Understanding PSD2 and Strong Customer Authentication


Payments are a key part of the shopping experience no matter where and what you’re selling, but it’s especially important online, where trust and security are top of mind. 

If you’re selling in the European Economic Area (EEA), you may have heard about the revised Payment Services Directive (PSD2). It’s a regulatory requirement intended to increase protection against fraud for online purchases and will have some impact on businesses in the EEA.

Below, we’ll help you navigate the complexities of selling under PSD2 so you can focus on running and growing your business. Here’s an overview of what’s happening and what it means for you.

What is the revised Payment Services Directive (PSD2)?

The revised Payment Services Directive (PSD2) regulates the payments industry in the European Union. One of the major updates coming into effect this year is stronger protection for customers who shop online using their debit and credit cards. This protects you, too: fewer fraudulent charges are good for everyone.

To comply with these new regulations, you’ll need to make sure Strong Customer Authentication (SCA) is in place for payments accepted from European buyers, to help mitigate card-not-present fraud.

What is Strong Customer Authentication (SCA)?

Strong Customer Authentication is similar to what many people refer to as two-factor authentication: when a customer buys online using their debit or credit card, SCA may require them to authenticate with two independent factors, drawn from something they know (such as a password or PIN), something they have (such as their phone or banking app), and something they are (such as a fingerprint). As an example, instead of just entering a PIN or password, the customer would also be prompted to enter a code generated in their banking app as a second step. Because a stolen card number alone no longer satisfies both factors, this makes it harder for fraudulent transactions to get through.

Customers are asked for this extra information only when it’s required, through a technology known as 3D Secure: an additional authentication step that the card issuer can present during checkout so the customer can prove it is really them. You will see the 3D Secure indicator start to show up on orders after PSD2 comes into effect.

What does PSD2 mean for Shopify merchants?

If you’re using Shopify Payments to process credit or debit cards in Germany, Denmark, Ireland, the Netherlands, Austria, Belgium, Sweden, Spain, or the United Kingdom, you don’t need to do anything. You’ll be compliant in time for the January 1, 2021 deadline automatically. Shopify Payments is optimized to minimize the use of 3D Secure. It will only use 3D Secure when absolutely required by the issuing bank in order for a transaction to be authorized successfully.

If you’re using Stripe to process credit or debit cards, you’ll also be fully compliant with PSD2 before the deadline and be able to offer SCA without any changes.

Local payment methods such as iDeal and Klarna, and wallets like Google Pay, Apple Pay, and PayPal Express, are already compliant with the regulation and require no action.

If you’re using a third-party gateway, you will not automatically be in compliance with PSD2 on January 1, 2021. To comply, we recommend you use a Shopify approved SCA gateway and create a connection with Cardinal Commerce. You will be prompted within your Shopify admin in Settings > Payments that Cardinal Commerce is available. It is your responsibility to decide if and when to sign up and enable this solution. We recommend that you do so as soon as possible in order to meet the January 1, 2021 deadline.

When will PSD2 be enforced?

The full enforcement of the SCA requirement in the EEA (except for the UK) is January 1, 2021. The UK regulator has extended its enforcement deadline to September 14, 2021. The biggest impact of the enforcement timelines is on merchants not using Shopify Payments or Stripe.

Merchants will start seeing orders that have used SCA for payment processing within their Shopify orders page. Orders paid with debit or credit cards that have gone through 3D Secure will have 3D Secure (3DS) noted beside the order timeline. This means the buyer’s identity has been confirmed by the bank that issued the card, and the transaction will default to low risk. No action is required from the merchant within the orders page for these transactions.