2-factor Authentication and PSD2 in Europe: What Merchants Need to Know

What is it, and why is it essential for your businesses?

The revised Payment Services Directive (PSD2) is a new law in Europe that aims to protect customers from online fraud. This law makes it mandatory for all online customer payments to be verified using a Strong Customer Authentication (SCA) process. While PSD2 will regulate payment service providers, retailers need to remain compliant with the new law.

The PSD2 is applicable in all countries in the EU, plus Iceland, Lichtenstein, Norway, and the UK. The new requirements have been in force across the EU from 31 December 2020. In the UK, the deadline for compliance is from 14 September 2021.

Under the PSD2, your customers will now be asked to share more information when they shop with you online. And as a merchant, you will have to implement SCA such as 2-factor authentication during your checkout process. This is valid for all payments initiated by the customer and made using a card issued in the EU or UK. This also applies to cards that are processed by an EU- or UK-based payment service provider.

How does SCA work, and how does it affect merchants?

Strong Customer Authentication (SCA) is a 2-factor authentication process that verifies every transaction using at least two of three possible factors:

Knowledge (for example, a PIN or password)
Possession (for example, a card, token, or phone)
Inherence (for example, a fingerprint or iris scan)

The main goal of SCA is to reduce payment fraud while keeping the payment process as frictionless as possible. A popular industry-standard tool for 2-Factor Authentication is 3D Secure. The latest version 3D Secure 2.1 offers several user-friendly features such as fingerprints or facial recognition and in-app authentication. It also works with digital wallets such as Apple Pay or Google Pay, making the authorization process much smoother.

Another point to note is that SCA authentication is not applicable to certain transactions. These include low-value transactions, recurring transactions and merchants ‘whitelisted’ by customers to indicate places where they make repeat purchases.

What do you need to do next?

There are a couple of things you could do to comply with the PSD2 and SCA regulatory requirements.

Upgrade your payments infrastructure and start accepting SCA-compliant payments.

Consider implementing 3D Secure 2-factor authentication as soon as possible so that you are fully compliant with the PSD2 SCA requirements. Upgrade your website checkout process and update your mobile app API. Check if your current payments services provider is already compliant with SCA and if they will be making the upgrade to 3D Secure 2 automatically. If you see your cart abandoned rate increasing or online sales dropping, consider working with a payment services provider with a lower fraud rate.

Update Your Privacy Policy to inform customers about your use of 3D Secure.

GDPR laws in EU require you to inform your customers of the types of personal data you collect on them. This includes other third parties who may collect personal data on your behalf. 3D Secure processes the personal data of your customers, such as card details and passwords. 3D Secure 2 may request biometric data and automatically collect personal data such as device IDs. Updating your Privacy Policy to factor in these updates will enable your customers to make more informed decisions.

Antony Robinson

Antony Robinson is an experienced IT expert, information architect and a customer experience evangelist. He has over 30 years of experience in web technologies, user experience, media, and marketing. Antony is currently the CMO of Novalnet AG, a fintech company in Germany. As CMO, he leads the company’s marketing strategy and fosters collaborations. Antony’s expertise and dedication to technology and innovation make him a valuable leader in his field.