Boolean and Beyond
© 2026 Blandcode Labs pvt ltd. All rights reserved.

Bangalore, India

PSD2 & Strong Customer Authentication Guide

Complete guide to PSD2 compliance: SCA requirements, exemptions, 3D Secure 2 implementation, and liability shifts.

What is PSD2 and why does Strong Customer Authentication matter?

PSD2 (the second Payment Services Directive) is EU legislation that requires Strong Customer Authentication (SCA) for electronic payments. SCA mandates two independent authentication factors drawn from three categories: something the user knows (a password), something the user has (a phone), and something the user is (a biometric). Non-compliance results in declined transactions and potential fines.

Understanding PSD2 and SCA

PSD2 fundamentally changed European payments when SCA requirements became mandatory. Understanding these requirements is essential for any business accepting payments in Europe.

Strong Customer Authentication (SCA) requires two independent authentication factors from three categories:

  • Knowledge: Password, PIN, security question
  • Possession: Phone, hardware token, smart card
  • Inherence: Fingerprint, face recognition, behavioral biometrics

The factors must be independent—compromising one doesn't compromise the other. A password stored on a phone doesn't count as two factors.

When SCA Applies

SCA is required for customer-initiated electronic payments within the European Economic Area (EEA).

Transactions requiring SCA:

  • Online card payments (e-commerce)
  • Bank transfers initiated online
  • Adding new payment methods
  • First payment of a recurring series
  • Accessing payment account information

Transactions NOT requiring SCA:

  • Merchant-initiated transactions (after initial setup)
  • Mail order/telephone order (MOTO)
  • One-leg transactions (payer or payee outside the EEA)
  • Anonymous prepaid cards under €150
  • Unattended terminals for transport/parking

Understanding scope helps you know which transactions need SCA flows and which don't.

SCA Exemptions

Exemptions allow transactions to proceed without SCA, reducing friction for low-risk payments.

Low-value transactions:

  • Under €30 per transaction
  • Cumulative limit: €100 or 5 transactions since the last SCA
  • The issuer may decline the exemption once either limit is exceeded

Recurring payments:

  • Same amount to the same merchant
  • SCA required for the initial setup
  • Subsequent payments exempt

Trusted beneficiaries:

  • The customer whitelists specific merchants
  • SCA required to add a merchant to the whitelist
  • Future payments to whitelisted merchants exempt

Low-risk transactions (Transaction Risk Analysis):

  • Merchant fraud rate below the thresholds
  • Exemption amounts: €100 (0.13% fraud rate), €250 (0.06% fraud rate), €500 (0.01% fraud rate)
  • Requires real-time fraud analysis

Corporate payments:

  • B2B payments using dedicated corporate cards
  • Secure corporate payment processes

Request exemptions through your payment provider. The issuing bank makes the final decision whether to honor the exemption.
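The following is an added example, not code from this guide or from any payment provider's SDK. It turns the scope rules from "When SCA Applies" and the exemption conditions above into one merchant-side decision helper; the `Txn` and `CustomerState` field names, and the assumption that the cumulative counters since the last SCA are available, are this example's own.

```python
from dataclasses import dataclass

# TRA bands from the guide: (merchant fraud rate ceiling in %, exemption amount ceiling in EUR),
# ordered so the first matching band is the most generous one the merchant qualifies for.
TRA_BANDS = [(0.01, 500), (0.06, 250), (0.13, 100)]

@dataclass
class Txn:
    amount_eur: float
    customer_initiated: bool = True      # False for merchant-initiated transactions (MIT)
    channel: str = "ecommerce"           # "ecommerce" or "moto" (mail/telephone order)
    payer_in_eea: bool = True
    payee_in_eea: bool = True
    recurring_same_amount: bool = False  # continuation of a series whose first payment did SCA
    merchant_whitelisted: bool = False   # customer added this merchant as a trusted beneficiary
    corporate_card: bool = False         # dedicated corporate card / secure corporate process

@dataclass
class CustomerState:
    """Counters since the customer last completed SCA (issuer-side data; assumed available here)."""
    spent_since_sca_eur: float = 0.0
    count_since_sca: int = 0

def sca_decision(txn: Txn, state: CustomerState, merchant_fraud_rate_pct: float) -> str:
    """Return 'out_of_scope', 'exempt:<reason>' or 'sca_required'.

    Scope rules come first (SCA never applies), then exemptions in order of least
    friction. Whatever this returns, the issuing bank still has the final say.
    """
    if not txn.customer_initiated or txn.channel == "moto":
        return "out_of_scope"
    if not (txn.payer_in_eea and txn.payee_in_eea):
        return "out_of_scope"                 # one-leg transaction
    if txn.recurring_same_amount:
        return "exempt:recurring"
    if txn.merchant_whitelisted:
        return "exempt:trusted_beneficiary"
    if txn.corporate_card:
        return "exempt:corporate"
    # Low value: €30 ceiling, and neither cumulative counter since the last SCA may be exceeded
    # (conservative: both counters are checked, so this never over-claims the exemption).
    if (txn.amount_eur <= 30
            and state.spent_since_sca_eur + txn.amount_eur <= 100
            and state.count_since_sca < 5):
        return "exempt:low_value"
    # Transaction Risk Analysis: the amount must sit within the band the fraud rate allows.
    for max_rate_pct, ceiling_eur in TRA_BANDS:
        if merchant_fraud_rate_pct <= max_rate_pct and txn.amount_eur <= ceiling_eur:
            return f"exempt:tra_{ceiling_eur}"
    return "sca_required"
```

In practice the returned reason maps onto the exemption flag you pass to your provider; the helper is only the merchant's request, never the authorisation outcome.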

3D Secure 2 Implementation

3D Secure 2 (3DS2) is the primary protocol for implementing SCA on card payments.

How 3DS2 works:

  1. The merchant submits the payment with enriched data
  2. The card network routes it to the issuer's ACS
  3. The issuer assesses risk using the provided data
  4. Low risk: frictionless approval
  5. High risk: challenge (OTP, biometric, etc.)

Frictionless vs challenge flow:

  • Frictionless: no customer action, instant approval
  • Challenge: the customer completes an authentication step

Data that improves frictionless rates:

  • Shipping address matching the billing address
  • Device fingerprint and behavioral data
  • Previous transaction history
  • Account age and purchase patterns

Implementation approaches:

  • Redirect: the customer is sent to the issuer's authentication page
  • Embedded: authentication within the merchant checkout
  • Native (mobile): in-app SDK authentication

Payment providers (Stripe, Adyen) handle 3DS2 automatically. Focus on providing rich transaction data to maximize frictionless approvals.

Liability Shifts and Risk

SCA compliance affects fraud liability allocation between merchants and issuers.

Traditional liability (no SCA): The merchant bears liability for fraudulent transactions. Chargebacks come out of the merchant's revenue.

With successful SCA: Liability shifts to the issuer. If an authenticated transaction turns out to be fraudulent, the issuer (not the merchant) bears the loss.

Exemption liability: If the merchant requests an exemption and the transaction turns out to be fraudulent, the merchant may bear the liability. Balance the conversion improvement against the fraud risk.

Implementation recommendations:

  • Always attempt SCA for first-time customers
  • Use exemptions judiciously for returning customers
  • Monitor fraud rates by exemption type
  • Adjust strategy based on actual fraud experience

The goal is to optimize the trade-off between checkout friction (which costs completed checkouts) and fraud protection (which the liability shift provides).
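An added example of the monitoring loop recommended above, written for this page rather than taken from the guide or any provider. It works on constructed monthly aggregates (not real figures) and shows three things the prose only states: the fraud rate per exemption type, the TRA band the portfolio-wide rate still allows, and the fraud value that stays with the merchant because only successfully authenticated transactions shift liability to the issuer. Fraud rates are value-based (fraud value over total value), and the "restrict" rule is a simple heuristic of this example.

```python
# TRA bands from the guide: (fraud rate ceiling in %, exemption amount ceiling in EUR).
TRA_BANDS = [(0.01, 500), (0.06, 250), (0.13, 100)]

# Constructed monthly aggregates, not real figures:
# (exemption requested, total transaction value in EUR, value later confirmed as fraud in EUR).
# "sca_completed" rows went through SCA (frictionless or challenge), so their fraud is the issuer's.
MONTHLY = [
    ("sca_completed",       500_000.0,  50.0),
    ("low_value",            40_000.0,  32.0),
    ("recurring",           120_000.0,  24.0),
    ("trusted_beneficiary",  30_000.0,   0.0),
    ("tra",                 300_000.0, 480.0),
]

def fraud_rate_pct(total_eur: float, fraud_eur: float) -> float:
    """Value-based fraud rate in percent, rounded so comparisons are not upset by float noise."""
    return round(100.0 * fraud_eur / total_eur, 4) if total_eur else 0.0

def fraud_rates_by_exemption(rows) -> dict:
    """Fraud rate per exemption type: the breakdown the guide says to monitor."""
    return {name: fraud_rate_pct(total, fraud) for name, total, fraud in rows}

def overall_fraud_rate(rows) -> float:
    """Portfolio-wide rate, which is what decides the TRA band the merchant may use."""
    return fraud_rate_pct(sum(r[1] for r in rows), sum(r[2] for r in rows))

def tra_ceiling_eur(rate_pct: float) -> int:
    """Largest TRA exemption amount the rate allows; 0 means no TRA exemption is available."""
    for max_rate_pct, ceiling_eur in TRA_BANDS:
        if rate_pct <= max_rate_pct:
            return ceiling_eur
    return 0

def merchant_borne_fraud_eur(rows) -> float:
    """Fraud value the merchant carries: everything that did not complete SCA, because the
    liability shift to the issuer only covers successfully authenticated transactions."""
    return sum(fraud for name, _, fraud in rows if name != "sca_completed")

def exemptions_to_restrict(rows) -> list:
    """Heuristic: exemption types whose own fraud rate exceeds the rate ceiling of the band
    the merchant currently sits in are dragging the overall rate towards a lower band, so
    they are the candidates to fall back to SCA for (the 'adjust strategy' step)."""
    current_ceiling = tra_ceiling_eur(overall_fraud_rate(rows))
    band_rate = next((r for r, c in TRA_BANDS if c == current_ceiling), 0.0)
    rates = fraud_rates_by_exemption(rows)
    return sorted(n for n, r in rates.items() if n != "sca_completed" and r > band_rate)
```

With the sample data the portfolio sits just inside the €250 band, but the TRA and low-value exemptions run hotter than that band's 0.06% ceiling, which is the signal to tighten them before the whole portfolio drops to €100.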


How Boolean & Beyond helps

Based in Bangalore, we help fintech companies, SaaS businesses, and marketplaces build payment systems that work reliably across European markets.

Provider Selection

We help you choose between Stripe, MangoPay, Adyen, and others based on your specific use case, geography, and compliance needs.

Compliance Implementation

We build PSD2-compliant payment flows with proper SCA handling, exemption strategies, and GDPR-compliant data processing.

Operations & Monitoring

We set up webhook processing, reconciliation systems, and monitoring to keep your payment infrastructure running smoothly.


Registered Office

Boolean and Beyond

825/90, 13th Cross, 3rd Main

Mahalaxmi Layout, Bengaluru - 560086

Operational Office

590, Diwan Bahadur Rd

Near Savitha Hall, R.S. Puram

Coimbatore, Tamil Nadu 641002
