PSD2 and Strong Customer Authentication (SCA)

The Second Payment Services Directive (PSD2), a set of laws and regulations for payment services in the European Union (EU) and the European Economic Area (EEA), has come with a lot of implications for marketplace business models already, and it will expand further more on all companies in Europe that deal with payments, ranging from how to regulate the emergence of Third Party Providers (TPPs) to the need for strong customer authentication (SCA).

Strong Customer Authentication (SCA) has come into force starting with 14 September 2019 and all the transactions that did not comply with the new authentication guidelines have been declined by the banks.

Strong Customer Authentication (SCA) has to be applied when all of the conditions below are met:

  • The business is based in the European Economic Area (EEA);
  • The customers are from EEA area;
  • The payment is initiated online by the customer.

SCA requires merchants to integrate into the checkout flow a two-factor authentication that is based on the use of two or more elements categorized as:

  • knowledge (something only the user knows, i.e password);
  • possession (something only the user possesses: i.e, phone, token, certificate tec.);
  • inherence (something the user is: i.e. fingerprint, Face ID).

For an authentication to meet the criteria of the PSD2, it must combine at least 2 of these 3 factors. To strongly authenticate an online payment, for example, consumers will be required to use their phone (something you own) and authenticate via fingerprint (something you are).

As of September 14, only the credit card number alone was no longer considered as a valid authentication method and additional factors that meet the requirements of PSD2, such as biometric data, had to be added in the authentication process.

The 3D Secure version 1.0 authentication method used for credit card payments is being updated to version 2.0, which is the best measure to meet the above compliance criteria.

Apart from these cases there are a few exemptions to SCA, but keep in mind that banks can choose to not honor these exemptions and you need to be prepared to handle a SCA challenge even if the transactions has been submitted under one of the exemptions.

Below is the list with the most relevant ones. For more detailed information, check out our dedicated section Exemptions to Strong Customer Authentication (SCA).

Exemptions to Strong Customer Authentication (SCA)
Exemption Description
Low Value Small amounts less than 30 EUR: For a transaction of less than 30 EUR and up to 100 EUR accumulated or up to 5 transactions since the last SCA. Beyond 100 EUR or beyond 5 unauthenticated transactions, a new SCA is required. Keep in mind that since the information needed to validate these stipulations is only available to the issuing bank, you will still need to confirm if SCA is required on all transactions that might fall into this exemption category.
Low Risk / TRA Transactional Risk Analysis: SCA can be deactivated for online payments between €30 and €500, depending on the payment providers fraud rates (see table below). There are no low-risk exemptions for transactions over €500. Merchants have to rely on a payment service provider (e.g. an acquirer) to act upon their request. In addition, the test to trigger the exemption rests with whether the PSP satisfies the prescribed conditions, not the merchants themselves. Smart2Pay keeps a very low fraud rate by using state of the art anti-fraud solutions such as RedShield, Machine Learning algorithms and by working with low risk acquiring banks which have very good fraud scores.
MIT Merchant Initiated Transaction (MIT): are payment transactions that are not initiated by the payer but by the payee only and are not subject to strong customer authentication (SCA) to the extent that these transactions are initiated without any interaction or involvement of the payer. MIT transactions are subjected to SCA except when a mandate is signed by the client. For example, SEPA Direct Debits are initiated by the merchant but have a direct debit mandate signed by the end customer. Thus, SCA is not applicable in this case and there are no restrictions to the frequency or the amount (obtained scheme transaction identifier needs to be provided for use in the subsequent transactions).
Trusted Beneficiaries Payment to a trusted beneficiary: Customers can add their preferred online sellers to a list of trusted beneficiaries held by the issuing bank, so that they don’t required to authenticate for each new payment. Please instruct your customers if possible to add your business to the white-list at their bank.
Secure Corporate payments SCA can de deactivated for corporate card payments made through secure processes and protocols initiated by businesses and not available for consumers. Payments that are included in this category are those made through central travel accounts, lodged cards, virtual cards, and secure corporate cards, like the ones used in a corporate travel management system.