Login >

Payment Services Directive 2, Strong Customer Authentication and 3D Secure v2

Payment Services Directive

The new EU Payment Services Directive (PSD2) took effect in January 2018 and is set to make significant changes to the payment industry in 2019. 

PSD2 was introduced as a follow up to the original Payment Services Directive (PSD). A key element of PSD2 is the introduction of additional security authentications for ecommerce transactions.

The aim is to bring in new laws to increase customer rights, foster innovation and inspire pan-European competition. 

Sage Pay are here to help guide you through the changes that will come into effect in September 2019 and ensure you have the tools to benefit from and remain compliant with the new regulations.  

Why is Strong Customer Authentication needed?

Payment fraud losses have been steadily increasing for nearly a decade with little sign of easing. The European Commission has intervened by placing strong customer authentication (SCA) requirements on participants to reduce fraud as one of the core components of PSD2. 

From the 14th September 2019, the expectation is for all ecommerce transactions to be processed via secured industry protocol such as 3D Secure. Ecommerce transactions will need additional authentication (with some exemptions).  

Strong Customer Authentication requirements?

SCA requires at least two independent factors in the authentication process. The three available factors for authentication are listed below.  

  1. Something your customer knows [knowledge]: e.g. a PIN
  2. Something your customer has [possession]: e.g. card, smartphone
  3. Something your customer is [inherence]: e.g. fingerprint

Each electronic payment (except for some exemptions) must be authenticated with at least two of these factors. This is known as multi-factor authentication (MFA) or two-factor authentication (2FA). 

So what will be different?

The customers' payment journey may look a little different. Today if 3D Secure is enabled, an authentication is performed, and the cardholder will always be re-directed to their banks 3D Secure page. If the cardholders bank deems the transaction risk to be ‘high’, the cardholder will be required to prove their identity. This is commonly known as a “step-up”. After September 2019, authentication will become the new default and cannot be bypassed (unless an exemption applies). Although authentication will be performed,  it is expected that only 5% to 10%  of authentications will result in the cardholder having to be re-directed to their banks 3D Secure page to enter 2FA (challenge authentication). The majority of the authentication requests will result in a frictionless authentication, where the cardholder is not re-directed to their banks 3D Secure page to enter 2FA.​​

Contactless card machine transactions (also ‘ecommerce’) will be subject to new rules. After 14th September, card issuers are required to prompt the Cardholder to perform a Chip and Pin transaction each time their cumulative contactless spend reaches €150 since their last Chip and Pin transaction  

Regulatory Technical Standard

One of the many things included in the PSD2 legislation was a directive that the EBA/ECB prepared, Regulatory Technical Standard (RTS) on Strong Customer Authentication (SCA). [Article 98 of PSD2] 

In November 2017, the RTS on SCA was signed and this new EU regulation comes into force on 14th September 2019.  

When does the regulation apply?

This regulation applies to any electronic payment that takes place within the European Economic Area (EEA). For ecommerce card-based transactions (including digital wallets backed by cards), it applies to transactions where both the card issuer (i.e. financial institution with whom cardholder has relationship) and the acquirer (i.e. financial institution with whom merchant has relationship) both reside within the EEA.  

Authentication Vs Authorisation?

Authentication is the act of validating that the customer is who they claim to be. This is distinct to authorisation which is the act of validating that the account has sufficient funds for the transaction and the account (or card) is not blocked for some reason. For ecommerce transactions today, we use 3D Secure(sometimes known as Verified by Visa, or Mastercard Securecode or Amex Safekey) to authenticate the customer. 

3D Secure v2

A new version of the authentication protocol for ecommerce transactions, 3D Secure, has been published. It contains many improvements to make it easier to achieve SCA on ecommerce transactions. The main improvements are:

  • Responsive payment pages to work well on any device
  • Support for biometric authentication (fingerprint / face id)
  • Possibility of frictionless authentication flow – where customer doesn’t even realise that authentication has taken place.

During a 3D Secure authentication, how the authentication is performed is up to the card issuer. It’s possible to achieve SCA with 3DSv1, however 3DSv2 makes achieving SCA much easier.  

What are Sage Pay doing?

We are in the process of upgrading our gateway to support 3DSv2 and to make the necessary changes for contactless card machine transactions. We will be certifying our updated gateway with the card schemes and acquirers in the coming months. We aim to deliver these changes in a way that minimises the changes our customers need to make.  

What will happen after 14th September 2019?

European issuers are likely to start declining electronic payment transactions that have no authentication in place. The current 3D Secure implementation [3DSv1] will continue to be supported until end of 2020 (at which time 3DSv2 becomes mandatory worldwide).  


To find out what customers need to do now and in the future, click here