Payments are a key part of the shopping experience, no matter where and what you’re selling—but they’re especially important online, where trust and security are top of mind.
If you operate in the European Economic Area (EEA), you may have heard about the revised Payment Services Directive (PSD2). It’s a regulatory requirement that includes Strong Customer Authentication (SCA) and is intended to increase protection against fraud for online purchases and will have some impact on businesses in the EEA.
Ahead, learn how to navigate these complexities of selling so you can focus on running and growing your business. This article answers all the questions you might have on PSD2, SCA, and more.
Table of Contents
What is Strong Customer Authentication?
Strong Customer Authentication is a security policy in the EEA that helps reduce fraud and make payments more secure. It is part of the revised Payment Services Directive.
SCA is similar to what many people refer to as two-factor authentication: if a customer is buying online using their debit or credit card, SCA may require them to use two forms of authentication.
As an example, instead of just entering their PIN or password, SCA might prompt a customer to enter a code texted to them as a second step. This makes it harder for fraudulent transactions to get through.
SCA also helps ensure that a breach of one authentication item doesn’t compromise another method of authentication, furthering the overall security of the customer’s information.
What is the revised Payment Services Directive?
The revised Payments Services Directive regulates electronic payments made in the European Union. The first Payments Services Directive came into effect in 2007, and PSD2 was released in late 2019—although it wasn’t fully implemented until the end of 2020.
One of the major updates this revision brought to the table was stronger protection for customers who shop online using their debit and credit cards. This also protects you as an ecommerce merchant.
To comply with these regulations, you’ll need to make sure you have Strong Customer Authentication to help mitigate card-not-present fraud from payments accepted from European buyers.
Strong Customer Authentication must include two of these three elements: knowledge, possession, and inherence.
Knowledge refers to something that only your customer would know. A few examples of this include:
- A password
- A passphrase
- A secret fact
- A PIN
- A sequence
- Knowledge-based challenge questions
Possession refers to items the customer physically owns. This includes things like:
- A phone
- A tablet
- Wearable tech
- A hardware token
- A smart card
- A badge
Inherence refers to things that are inherently the customer—personal and physical identifiers that no one else can fit. It’s referred to as “something the customer is.” Examples are:
- Facial recognition
- Voice detection
- Iris format
- Retina scan
- DNA signature
How does SCA work?
In the past, access to accounts and payment authorization could be done with a simple “something the customer knows”—like a PIN. SCA requires more than that, ensuring even better security.
Passwords can be leaked or hacked. Credit and debit cards can be lost or stolen. But if someone is required to input a password from their specific device or provide a fingerprint scan alongside their credit card PIN, it makes the entire process much more secure.
SCA is done through a protocol called 3D Secure—a technology that is supported by most European cards. This protocol adds an extra layer of security that customers have to enter during checkout to authenticate themselves.
Your customers will see the 3D Secure indicator show up on orders and it will then prompt them to further authenticate themselves with a multifactor authentication process.
This could be:
- A one-time code texted to the customer’s smartphone
- Fingerprint authentication via a banking app
- Facial recognition via the smartphone
The fact that many smart devices are compatible with these types of inherent authentication helps make it even easier for customers to make secure purchases.
Once this SCA step has been completed, any fraudulent chargebacks are the bank’s problem—not yours.
How to ensure SCA compliance
If your business operates within the EEA, you need to be compliant with PSD2 and SCA, or banks can decline purchases. However, it’s not difficult to make sure you’re compliant—you simply have to do one (or both) of two things:
- Apply 3D Secure on credit and debit card payments
- Use a payment portal—like Shopify Payments or Apple Pay—that is automatically optimized to be PSD2 SCA compliant
Having a Shopify store makes it easy to be compliant. With the number of payment options you can add, you can easily ensure 3D Secure is automatically applied to purchases made in the EEA.
Users are also able to see orders that have used SCA for payment processing within their Shopify orders page. Orders paid with debit or credit cards that have gone through 3D Secure will have 3D Secure (3DS) noted beside the order timeline.
This means the buyer’s identity has been confirmed by the bank who issued the card, and the transaction will default to low risk. There is no action required for the merchant within the orders page for these transactions.
When does SCA apply?
SCA applies to all online payments made within the European Union. This means the customer resides within the EU and has made a purchase from a business that also operates in the EU.
However, more and more countries are moving toward similar requirements in order to prevent fraudulent payments and protect merchants and payment providers.
Not every electronic payment or ecommerce transaction is subject to SCA. Here are some examples of when SCA isn’t required.
Low-risk transactions are pinpointed through a transaction risk analysis (TRA). Payment providers are able to conduct real-time risk analyses to decide whether or not SCA needs to be applied.
This risk is determined by the payment provider’s fraud rates. They may be exempt if their fraud rates are below these thresholds:
- 0.13% for transactions up to €100
- 0.06% for transactions up to €250
- 0.01% for transactions up to €500
The payment provider can then request a “TRA exemption” to bypass the need to use SCA.
Low-value transactions, or transactions that don’t cost a lot, may also be exempt from SCA. The regulations dictate that any transaction of €30 or less can be considered a low-value transaction.
However, the issuing bank or card provider keeps track of the number of times this exemption is used. SCA will be required after every five low-value transactions to ensure the payments are secure and intentional so fraudsters can’t get around PSD2 regulations.
A recurring transaction, or a fixed-amount subscription, is another exemption. SCA will be required for the first payment, but subsequent automatic payments for subscriptions will be exempt from these security requirements.
Merchant-initiated transactions (MITs) are considered to be “out of scope” rather than exempt. However, marketing a transaction as an MIT is typically a similar process to requesting an exemption.
This type of payment uses a card that’s already on file. As with recurring transactions, the first payment must go through Strong Customer Authentication. However, additional payments do not, typically because the customer has agreed through a contract or other policy that the transaction is verified.
MOTO transactions, or mail order and telephone order transactions, are also considered to be out of scope. As these types of payments are not considered to be electronic or online payments, they don’t fall under the SCA requirements.
Corporate or B2B transactions are those that occur between two corporations. When this payment is made with a card that is specified for corporate transactions, these payments are also exempt from SCA requirements.
Inter-regional transactions are transactions that are made by consumers who do not live within the regions or parameters of the PSD2 regulations and are therefore out of scope of SCA requirements.
For example, even if your business is located within the EU, if someone from the United States is making a purchase, that transaction is out of the scope of SCA.
Lastly, customers themselves are able to essentially whitelist companies that they regularly work with or trust so their payments no longer need to be authenticated. The consumer’s bank will then keep track of this list of “trusted beneficiaries” so the consumer can skip the SCA process.
What does PSD2 mean for Shopify merchants?
If you’re using Shopify Payments to process credit or debit cards in Germany, Denmark, Ireland, the Netherlands, Austria, Belgium, Sweden, Spain, or the United Kingdom, you don’t need to do anything—you’re automatically compliant.
Shopify Payments is optimized to minimize the use of 3D Secure. It will only use 3D Secure when absolutely required by the issuing bank in order for a transaction to be authorized.
Local payment methods such as iDeal and Klarna, and wallets like Google Pay, Apple Pay, and PayPal Express, are already compliant with the regulation and require no action.
For merchants using third-party gateways, you’re not automatically in compliance with PSD2.
To be in compliance, we recommend you use a Shopify-approved SCA gateway and create a connection with Cardinal Commerce. You’ll be prompted within your Shopify admin in Settings > Payments that Cardinal Commerce is available.
If you’re operating in countries in the EEA or EU, it’s in both yours and your customers’ best interest to ensure you’re compliant and that you offer 3D Secure options, or that the way you take payments is exempt from SCA.
Strong Customer Authentication FAQ
When is Strong Customer Authentication required?
Strong Customer Authentication, or SCA, is required any time a payment is made by a consumer residing within the European Economic Area (EEA). While there are exemptions, businesses that operate within the EEA should ensure they’re compliant, regardless.
What happens if you aren't SCA compliant?
These laws are in place for banks. This means that the bank cannot (and should not) approve transactions that do not go through SCA security, or else they’re in violation of European law. However, this also means that if you aren’t SCA compliant, banks will likely decline the transaction, meaning consumers that reside within the EEA are unable to shop with your business. This can hurt sales, so it’s in your best interest to ensure compliance.
Who is responsible for Strong Customer Authentication?
The European Banking Authority (EBA) within the European Union (EU) is responsible for enforcing SCA. In the UK, PSD2 SCA regulations are enforced by the Financial Conduct Authority (FCA).
What is a PSD2 license and how do I get one?
A PSD2 license is required by payment institutions in the EU. These include Stripe, PayPal, Square, Apple Pay, Google Pay, and others. These types of companies will have licenses so they can provide payment services that are compliant with PSD2 guidelines.