We've got you covered.
2Checkout is the PSD2 enabler for online merchants

Strong Customer Authentication and PSD2 Compliance is Not Something Your Team Should Worry About

Online payments are changing. PSD2 adds new complexity to your digital business, and in order to maintain high authorization and conversion rates you need to understand its impact on your business.

What is the 2nd Payment Service Directive (PSD2)?
PSD2 is the revised regulatory framework for payment services, initiated by the European Commission, which will be set in motion starting September 14, 2019.
This will include the introduction of Strong Customer Authentication (SCA) for customer-initiated payments with the implementation of EMV 3D Secure (3D Secure 2.0), unless the payment qualifies as low risk.

A Seamless PSD2 Onboarding Process with 2Checkout

We take the burden off your business
With 2Checkout PSD2 Payment Institution License granted, there will be no changes in the integration from your side. The sophisticated authentication logic will be maintained by 2Checkout to help you stay ahead of regulation.
Stay Ahead of Regulations
Having 2Checkout as your partner helps take away the worry about blurry and changing regulations, as we work directly with all involved parties to reconcile and represent you.
We Leverage Exemptions for a Seamless Checkout
Each transaction is paramount, which is why we leverage exemption rules and the latest 3D Secure 2 (3DS2) technology to protect your business from declined payments and low conversion rates. We aim for low-risk payments to reduce friction between customers and the authentication process, with Cardholder and Merchant Initiated Transaction frameworks that trigger 3D Secure only when necessary.

Get ready for PSD2 and SCA with 2Checkout

Advanced Ordering Engines
2Checkout's API-driven, highly optimized checkout is built using the latest technologies, minimizing the customer's input during the payment process. It will empower you to understand and reduce friction with proper communication, as well as manage customer drop-offs.
Frictionless Data-Centric Checkout
Your customers will experience a frictionless flow, resulting in increased conversion rates. Transactions will be authenticated based on the historic data available at the issuer, without intervention from your customers.
Automated Lifecycle Management
Avoid churn and continue accepting recurring payments, while we identify which subscriptions require authentication via dunning management.
Intelligent Exemption Payment Routing
Payment Routing with widespread SCA coverage helps you worry less about conversion and authorization rates, as we constantly analyze and lead transactions to different ratified flows while optimizing for exemptions.

How are We Preparing for PSD2?

2Checkout is currently in the process of becoming PSD2 compliant. Since it is a complex process, it takes time and involves mapping, assessing, planning, and implementing changes throughout the company. 2Checkout is updating the integrations with the EU service providers to comply with the PSD2 SCA regulations:
3D SECURE 2
100% COMPLETED
  • Cardholder Initiated Transactions (CIT) and Merchant Initiated Transactions (MIT) frameworks to initiate 3D Secure 2 when required or fallback on 3D Secure 1.
EXEMPTION MANAGEMENT
100% COMPLETED
  • Exemption mandates requests - Low value transactions, low risk, trusted beneficiaries | Updated Bank Identification Number (BIN) database.
DUNNING
100% COMPLETED
  • Dedicated Dunning emails for fallback flows on recurring payments.

Other PSD2 Resources

If you need more info about what you can do to be PSD2 compliant, please read the resources below:

BLOGPOST
What is PSD2 and What Does Strong Customer Authentication (SCA) Mean for You?
KNOWLEDGE BASE DOCUMENTATION
All you need to know about PSD2 and Strong Customer Authentication if you sell online.
WEBINAR
All you need to know about PSD2 and Strong Customer Authentication if you sell online.

With 2Checkout, Your Online Business is Covered

PSD2 Compliance FAQs

We have compiled a list of our clients and partners' frequently-asked questions regarding PSD2.

What is the Payment Services Directive (PSD2)?

The first Payment Services Directive (EU) 2007/64/EC (PSD1) was implemented in 2009, and introduced the ground rules for electronic payments like credit transfers, credit/debit card, and mobile payments. With PSD2 enforced beginning on September 14, 2019, the European Commission has updated the existing regulatory framework by adding new security specifications meant to cover all aspects of online payments. The new rules are introducing new benefits:

  • Safer internet payment services
  • Better protection against fraud and payment problems
  • The creation of the right ecosystem for innovative mobile and internet payment services
  • Revised and improved customer rights

Is 2Checkout compliant with PSD2?

2Checkout is compliant with PSD2. Read our guide and check out which scenarios of PSD2 might impact your business.

What new features is PSD2 bringing?

  • Security of payments done by European Union shoppers through a mandatory Strong Customer Authentication (SCA) component;
  • Access to an account (XS2A) for account information and payment initiation services, allowing bank customers to give access to third-party providers to retrieve data and initiate payments directly from bank accounts;
  • Recurring transactions treatment.

When does PSD2 go into effect?

With an initial start on January 13, 2018, the Payment Services Directive 2 (PSD2) has already taken effect throughout the European Union in the local legislation. Since not all directive areas are in effect yet, PSD2 will become effective on September 14, 2019.

What are the PSD2 requirements?

The PSD2 requirements are based on three pillars:

  • Pillar 1 addresses transparency in terms of pricing, extended customer rights, and stricter reporting standards for banks. It applies to transactions where at least one party - the "one leg out" scenario - is in the European Economic Area (EEA).
  • Pillar 2 concerns security, including requirements for strong customer authentication (SCA). This impacts all parties involved in the eCommerce flow.
  • Pillar 3 sets out the technological requirements by which banks must allow payment institutes to use their infrastructure to access account data and initiate payments on behalf of customers.

Compliance with PSD2 is to be implemented in two stages: Pillar 1 (transparency) became effective on January 13, 2018, while Pillars 2 and 3 must come into force on September 14, 2019.

Do we need to sign additional agreements or any additional addendum to contracts?

No, this is not mandatory. We will send out 2 updated documents: Privacy Policy and Data Privacy Provision for your acknowledgement.

Will PSD2 apply to my business?

  • Merchants from EEA that sell to customers within EEA, using the 2Sell and 2Subscribe plans, will be impacted by PSD2 regulations and must provide SCA when receiving payments.
  • Merchants based in EEA that sell to customers outside EEA, using the 2Sell and 2Subscribe plans, will not be impacted by PSD2 regulations and do not need to provide SCA when receiving payments.
  • Merchants based outside EEA that sell to customers from EEA, using the 2Sell and 2Subscribe plans, will not be impacted by PSD2 regulations and do not need to provide SCA when receiving payments.
  • Any merchant using the 2Monetize solution contracted via Avangate BV will be impacted by PSD2 and SCA rules, since 2Checkout acts as a reseller registered in the EEA.

Will 2Checkout Affiliates be affected by PSD2?

Avangate Affiliate Network is available on the Merchant of Record model and any merchant contracted via Avangate BV will be impacted by PSD2 and the SCA Rules, since 2Checkout acts as a reseller registered in EEA. The new changes will not impact the order tracking or commissioning; they will only affect how the customers authenticate their payments after they decide to make a purchase.

Will 2Checkout Partners and Integrations be affected by PSD2?

Partner Sales are available on the Merchant of Record model and any merchant contracted via Avangate BV will be impacted by PSD2 and the SCA Rules, since 2Checkout acts as a reseller registered in EEA.

How will PSD2 impact my business?

PSD2 will require Strong Customer Authentication (SCA), a process by which the issuing bank validates the identity of the payee and allows the transaction to go through.

The SCA comes with two forms of authentication which should be provided by the customer for the payment to be validated by the issuing banks.

When merchants are using the 2Checkout-hosted ordering engines, the customers and shoppers are automatically directed from website to 2Checkout once they're ready to pay.

Since 2Checkout hosts the payment process, ensuring that merchants are ready for the new SCA requirements falls within our responsibilities.

As a 2Checkout client, what should I do next to comply with PSD2? And how is 2Checkout going to help me?

  • Having 2Checkout as an ecommerce and payments partner helps take away the worry of these blurry and changing guidelines, because we work directly with all involved parties to reconcile and represent the merchants.
  • With 2Checkout PSD2 Payment Institution License granted, the platform and models will be supported, with no changes in the integration needed on your side. Issuer logic will evolve over time, with sophisticated authentication logic maintained by 2Checkout to help you stay ahead of regulation. We have upgraded our checkout pages and payment APIs to support strong customer authentication. We are including the new 3D Secure 2.0 protocol into our APIs and payment pages in a way that keeps changes for merchants at a minimum and minimizes the impact of SCA on the checkout conversion.
  • Merchants worry less about the conversions/authorization rates impact with our support for multiple models and entities, as well as intelligent payment routing with a multitude of processors, that fall within the requirement of SCA coverage. We consistently test for high conversions and authorizations by routing the transactions to different flows, and optimize the use of exemptions.
  • Having alternative payment methods supported with built-in SCA traits will provide your buyers additional choice without disrupting their flow - e.g. iDeal, Bancontact, SEPA Payments, mobile wallets.
  • Having analytics, customization, and an advanced ordering engine/ecommerce will empower merchants to understand and reduce friction with proper communication or different flows (e.g. retry pages, change of payment method, abandon recovery, dunning, etc.) to manage customer drop-offs.

How should my website and my communications to prospects and customers change under PSD2 in order to be compliant?

B2C subscription businesses should notify their customers about PSD2 in advance, and inform them of the new requirements to authenticate their transaction via 3DS2. B2B businesses should suggest that their customers check if the "whitelisting merchants" feature is supported by their banks, so that they can skip the authentication and have smoother transactions. Most of the banks in the EU will have this feature ready by the end of this year. If you are processing usage-based billing or variable-amount recurring billing (which come under merchant-initiated transactions), and 3DS2 verification was done for the first transaction, then an exemption can be applied for on those subscriptions. However, the customer's bank will still have the final say on whether that subscription still requires SCA, which could add to friction; you can choose to accept payments via direct debit, for example, to help eliminate this friction.

What is Strong Customer Authentication (SCA)?

SCA is the new requirement that comes along with the mandatory implementation of EMV 3DS / 3D Secure 2.0 for online transactions and purchases, which reduces fraud and makes online payments more secure. SCA and 3DS 2.0 require the use of at least two of the following three elements:

  • Something the customer knows (password, passphrase, PIN, etc.)
  • Something proprietary to the customer (smartphone, wearable device, token, etc.)
  • Individual biometrics (fingerprints, facial features, voice patterns, etc.)

What type of transactions will require Strong Customer Authentication (SCA)?

SCA will be required for all customer-initiated online transactions (CIT) within Europe, which means most payment methods (contactless payments included) and bank transfers will be done with SCA. For online payments, SCA will apply to transactions where both the business and the cardholder's banks are located within the European Economic Area (EEA).

The Revised Payment Services Directive will allow payment providers like 2Checkout to request exemptions from SCA and skip authentication for low-risk payments. Payments that require SCA will need to go through the "challenge" flow, whereas transactions that can be exempted from SCA can be sent through the "frictionless" flow.

What is the impact on other payment methods, like direct debit?

Direct debits and other alternative payment methods, initiated by the payee only and not the payer, are outside the scope of Strong Customer Authentication (SCA).

How is 2Checkout authenticating the payments made by my customers?

Payments will have to go through the 3DS2 filter provided by 2Checkout via our ordering engines. In our back end, we will automatically check to see if the issuing bank supports 3DS 2.0. If it does, the information about the payment is sent along with a request for exemption only when applicable. If the issuing bank labels the payment as exempt from SCA, the customer does not have to go through any extra authentication steps and the payment is authorized. If the issuing bank labels the payment as risky or it needs additional information to verify the customer, they will ask for the payment to go through the extra layer of security provided by 3DS 2.0.

Lastly, if the cardholder's issuing bank does not support the 3DS2 flow, the customers will be redirected via 3DS1, which acts as a fallback solution.

How will 3DS 2.0 help my business?

Overall, the new 3DS 2.0 technology will improve the user experience and data transfer, as well as providing more data with less friction. This gives us more information so that we challenge potential fraud. Only the riskiest transactions will go through additional verification. The rest of the transactions are authenticated in the back end and receive validation.

By putting the shopper experience at the forefront of authentication, 3DS2 can be adopted without fear of drop off. Merchants will be able to process more successful transactions while being able to benefit from full liability for transactions where fraud is detected.

Which are the exemptions implied by PSD2 for SCA?

The European Commission presented the following scenarios in which online payments can be exempt from SCA:

  • Low-value transactions
    • For example, a customer could make five payments of €10 and be challenged on the sixth or make up to 10 payments of €10 before they need to authenticate. To be eligible for this exemption it is recommended to have transactions below €30.
    • The cardholder's bank decides which cumulative limit to use, so 2Checkout will continue to monitor how each bank chooses to allow this, whether based on the number of transactions or total value.
  • Transaction Risk Analysis
    • If the fraud levels of both the acquirer and the issuer are below certain levels, the transaction can be exempt from SCA.
    • The cardholder's bank decides which cumulative limit to use, so 2Checkout will continue to monitor how each bank chooses to allow this, whether based on the number of transactions or total value.
    • Fraud transaction rate must be below → To apply for exemptions on payments up to:
      0.13% → €100
      0.06% → €250
      0.01% → €500
  • Recurring transactions
    • Payments are exempted from SCA if the payer-initiated payment transactions come in a series with the same amount and the same payee.
    • However, merchant-initiated transactions are out of scope of SCA. In order to get an exemption for recurring transactions, the payment and customer information should be registered before the initiation of PSD2 and should have the same value, same payee, and same recurring cycle.
    • If a new recurring payment is initiated after September 14, 2019, the SCA rules will apply for it.
    • For more information on PSD2 and SCA see this article.

How can I or 2Checkout influence low-risk transactions?

Sharing as much information about the customer with the issuer will make it more likely that they decide a frictionless flow (no authentication) is appropriate for that particular transaction.

When will 3D Secure 2 (3DS 2.0) be supported by banks?

The mass adoption of 3DS 2.0 will fall under the responsibility of the card-issuing bank. While some banks are already supporting 3DS 2.0, others will take more time to implement the new technology depending on the country and region (local regulators can give time extensions for the PSD2 compliance, in order for banks to be well-prepared).

What will happen if the issuing bank of a shopper credit/debit card will not be ready/compliant with PSD2 after September 14?

If a bank is not yet compliant with 3DS2, 2Checkout will send a 3DS1 authentication request in order to process the transaction. If the bank doesn't have support for 3DS1 or 3DS2 in place and is still processing online transactions, this means they are not compliant with PSD2, are fully liable, and risk significant fines.

What is the 3D Secure frictionless flow and what transactions are eligible?

The new version of 3D Secure comes with capabilities for frictionless flows. This functionality allows the shoppers and customers to make online payments without authentication only if they are eligible for this type of flow. Payment eligibility is given by the issuing bank and is assessed on a per-transaction basis. If the transaction or payment is not deemed as eligible for the frictionless flow, the customer will be presented with an authentication form to complete the process.

Is 3D Secure 1 compliant with Strong Customer Authentication (SCA) regulations, and do I have to do anything to upgrade to 3D Secure 2?

For the time being, 3D Secure 1 will still be an available option for authenticating online transactions.

In the future, this technology will become obsolete and banks will need to adopt 3DS 2.0 to be compliant with PSD2. In some cases, depending on the region or country, banks will need extra time to implement the new technology. During this time 3DS 1.0 will continue to be provided by banks.

What is the difference between 3D Secure version 2 and 3D Secure version 1?

3DS 1.0 has some disadvantages in comparison with 3DS 2.0:

  • 3D Secure 1 does not support exemptions or the frictionless flow
  • 3D Secure 1 doesn't provide the best customer experience
  • 3D Secure 1 will go away sometime in the future (although no date is set yet)

2Checkout supports both versions and will dynamically adapt for each transaction based on what the customer's bank supports, so merchants don't have to worry or make any changes to ensure compliance and the best customer experience.

3D Secure 2.0:

Will be introduced in Europe on September 14, 2019, as a mandate for all issuing banks

  • Capabilities
    • More data will be sent to the cardholder's bank, to be used to:
      1. Complete "frictionless" authentication with support for exemptions
      2. Send the transaction through the "challenge" flow (when the cardholder's bank wants more proof to verify their identity).
  • Better user experience
    • Mobile ready and embeddable
    • User friendly, with static passwords replaced by tokens and biometrics

What is the 3D Secure version 2 flow?

To see how the 3-D Secure version 2 works, read here.

Will I be impacted if I don't have a business registered in EEA but sell products and services to EEA customers?

  • For merchants using the 2Checkout PSP solution with headquarters based outside the EEA but selling to EEA customers, the SCA rules will not apply.
  • Any merchants using the 2Checkout Merchant of Record/Reseller solution will be impacted by PSD2 and SCA rules, since 2Checkout acts as a reseller registered in the EEA.

Will my customers need to authenticate every recurring payment in a subscription?

Starting September 14, 2019, SCA will apply to the initial transaction, and each subsequent transaction will not require authentication as long as there is no change in the subscription amount or payment method.

If I use connectors or API will I be affected by SCA rules?

If you are a merchant based in the European Economic Area (EEA) and accept payments from customers residing in EEA, you will be impacted by PSD2 no matter what type of integration you are using.

What should online sellers do next?

We have compiled here a few recommendations for online sellers.

What is the penalty for not applying SCA on a transaction?

If an issuing bank requests SCA on a transaction and the authentication is not validated, the bank will most likely decline the authorization.

Where can I find more information regarding PSD2 and how to prepare for it?

You can read more about PSD2 and how to prepare for it here and here.

Will there be an infrastructure for certification of PSD2 compliance?

No certification of PSD2 compliance is currently in place.

If I have more questions about PSD2, SCA, or 3D Secure 2, where can I ask?

If you are a merchant, you can contact us here.

If you are a shopper, you can contact us here.

Simplify the eCommerce process. Try 2Checkout.
The most flexible digital commerce platform that can give your business a real boost.