Complete guide to PSD2 compliance: SCA requirements, exemptions, 3D Secure 2 implementation, and liability shifts.
PSD2 (Payment Services Directive 2) is the EU directive that requires Strong Customer Authentication (SCA) for electronic payments. SCA mandates two-factor authentication using two of three factor categories: something the user knows (a password), something the user has (a phone), or something the user is (a biometric). Non-compliance results in declined transactions and potential fines.
PSD2 fundamentally changed European payments when SCA requirements became mandatory. Understanding these requirements is essential for any business accepting payments in Europe.
Strong Customer Authentication (SCA) requires two independent authentication factors from three categories: knowledge (something the user knows, such as a password), possession (something the user has, such as a phone), and inherence (something the user is, such as a biometric):
The factors must be independent: compromising one must not compromise the other. A password stored on the same phone that serves as the possession factor does not count as two factors.
SCA is required for customer-initiated electronic payments within the European Economic Area (EEA).
Transactions requiring SCA:
Transactions NOT requiring SCA:
Understanding scope helps you know which transactions need SCA flows and which don't.
Exemptions allow transactions to proceed without SCA, reducing friction for low-risk payments.
Low-value transactions:
Recurring payments:
Trusted beneficiaries:
Low-risk transactions (Transaction Risk Analysis):
Corporate payments:
Request exemptions through your payment provider. The issuing bank makes the final decision whether to honor the exemption.
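The exemption rules above are easier to reason about as code. The following evaluator is an added example, not code from the article or from any payment provider; it lists which exemptions a merchant or PSP could request for a given transaction, in preference order, and leaves the final decision to the issuer as the text describes. The monetary thresholds are taken from the EBA Regulatory Technical Standards on SCA (low-value: EUR 30 per transaction, EUR 100 cumulative or five consecutive transactions since the last SCA; TRA limits of EUR 100, 250 and 500 tied to the acquirer's fraud rate); the field names, the `Transaction`/`PayerHistory` structures and the treatment of merchant-initiated payments as out of scope are this example's assumptions.

```python
"""SCA exemption eligibility evaluator (added example, not from the article)."""
from dataclasses import dataclass
from enum import Enum


class Exemption(Enum):
    LOW_VALUE = "low_value"
    RECURRING = "recurring"
    TRUSTED_BENEFICIARY = "trusted_beneficiary"
    TRA = "transaction_risk_analysis"
    CORPORATE = "corporate"


# Thresholds from the EBA RTS on SCA (Articles 16 and 18). Assumption: remote card payments in EUR.
LOW_VALUE_LIMIT_EUR = 30.00
LOW_VALUE_CUMULATIVE_EUR = 100.00
LOW_VALUE_MAX_CONSECUTIVE = 5
# (acquirer fraud-rate ceiling, maximum transaction amount allowed under TRA)
TRA_THRESHOLDS = [(0.0001, 500.00), (0.0006, 250.00), (0.0013, 100.00)]


@dataclass
class Transaction:
    """Hypothetical transaction attributes; field names are this example's own."""
    amount_eur: float
    payer_initiated: bool = True            # False = merchant-initiated (treated as out of scope)
    recurring_same_amount_same_payee: bool = False
    first_in_series: bool = False           # first payment of a recurring series still needs SCA
    payee_on_issuer_trusted_list: bool = False
    corporate_dedicated_process: bool = False


@dataclass
class PayerHistory:
    """Counters the issuer keeps since the payer's last SCA (constructed for the example)."""
    spend_since_last_sca_eur: float = 0.0
    count_since_last_sca: int = 0


def tra_limit(acquirer_fraud_rate: float) -> float:
    """Largest amount the TRA exemption may cover at the acquirer's reference fraud rate."""
    for ceiling, limit in TRA_THRESHOLDS:
        if acquirer_fraud_rate <= ceiling:
            return limit
    return 0.0  # fraud rate above 0.13%: TRA not available


def candidate_exemptions(txn: Transaction, history: PayerHistory,
                         acquirer_fraud_rate: float) -> list:
    """Exemptions the merchant/PSP may request, in preference order.

    The issuing bank still decides whether to honour any of them.
    """
    if not txn.payer_initiated:
        return []  # merchant-initiated transaction: out of scope, no exemption to request
    found = []
    if txn.recurring_same_amount_same_payee and not txn.first_in_series:
        found.append(Exemption.RECURRING)
    if txn.payee_on_issuer_trusted_list:
        found.append(Exemption.TRUSTED_BENEFICIARY)
    if txn.corporate_dedicated_process:
        found.append(Exemption.CORPORATE)
    if (txn.amount_eur <= LOW_VALUE_LIMIT_EUR
            and history.spend_since_last_sca_eur + txn.amount_eur <= LOW_VALUE_CUMULATIVE_EUR
            and history.count_since_last_sca < LOW_VALUE_MAX_CONSECUTIVE):
        found.append(Exemption.LOW_VALUE)
    if txn.amount_eur <= tra_limit(acquirer_fraud_rate):
        found.append(Exemption.TRA)
    return found


if __name__ == "__main__":
    # Constructed sample: a EUR 25 basket from a payer with EUR 80 of unauthenticated spend.
    txn = Transaction(amount_eur=25.0)
    history = PayerHistory(spend_since_last_sca_eur=80.0, count_since_last_sca=2)
    print(candidate_exemptions(txn, history, acquirer_fraud_rate=0.0005))
```

The cumulative low-value counters live with the issuer, not the merchant, so in production the `PayerHistory` values are unknown to you; the function is still useful for deciding which exemption flag to set on the authorisation request and for explaining why an issuer stepped a transaction up to a challenge anyway.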
3D Secure 2 (3DS2) is the primary protocol for implementing SCA on card payments.
How 3DS2 works:
Frictionless vs challenge flow:
Data that improves frictionless rates:
Implementation approaches:
Payment providers (Stripe, Adyen) handle 3DS2 automatically. Focus on providing rich transaction data to maximize frictionless approvals.
SCA compliance affects fraud liability allocation between merchants and issuers.
Traditional liability (no SCA): The merchant bears liability for fraudulent transactions, and chargebacks come out of the merchant's revenue.
With successful SCA: Liability shifts to the issuer. If an authenticated transaction turns out to be fraudulent, the issuer (not the merchant) bears the loss.
Exemption liability: If merchant requests exemption and fraud occurs, merchant may bear liability. Balance conversion improvement against fraud risk.
Implementation recommendations:
The goal is optimizing the trade-off between checkout friction (fewer completions) and fraud protection (liability shifts).
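To make the 3DS2 outcomes and the liability rules above concrete, here is an added example that is not code from the article or from Stripe or Adyen. It maps each 3DS2 authentication outcome to the party that carries fraud liability, decides whether the merchant should capture the payment, and then puts a number on the friction-versus-fraud trade-off the last paragraph describes by comparing the expected cost of forcing SCA (lost margin from abandoned challenges) with the expected cost of requesting an exemption (fraud losses the merchant now owns). The outcome names, the `TradeoffInputs` fields and all sample rates are constructed for the example; the rule that an issuer-applied exemption keeps liability with the issuer is an assumption stated in the code.

```python
"""3DS2 outcome handling, liability allocation and the friction/fraud trade-off (added example)."""
from dataclasses import dataclass
from enum import Enum


class AuthOutcome(Enum):
    FRICTIONLESS = "frictionless"              # issuer authenticated on risk data, no challenge shown
    CHALLENGED = "challenged"                  # cardholder completed a challenge (OTP, app approval)
    EXEMPTION_MERCHANT = "exemption_merchant"  # merchant/acquirer requested an exemption, issuer honoured it
    EXEMPTION_ISSUER = "exemption_issuer"      # issuer applied its own exemption (e.g. its TRA)
    NOT_AUTHENTICATED = "not_authenticated"    # challenge failed or abandoned, or 3DS unavailable


def liable_party(outcome: AuthOutcome) -> str:
    """Who carries fraud liability for a transaction that completed with this outcome."""
    if outcome in (AuthOutcome.FRICTIONLESS, AuthOutcome.CHALLENGED):
        return "issuer"      # successful SCA: liability shifts to the issuer
    if outcome is AuthOutcome.EXEMPTION_ISSUER:
        return "issuer"      # assumption: issuer-applied exemption keeps liability with the issuer
    return "merchant"        # merchant-requested exemption, or proceeding without authentication


def should_capture(outcome: AuthOutcome) -> bool:
    """Capture only when authentication succeeded or an exemption was honoured."""
    return outcome is not AuthOutcome.NOT_AUTHENTICATED


@dataclass
class TradeoffInputs:
    """Constructed per-transaction inputs for the expected-cost comparison."""
    amount_eur: float
    margin_rate: float            # gross margin as a fraction of the amount
    challenge_abandonment: float  # share of shoppers who abandon checkout when challenged
    merchant_fraud_rate: float    # fraud rate on traffic that proceeds without SCA
    chargeback_fee_eur: float     # fee the merchant pays on each chargeback


def expected_cost_force_sca(i: TradeoffInputs) -> float:
    """Friction cost: margin lost on abandoned checkouts. No fraud cost, the issuer is liable."""
    return i.challenge_abandonment * i.amount_eur * i.margin_rate


def expected_cost_request_exemption(i: TradeoffInputs) -> float:
    """No friction, but the merchant now absorbs the fraud loss plus the chargeback fee."""
    return i.merchant_fraud_rate * (i.amount_eur + i.chargeback_fee_eur)


def recommend(i: TradeoffInputs) -> str:
    """Pick the cheaper strategy in expectation for this transaction profile."""
    if expected_cost_request_exemption(i) < expected_cost_force_sca(i):
        return "request_exemption"
    return "force_sca"


if __name__ == "__main__":
    low_value = TradeoffInputs(40.0, margin_rate=0.25, challenge_abandonment=0.10,
                               merchant_fraud_rate=0.002, chargeback_fee_eur=15.0)
    high_value = TradeoffInputs(900.0, margin_rate=0.25, challenge_abandonment=0.10,
                                merchant_fraud_rate=0.03, chargeback_fee_eur=15.0)
    print(recommend(low_value), recommend(high_value))
    print(liable_party(AuthOutcome.EXEMPTION_MERCHANT), should_capture(AuthOutcome.NOT_AUTHENTICATED))
```

The comparison is deliberately per transaction profile rather than global: a cheap basket with a low fraud rate favours requesting an exemption, while a high-value basket with a riskier fraud rate favours forcing SCA even at the cost of some abandonment. Feed it your own measured abandonment and fraud rates rather than the constructed ones above.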