This FAQ provides you with answers to common questions about the PSD2 regulation changes in Europe. These requirements primarily cover domestic European transactions.
For more detailed information about 3-D Secure and 3-D Secure 2.0, refer to the 3-D Secure Guide.
In October 2015, the European Parliament adopted the European Commission's proposal to create safer and more innovative European payments, the Revised Directive on Payment Services (Directive (EU) 2015/2366), referred to as PSD2. The new rules aim to better protect consumers when they pay online. PSD2 has come into force and requires SCA to be in place by 14‑September‑2019.
SCA (Strong Customer Authentication) is a European requirement developed to make online payments more secure. When a European shopper makes a payment, extra levels of authentication are required at the time of the transaction.
SCA is more than just entering a password. Authentication must include two or more of the following:
- Something the shopper knows, such as a static password or 4‑digit PIN
- Something the shopper possesses, such as:
  - payment card
  - smart phone
  - wearable: smartwatch, smartkey
  - token (hard/soft)
  - a one-time password sent through SMS
- Something to recognize the shopper, such as:
  - touch ID
  - facial recognition
  - iris recognition
  - voice print
  - biometric behavior
  - passive biometrics
3-D Secure is an advanced authentication solution implemented to reduce eCommerce fraud by verifying a cardholder’s identity in real time. Each of the major card brands has a 3‑D Secure offering:
- American Express Safekey®
- Discover ProtectBuy®
- Mastercard SecureCode®
- Visa Secure®
This additional layer of security helps prevent unauthorized use of cards and protects eCommerce merchants and issuers from exposure to fraud.
3-D Secure 2.0 (3DS 2.0) is the new global specification for card payment security developed by EMVCo. It is designed to deliver frictionless payment authentication across a range of devices, including mobile devices. Unlike previous versions of 3DS, it allows for more seamless integration with merchants’ e-commerce customer experiences. 3DS 2.0 will be deployed across Europe from now through 2019.
The use of 3‑D Secure 2.0 satisfies the PSD2 requirement for SCA. For more information on 3‑D Secure 2.0, refer here.
PSD2 and SCA apply to customer‑initiated online payments within Europe. Most card payments are impacted by the regulation if the cardholder’s bank and the merchant are both located in the European Economic Area (EEA). However, most merchant‑initiated payments are exempt from SCA.
The intent of PSD2 is to make SCA a requirement for all online transactions; however, there are some transactions that are considered out of scope and there are some exemptions. Refer here for details.
Yes. Refer here for more information on how we support 3-D Secure 2.0.
All BlueSnap European merchants need to meet SCA requirements and implement 3DS 2.0 by 14‑September‑2019. BlueSnap is providing methods to help you deploy 3DS 2.0 as required. Follow the relevant instructions for your integration here.
For European merchants, transactions could be declined by the issuer.
The European Banking Authority (EBA) has weighed in on the ongoing debate over PSD2 with an Official Opinion. This Opinion sets the deadline for the migration to Strong Customer Authentication (SCA) for e-commerce card-based payment transactions to 31‑December‑2020, giving national authorities a 15-month extension to implement the new rules. It also prescribes the expected actions to be taken during the migration period.
No. If you want to apply 3DS only to EU-issued cards for PSD2, but not US-issued cards, you can do that. Refer here for more information.
If I create a vaulted shopper request, without an associated transaction, do I still have to perform a 3DS challenge?
Yes. You must perform the 3DS challenge of the shopper even if you don't have an associated transaction.