster complaint resolution, and cessation of debit/credit card surcharges. Learn more about these requirements below:
  1. Open APIs for third-party access - Banks must allow third-party payment providers access to their APIs for free.
  2. Strong customer authentication (SCA) - All electronic payments must be authorized using a minimum of two independent factors, such as fingerprint + password.
  3. Enhanced transparency - For example, PSD2 bans the use of non-transparent pricing methods, and banks must clearly explain financial products.
  4. Improved complaint resolution - Payment service providers must give a full response to complaints governed by PSD2 within 15 business days.
  5. Elimination of debit/credit card surcharges - PSD2 bans surcharges on consumer debit and credit cards (those covered by the EU Interchange Fee Regulation) and on SEPA transfers. A merchant cannot add an extra fee when a customer opts to pay with such a card.

Checklist for PSD2 compliance

As PSD2 continues to transform the payments industry within the European Union, banks and third-party payment systems must ensure that they are compliant with the directive's regulations. PSD2 compliance not only ensures that financial institutions and payment service providers meet legal requirements but also enables them to capitalize on the opportunities provided by open banking. However, achieving and maintaining compliance can be a complex and challenging task. Below we will provide a checklist for PSD2 compliance to guide banks and third-party payment systems through the process of staying compliant and taking advantage of the benefits of open banking.

For banks

Banks can achieve PSD2 compliance by sticking to this checklist:
  • Hold the right authorisation - Banks are authorised as credit institutions; any other firm providing payment services must be authorised or registered as a payment institution with its national competent authority to operate under PSD2.
  • Implement strong customer authentication (SCA) - Banks must implement SCA using at least two authentication factors for all electronic payment transactions.
  • Provide access to account information and payment initiation - Banks must provide third-party providers with access to their customers' account information and payment initiation services through open APIs.
  • Ensure data protection and confidentiality - Banks must ensure the confidentiality and protection of customer data by implementing adequate security measures.
  • Keep records - Payment service providers must keep records of payment transactions for at least five years, and longer where national law requires.
  • Report and notify security incidents - Banks must report major operational or security incidents to their national competent authority and inform affected customers when an incident may affect their financial interests, telling them what they can do to limit the damage.
  • Conduct regular security assessments - Banks must conduct regular security assessments to identify any vulnerabilities in their systems and implement the necessary security measures.
  • Provide transparency - Banks must provide transparent information to customers regarding fees, charges, and payment transaction details.
  • Ensure compliance of third-party providers - Banks must ensure that any third-party providers they work with are also PSD2 compliant by monitoring their compliance.

For third-party payment systems

To ensure third-party payment systems are PSD2 compliant, we recommend following this basic checklist:
  • Apply for and receive an Account Information Service Provider (AISP) registration or a Payment Initiation Service Provider (PISP) licence from the national competent authority.
  • Implement Strong Customer Authentication - Use at least two independent factors and generate one-time authentication codes that are dynamically linked to the amount and payee. The EBA accepts SMS one-time codes as evidence of possession (of the SIM), but they are exposed to SIM-swap and interception attacks, so prefer app-based or device-bound authenticators; static passwords alone and reusable codes are not compliant.
  • Implement Know Your Customer (KYC) - Third-party payment providers need to gather information such as full name, address, contact details, identity documents, tax identification numbers, and other legal documents.
  • Build secure applications featuring...
  • Obtain user consent - Under PSD2, third-party providers (TPPs) must obtain the user's explicit consent before accessing account information or initiating a payment on their behalf, and the user then authenticates with their bank. The three SCA flows for this are redirect (the user is sent to the bank's own interface), decoupled (the bank asks the user to approve on a separate channel, such as its app), and embedded (the user's credentials are entered in the TPP's interface and passed to the bank's API).

Have any questions left? Our team is always happy to answer your questions and provide guidance whenever you need it.
For help, reach out to your account manager or our support team: support@solidgate.com
To get started with Solidgate, contact our team to discuss the details.

Frequently asked questions

PSD2 compliance refers to adhering to the requirements of the Revised Payment Services Directive (PSD2), European Union legislation aimed at enhancing payment security and promoting competition in the payment industry. It imposes obligations on banks and payment service providers, and indirectly on the merchants who use them, to protect customer data and enable secure online payments.

To achieve PSD2 compliance, merchants can take several steps: support strong customer authentication (SCA) for online transactions, for example through 3-D Secure 2; use payment service providers that are licensed under PSD2; flag merchant-initiated and MOTO transactions correctly so they are not challenged unnecessarily; and put appropriate fraud prevention measures in place so that exemptions such as Transaction Risk Analysis remain available. Merchants that accept open banking payments should also make sure their provider's integration with the banks' open banking APIs is compliant.

Non-compliance with PSD2 can have serious consequences for merchants. Regulatory authorities can impose fines or penalties for non-compliance, which can be substantial. In addition, merchants may face reputational damage, loss of customer trust, and potential legal action. It is crucial for merchants to understand and meet the requirements of PSD2 to avoid these negative outcomes.