PSD2 Compliance Guide for Merchants

Discover how PSD2 strong customer authentication strengthens online payments, reduces fraud, and builds trust. Guidance for businesses, fintechs, and payment providers.
If your business operates online in Europe, you’ve already felt the effects of PSD2 and its Strong Customer Authentication (SCA) rules. These rules are reshaping digital payments, protecting consumers, and reducing fraud—but they also create challenges for merchants.
Failing to comply can result in declined transactions, lost revenue, and regulatory penalties. Meeting the standards on time, however, helps you protect your business, maintain customer trust, and avoid payment disruptions.
To help you make sense of the requirements, we’ve prepared this practical guide.
What’s inside
This guide, “How to be PSD2 compliant? A no-nonsense guide for merchants”, is a straightforward resource for merchants, fintechs, and payment providers. It explains how SCA works, when it applies, and what exceptions exist. You’ll also find a checklist to help your business stay compliant without disrupting your customers’ payment experience.
The guide covers:
- What PSD2 and SCA mean for your business
- How SCA works in practice
- Exceptions and out-of-scope transactions
- Standards for PSD2 compliance
- PSD2 compliance checklist
Open this guide and take the next step toward secure, compliant, and customer-friendly payments.
Online purchases account for over half of all card-related fraud in the Single Euro Payments Area (SEPA), which comprises 35 European countries. To safeguard consumers and European Economic Area (EEA) financial institutions against fraud and financial crime, the EEA established the SCA rules in 2019.
As mandated by the European Union under PSD2, SCA requires payment service providers inside the EEA to use multi-factor authentication (MFA), which further strengthens the security of electronic and online payments.
This article delves deeper into the various payment methods affected by Europe’s Strong Customer Authentication (SCA) mandates. Also, we will explain how SCA affects your company and what kinds of transactions are exempt or not covered.
What is Strong Customer Authentication (SCA)?
SCA is a European legislative requirement designed to combat cybercrime and increase the security of offline and online payments.

Financial institutions must implement additional authentication into the checkout process to authorize payments and comply with SCA laws. They must use two of the following three components for authentication in SCA:
- Something only the customer knows (a password or PIN);
- Something a client possesses (phone, computer);
- Identifiable features of the customer (facial or fingerprint recognition).
Thanks to the additional protection provided by SCA, end-users can feel more at ease making online payments. Previously, buyers only had to enter their payment information and finish the purchase. With a standardized verification step, customers will have a simpler time confirming their identity, which should result in fewer cancelled payments.
Why Are PSD2 and SCA Important?
This new directive expands on the old 2007 directive in three major areas:
- Enhanced protections for consumers while making financial transactions;
- Bringing the regulation of third-party access and account information into the fold creates fair competition;
- Enhanced security.
When we talk about security, we mean a specific set of guidelines called Strong Customer Authentication (SCA). Any company operating online in the EEA region must comply with these standards. If not, the effects will be far-reaching.
When Did Strong Customer Authentication Take Effect?
On September 14, 2019, PSD2’s Strong Customer Authentication (SCA) requirements went into effect. Later, because of industry unreadiness, the European Banking Authority pushed the deadline to December 31, 2020. So far, all EEA member states have implemented mandatory PSD2 SCA compliance. The UK’s deadline for full implementation was March 14, 2022.
PSD2 (European legislation that requires payment services to strengthen customer authentication) was proposed in 2013. It was officially adopted by the European Parliament and the Council of the European Union in 2015. PSD2 replaced the previous Payment Services Directive (PSD), which was introduced in 2007.
PSD2 was initially scheduled to come into effect in January 2018. The deadline was later extended to September 2019 to allow more time for implementation. Since then, PSD2 has been gradually implemented across the European Union, with some countries adopting it earlier than others.
As of 2021, PSD2 is fully implemented across all 27 EU member states, as well as Norway, Iceland, and Liechtenstein, which are part of the European Economic Area. The regulation applies to all payment service providers operating within the EU, including banks, payment institutions, and e-money institutions.
One of the most significant changes introduced by PSD2 is the requirement for banks to allow third-party providers to access their customers’ account information and payment initiation services through open APIs (Application Programming Interfaces).
However, with the increased access to customer data and payment initiation services, there was also a risk of increased fraud and security breaches. Therefore, to address these concerns, PSD2 introduced another requirement called Strong Customer Authentication (SCA).
Under PSD2, consumers have greater control over their payment transactions. They can choose to authorize third-party providers to access their account information and initiate payments on their behalf. This has led to increased innovation in the payments market, as well as improved security standards and consumer protection.
However, it has also posed challenges for some payment service providers. Particularly, it affected smaller ones who may struggle to meet the SCA requirements.
How Does Strong Customer Authentication Work?
The best way to implement Strong Customer Authentication varies from one payment system to another. In most cases, SCA is a must when paying with a debit or credit card. Many regional payment options, including e-wallets, also provide their own SCA-compliant authentication step. Let’s look at the two major ones.
3D Secure
Most online card payments today use 3D Secure for authentication. Similarly, most cards in Europe adhere to this authentication standard. When using 3D Secure, the customer’s bank will probably ask for supplementary information after the customer has completed the checkout process. For example, a one-time code delivered to their phone or fingerprint authentication via their mobile banking application.
Currently, 3D Secure 2.0 is the most widely adopted approach for verifying the identities of cardholders making purchases online under SCA guidelines. This updated version improves the user experience. It reduces the extra steps typically required for authentication throughout the purchasing process. With offline card transactions, a PIN entry will satisfy authentication requirements.
Digital Wallets and Regional Payment Options
Card-based wallets such as Google Pay and Apple Pay come with an integrated authentication layer (biometric or password). With these, stores can provide customers with a streamlined purchasing process without sacrificing compliance.
What Situation Calls for Strong Customer Authentication?
Any transaction deemed to be “consumer-initiated” (CIT) calls for strong customer authentication, whether it is an online payment or a bank transfer. SCA is unnecessary when a transaction is “merchant-initiated” (MIT), as with recurring debits.
So, SCA is mandatory for online European payments when both the merchant’s bank and the cardholder’s bank are within Europe. Any online payment made within the European Economic Area (EEA), the United Kingdom, or Monaco must be SCA compliant. That’s why online shoppers must complete an additional level of authentication during the checkout process.
Exceptions to the SCA
Exemptions from the SCA should maintain a smooth user experience for certain types of transactions. Transactions that are outside of PSD2’s limits do not require SCA. Listed below are the most notable exempt or out-of-scope transactions.
An SCA exemption applies in certain circumstances. The retailer asks the bank or credit card company to apply the exemption. The level of risk involved determines whether the purchase falls outside the mandate of the SCA; if so, it won’t need to go through the second authentication step.

Here are some typical cases where the SCA rules don’t apply.
Low-Risk Transactions
A payment processor may do a real-time risk assessment when deciding whether to apply SCA to a transaction. For this to be possible, the overall fraud rate for card payments at the payment provider or bank must be below the limit for the transaction amount:
| Exemption value threshold (euro) | Reference fraud rate for card-based payments |
|---|---|
| 100 | 0.13% |
| 250 | 0.06% |
| 500 | 0.06% |
When necessary, these cutoffs are converted to the equivalent value in the local currency. Note that both sides are assessed: if the payment provider’s fraud rate is below the threshold but the cardholder’s bank’s rate is above it, it’s reasonable to assume that the cardholder’s bank will deny the exemption and insist on authentication.
Low-Value Transactions
If a single purchase is less than 30 Euros, no SCA is necessary. The issuing bank will, however, count how often this exemption is used: if the cumulative sum of exempted payments exceeds 100 Euros, or there have been more than five separate exempted payments since the last authentication, SCA will be requested.
Recurring Transactions
After the first transaction that satisfies the SCA standards, subsequent transactions of the same type and amount are exempt. Since these are ongoing, they are “merchant-initiated” transactions and, therefore, exempt from the SCA.
Trusted Beneficiaries
Customers can “whitelist” a trusted merchant during the payment authentication process. So they won’t have to provide authentication for future purchases with that merchant. The customer’s bank or payment service provider will add these companies to a list of “trusted beneficiaries.”
B2B Transactions
Businesses can avoid SCA by conducting transactions with one another using a payment method designed explicitly for B2B transactions. As we have established, the SCA does not apply to “merchant-initiated” transactions in which the customer is not directly involved.
The same goes for phone and mail orders. They aren’t electronic transactions and hence fall beyond the limits of the SCA. Also, outside the bounds of the SCA is any card issuer or cardholder not in the European Economic Area (EEA), Monaco, or the United Kingdom.
Out-Of-Scope SCA Transactions
Merchant Initiated Transactions (MITs)
A “merchant-initiated transaction” (MIT) is a transaction initiated by the merchant rather than by the customer. With the customer’s prior permission, the merchant automatically charges the stored card details on the due date.
For example, some services, like water utilities, have variable costs based on usage. The first time a customer uses the card, whether as part of a purchase or to save payment information, authentication is required. If the subsequent payments are flagged as “Merchant Initiated Transactions,” they can bypass SCA.
Mail Order/Telephone Order (MOTO)
MOTO refers to sales made by mail or telephone. SCA does not apply to MOTO transactions conducted entirely through mail or telephone, because SCA does not regard them as “electronic.”
One-Leg-Out Transactions
Specifically, this term refers to deals in which the issuer or buyer is outside the European Economic Area. SCA sees these kinds of transactions as being outside of the scope. It means European companies are free to accept payments from customers outside of Europe without meeting the standards set forth by the PSD2 SCA.
Anonymous Transactions
If a customer pays through an anonymous way (such as a gift card), they are exempt from completing SCA.
There are a lot of other exemptions and out-of-scope situations, and how a given bank, card scheme, and national regulator interprets them will vary widely. The regulatory technical standards (RTS) for SCA under PSD2 contain the full list of exemptions.
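The exemption and out-of-scope rules above (MOTO, one-leg-out, merchant-initiated, anonymous instruments, trusted beneficiaries, low-value counters, and the TRA threshold table) are easiest to reason about as an ordered decision. The following is an added example, not code from this guide or from Solidgate, that encodes those rules as a small decision function a merchant could use to decide whether to request an exemption or send the shopper to 3D Secure. The country list, the `Transaction` and `Context` data classes, and the issuer-side counters are assumptions of the example; the thresholds are the ones listed on this page.

```python
from dataclasses import dataclass

# Transaction Risk Analysis (TRA) thresholds as listed on this page:
# the exemption may be requested up to the stated amount when the reference
# fraud rate is below the listed rate (amount in EUR, fraud rate as a fraction).
TRA_THRESHOLDS = [
    (100.0, 0.0013),
    (250.0, 0.0006),
    (500.0, 0.0006),
]

LOW_VALUE_LIMIT = 30.0        # single payment below this may skip SCA
LOW_VALUE_CUMULATIVE = 100.0  # issuer counter: cumulative exempted amount
LOW_VALUE_MAX_COUNT = 5       # issuer counter: exempted payments since last SCA

# Constructed, non-exhaustive set of ISO country codes treated as "in scope"
# (EEA plus the United Kingdom and Monaco, as the page describes).
IN_SCOPE = {"DE", "FR", "NL", "IT", "ES", "GB", "MC", "NO", "IS", "LI"}


@dataclass
class Transaction:
    amount_eur: float
    merchant_country: str
    issuer_country: str
    channel: str                        # "ecommerce", "moto" or "pos"
    merchant_initiated: bool = False    # MIT flagged after an SCA-authenticated first payment
    anonymous_instrument: bool = False  # e.g. an anonymous gift card
    merchant_whitelisted: bool = False  # merchant is a trusted beneficiary at the issuer


@dataclass
class Context:
    psp_fraud_rate: float                 # acquirer/PSP reference fraud rate
    issuer_fraud_rate: float              # cardholder bank reference fraud rate
    exempted_sum_since_sca: float = 0.0   # hypothetical issuer low-value counters
    exempted_count_since_sca: int = 0


def tra_limit(fraud_rate):
    """Highest amount eligible for the TRA exemption at this fraud rate (0 if none)."""
    limit = 0.0
    for max_amount, max_rate in TRA_THRESHOLDS:
        if fraud_rate < max_rate:
            limit = max(limit, max_amount)
    return limit


def sca_decision(tx, ctx):
    """Return (sca_required, reason). Out-of-scope cases are settled first,
    then exemptions the merchant can request, falling back to 'required'."""
    if tx.channel == "moto":
        return False, "out_of_scope:moto"
    if tx.merchant_country not in IN_SCOPE or tx.issuer_country not in IN_SCOPE:
        return False, "out_of_scope:one_leg_out"
    if tx.merchant_initiated:
        return False, "out_of_scope:merchant_initiated"
    if tx.anonymous_instrument:
        return False, "out_of_scope:anonymous"
    if tx.merchant_whitelisted:
        return False, "exempt:trusted_beneficiary"
    if tx.amount_eur < LOW_VALUE_LIMIT:
        within_sum = ctx.exempted_sum_since_sca + tx.amount_eur <= LOW_VALUE_CUMULATIVE
        within_count = ctx.exempted_count_since_sca < LOW_VALUE_MAX_COUNT
        if within_sum and within_count:
            return False, "exempt:low_value"
        return True, "required:low_value_counter_exceeded"
    # TRA: the page notes the issuer will refuse if its own rate is too high,
    # so the effective limit is the lower of the two sides' limits.
    effective_limit = min(tra_limit(ctx.psp_fraud_rate), tra_limit(ctx.issuer_fraud_rate))
    if tx.amount_eur <= effective_limit:
        return False, "exempt:tra"
    return True, "required"


if __name__ == "__main__":
    ctx = Context(psp_fraud_rate=0.0005, issuer_fraud_rate=0.001)
    for amount in (25.0, 90.0, 200.0):
        tx = Transaction(amount, "DE", "FR", "ecommerce")
        print(amount, sca_decision(tx, ctx))
```

The reason strings are there so the outcome can be logged per transaction; when the issuer still challenges a payment you requested an exemption for, comparing your logged reason with the issuer's response is the quickest way to find out which side's fraud-rate tier or counter was the limiting one.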
When you use the Solidgate payment processing platform, our team takes compliance off your shoulders. Solidgate is fully certified for standards such as PSD2 and PCI-DSS. Moreover, Transaction Risk Analysis (TRA) exemption allows for certain transactions to be exempted from SCA, provided that a robust risk analysis is performed and the merchant meets specific fraud thresholds.
What Will Happen if You’re not SCA Compliant?
The cardholder’s bank will reject any transaction that does not comply. This can result in significant financial losses, especially if you rely on online payments for most or all of your income. The FCA states that it will take full supervisory and enforcement measures against any company that fails to meet the SCA standards.
The good news is you don’t have to view this as a threat to your company. Consider this an opportunity. If you prepare for SCA now, you can have an advantage over inadequately prepared rivals later.
Controls and Standards for PSD2 Compliance
PSD2 compliance requirements include several key elements. For example, open APIs for third-party access, strong customer authentication (SCA), enhanced transparency, faster complaint resolution, and cessation of debit/credit card surcharges. Learn more about these requirements below:
- Open APIs for Third-Party Access – Banks must allow third-party payment providers to access their APIs at no cost.
- Strong Customer Authentication (SCA) – All electronic payments must be authorized using a minimum of two independent factors, such as fingerprint + password.
- Enhanced Transparency – For example, PSD2 bans the use of non-transparent pricing methods, and banks must clearly explain financial products.
- Improved Complaint Resolution – Third-party payment service providers must provide a full response to complaints governed by PSD2 within 15 days.
- Elimination of Debit/Credit Card Surcharges – Under PSD2, debit/credit surcharges have been outlawed. This means a merchant cannot add extra fees when a customer opts to pay via card.
PSD2 Compliance Checklist
As PSD2 continues to transform the payments industry within the European Union, banks and third-party payment systems must ensure compliance with the directive’s regulations. PSD2 compliance not only ensures that financial institutions and payment service providers meet legal requirements. It also enables them to capitalize on the opportunities provided by open banking.
However, achieving and maintaining compliance can be a complex and challenging task. Below, we will provide a checklist for PSD2 compliance. It aims to guide banks and third-party payment systems through the process of staying compliant and leveraging the benefits of open banking.
For Banks
Banks can achieve PSD2 compliance by sticking to this checklist:
- Register with the relevant regulatory authority. Banks must register with their national regulatory authority as a payment service provider to operate under PSD2.
- Implement strong customer authentication (SCA). Banks must implement SCA using at least two authentication factors for all electronic payment transactions.
- Provide access to account information and payment initiation. Banks must provide third-party providers with access to their customers’ account information and payment initiation services through open APIs.
- Ensure data protection and confidentiality. Banks must ensure the confidentiality and protection of customer data by implementing adequate security measures.
- Keep records. Banks must keep records of all payment transactions for at least six years.
- Notify customers of any security breaches. Banks must notify their customers of any security breaches that may affect their account information or payment transactions.
- Conduct regular security assessments. Banks must conduct regular security assessments to identify any vulnerabilities in their systems and implement the necessary security measures.
- Provide transparency. Banks must provide customers with transparent information regarding fees, charges, and payment transaction details.
- Ensure compliance with third-party providers. Banks must ensure that any third-party providers they work with are also PSD2 compliant by monitoring their compliance.
For Third-Party Payment Systems
To ensure third-party payment systems are PSD2 compliant, we recommend following this basic checklist.
- Apply for and receive an Account Information Service Provider (AISP) or Payment Initiator Service Provider (PISP) license.
- Implement Strong Customer Authentication. Generate one-time authentication codes and use at least two factors (2FA). Also, avoid SMS-based authentication and other non-compliant authentication methods.
- Implement Know Your Customer (KYC). Third-party payment providers must gather information such as full name, address, contact details, identity documents, tax identification numbers, and other relevant legal documents.
- Generate user consent. Under PSD2 regulations, third-party payment providers (TPPs) are required to obtain user consent before accessing their account information or initiating payments on their behalf. The three main methods include decoupled, embedded, and redirect.
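The “two independent factors” requirement in the SCA definition earlier on this page and the checklist item above (one-time codes, at least two factors, no SMS) come together in a verification routine like the following. It is an added example, not code from this guide or from Solidgate: the knowledge factor is a password stored as a salted PBKDF2 hash, the possession factor is a time-based one-time code (RFC 6238 TOTP, the scheme used by authenticator apps), and the `enroll`/`sca_authenticate` helpers and the user record layout are assumptions of the example.

```python
import hashlib
import hmac
import secrets
import struct

PBKDF2_ITERATIONS = 200_000
TOTP_STEP = 30  # seconds per TOTP time step


# --- Factor 1: something only the customer knows (password) ---

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


# --- Factor 2: something the customer has (authenticator app, RFC 6238 TOTP) ---

def totp(secret, unix_time, digits=6):
    """Compute the TOTP code for a shared secret at a given Unix time."""
    counter = int(unix_time) // TOTP_STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret, code, unix_time, window=1):
    """Accept the current step plus `window` steps either side to absorb clock drift."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + drift * TOTP_STEP), code):
            return True
    return False


# --- SCA: both factors, from two different categories, must pass ---

def enroll(password, totp_secret):
    """Build a hypothetical user record holding only the password hash and TOTP secret."""
    salt, pw_hash = hash_password(password)
    return {"salt": salt, "pw_hash": pw_hash, "totp_secret": totp_secret}


def sca_authenticate(user, password, code, unix_time):
    knowledge_ok = verify_password(password, user["salt"], user["pw_hash"])
    possession_ok = verify_totp(user["totp_secret"], code, unix_time)
    # A second password or a second TOTP would not count as a second factor:
    # the two factors have to come from different categories.
    return knowledge_ok and possession_ok


if __name__ == "__main__":
    import time
    secret = secrets.token_bytes(20)  # in practice provisioned to the customer's app
    user = enroll("correct horse battery staple", secret)
    now = time.time()
    print(sca_authenticate(user, "correct horse battery staple", totp(secret, now), now))
```

Both checks are always evaluated and combined with `and`, so a failed login does not reveal which of the two factors was wrong; the TOTP check uses `hmac.compare_digest` for the same reason. The password hash and the TOTP secret are the only per-user data stored, which is what the checklist's data-protection items require of a provider.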
Have any questions left? Our team is always happy to answer your questions and provide guidance whenever you need it.
For help, reach out to your account manager or our support team: support@solidgate.com
To get started with Solidgate, contact us to discuss the details.
Frequently asked questions
PSD2 compliance refers to adhering to the requirements set forth by the Revised Payment Services Directive (PSD2), a European Union regulation designed to enhance payment security and promote competition in the payment industry. It imposes obligations on merchants, banks, and payment service providers to ensure the protection of customer data and facilitate secure online payments.
To achieve PSD2 compliance, merchants can take several steps, including implementing strong customer authentication (SCA) for online transactions, using secure payment service providers that are licensed under PSD2, and ensuring they have appropriate fraud prevention measures in place. They may also need to update their payment systems to support open banking APIs and share transaction data with authorized third parties.
Non-compliance with PSD2 can have serious consequences for merchants. Regulatory authorities can impose fines or PSD2 non-compliance penalties, which can be substantial. In addition, merchants may face reputational damage, loss of customer trust, and potential legal action. Merchants must understand and meet the requirements of PSD2 to avoid these negative outcomes.