This FAQ provides you with answers to common questions about the PSD2 regulation changes in Europe. These requirements primarily cover domestic European transactions.
For more detailed information about 3D Secure and 3D Secure 2, refer to the 3D Secure Guide.
In October 2015, the European Parliament adopted the European Commission's proposal to create safer and more innovative European payments, the Revised Directive on Payment Services (PSD2, Directive (EU) 2015/2366), referred to as PSD2. The rules aim to better protect consumers when they pay online.
SCA (Strong Customer Authentication) is a European requirement developed to make online payments more secure. When a European shopper makes a payment, extra levels of authentication are required at the time of the transaction.
SCA is more than just entering a password. Authentication must include two or more of the following:
- Something the shopper knows, such as a static password or 4‑digit PIN
- Something the shopper possesses, such as:
- payment card
- wearable: smartwatch, smartkey
- token (hard/soft)
- a one-time password sent thru SMS
- Something to recognize the shopper, such as:
- touch ID
- facial recognition
- iris recognition
- voice print
- biometric behavior
- passive biometrics
3D Secure is an advanced authentication solution implemented to reduce eCommerce fraud by verifying a cardholder’s identity in real-time. Each of the major card brands has a 3‑D Secure offering:
- American Express Safekey®
- Discover ProtectBuy®
- Mastercard SecureCode®
- Visa Secure®
This additional layer of security helps prevent unauthorized use of cards and protects eCommerce merchants and issuers from exposure to fraud.
3D Secure 2 (3DS 2) is the new global specification for card payment security developed by EMVCo. It is designed to deliver frictionless payment authentication across a range of devices, including mobile devices. Unlike previous versions of 3DS, it allows for more seamless integration with merchants’ e-commerce customer experiences. 3DS 2.
The use of 3‑D Secure 2 satisfies the PSD2 requirement for SCA.
PSD2 and SCA apply to customer‑initiated online payments within Europe. Most card payments are impacted by the regulation if the cardholder’s bank and the merchant are both located in the European Economic Area (EEA) or the UK. However, most merchant‑initiated payments are exempt from SCA.
The intent of PSD2 is to make SCA a requirement for all online transactions; however, there are some transactions that are considered out of scope and there are some exemptions. Refer here for details.
Yes. Refer here for more information on how we support 3D Secure 2.
All BlueSnap European merchants need to meet SCA requirements and implement 3DS 2. BlueSnap is providing methods to help you deploy 3DS 2 as required. Follow the relevant instructions for your integration here.
For European merchants, transactions could be declined by the issuer.
Due to PSD2, Strong Customer Authentication (SCA) is required for all EEA countries when transactions are in-scope. Declines for ‘Missing Strong Customer Authentication’ indicate a decline was caused by a lack of SCA (3DS). These declines may begin to increase at different times depending on the country and their banks. So far, we are seeing this decline reason for the below EEA countries:
- United Kingdom
No. If you want to apply 3DS only to EU or UK-issued cards for PSD2, but not US-issued cards, you can do that. Refer here for more information.
Australia’s CNP Fraud Mitigation Framework requires Strong Customer Authentication (SCA or 3DS) for some merchants. One similarity to PSD2, is that the scope is limited to “two-legged” transactions, where the cardholder’s issuing bank and the merchant’s acquiring bank are both in Australia. However, Australia’s SCA requirement is less broad, aimed at merchants with high fraud.
The below 4 conditions must be met for a merchant to trigger the SCA requirement for Australia:
- Cardholder’s issuing bank is Australian.
- Merchant’s acquiring bank is Australian.
- Merchant’s in-scope fraud rate is 20bps or 0.2% (calculated by dollar value).
- Merchant’s in-scope fraud dollars per quarter total more than $50,000.
Here are a few example scenarios to consider based on the above criteria:
- A merchant with a fraud rate of 0.2% for in-scope sales would need to exceed $25,000,000 in quarterly in-scope sales to exceed the $50,000 fraud threshold.
- A merchant with a fraud rate of 1% for in-scope sales would need to exceed $5,000,000 in quarterly in-scope sales to exceed the $50,000 fraud threshold.
The Reserve Bank of India mandates two-factor authentication (3DS) for transactions where the cardholder’s issuing bank and the merchant’s acquiring bank are both in India. But some merchants enable 3DS authentication even without a local Indian acquiring bank, which can inadvertently increase declines. If higher declines are experienced with 3DS for India-issued cards processed through acquiring banks outside of India, then disabling 3DS is recommended.
If I create a vaulted shopper request, without an associated transaction, do I still have to perform a 3DS challenge?
Yes. You must perform the 3DS challenge of the shopper even if you don't have an associated transaction.
Updated 15 days ago