We've got you covered.
2Checkout is the PSD2 enabler for online merchants

Strong Customer Authentication and PSD2 Compliance is Not Something Your Team Should Worry About

Online payments are changing. PSD2 adds new complexity to your digital business, and in order to maintain high authorization and conversion rates you need to understand its impact on your business.

What is the 2nd Payment Service
Directive (PSD2)?

What is the 2nd Payment Service Directive (PSD2)?
PSD2 is the revised regulatory framework for payment services initiated by the European Commission. With an initial due date of September 14, 2019, following an opinion by the European Bank Authority on the deadline for the migration to SCA for eCommerce card-based payment transactions, SCA has entered in effect in most European countries within the EEA (European Economic Area) on December 31st, 2020.
This included the introduction of Strong Customer Authentication (SCA) for customer-initiated payments with the implementation of EMV 3D Secure (3D Secure 2.0), unless the payment qualifies as low risk.

A Seamless PSD2 Onboarding
Process with 2Checkout

REPER We take the burden
off your business
With 2Checkout PSD2 Payment Institution License granted, there will be no changes in the integration from your side. The sophisticated authentication logic will be maintained by 2Checkout to help you stay ahead of regulation.
REPER Stay Ahead
of Regulations
Having 2Checkout as your partner helps take away the worry about blurry and changing regulations, as we work directly with all involved parties to reconcile and represent you.
REPER We Leverage Exemptions
for a Seamless Checkout
Each transaction is paramount, which is why we leverage exemption rules and the latest 3D Secure 2 (3DS2) technology to protect your business from declined payments and low conversion rates. We aim for low-risk payments to reduce friction between customers and authentication process, with Cardholder and Merchant Initiated Transaction frameworks that trigger 3D Secure only when necessary.

PSD2 and SCA with 2Checkout

What is the 2nd Payment Service Directive (PSD2)?
Ordering Engines
2Checkout's API driven, highly optimized checkout is built using the latest technologies, minimizing customer's input during the payment process. It empowers you to understand and reduce friction with proper communication, as well as manage customer drop offs.
What is the 2nd Payment Service Directive (PSD2)?
Frictionless Data-Centric
The ultimate goal is for your end customers to experience a frictionless flow, resulting in increased conversion rates. In the first stages, due to the change in the overall process, a temporary increase in cart abandonment is expected. This can be counteracted by employing 2Checkout tools and by informing and educating users on process changes. Transactions will be authenticated based on the historic data available at the issuer, without intervention from your customers.
What is the 2nd Payment Service Directive (PSD2)?
Automated Lifecycle
Avoid churn and continue accepting recurring payments, while we identify which subscriptions require authentication via dunning management.
What is the 2nd Payment Service Directive (PSD2)?
Intelligent Exemption
Payment Routing
Payment Routing with widespread SCA coverage helps you worry less about conversion and authorization rates, as we constantly analyze and lead transactions to different ratified flows while optimizing for exemptions.

How Have We Prepared for PSD2?

2Checkout is PSD2 compliant. 2Checkout has updated its integrations with the EU service providers to comply with the PSD2 SCA regulations:
  • Cardholder Initiated Transactions (CIT) and Merchant Initiated Transactions (MIT) frameworks to initiate 3D Secure 2 when required or fallback on 3D Secure 1.
  • Exemption mandates requests - Low value transactions, low risk, trusted beneficiaries | Updated Bank Identification Number (BIN) database.
  • Dedicated Dunning emails for fallback flows on recurring payments.

Other PSD2 Resources

If you need more info about what you can do to be PSD2 compliant, please read the resources below:

Digital Commerce and Payments Capabilities That Ease the Transition to PSD2 and SCA
All you need to know about PSD2 and Strong Customer Authentication if you sell online.
All you need to know about PSD2 and Strong Customer Authentication if you sell online.

With 2Checkout, Your Online Business is Covered

PSD2 Compliance FAQs

We have compiled a list of our clients and partners' frequently-asked questions regarding PSD2.

What is the Payment Services Directive (PSD2)?

The first Payment Services Directive (EU) 2007/64/EC (PSD1) was implemented in 2009, and introduced the ground rules for electronic payments like credit transfers, credit/debit card, and mobile payments. With PSD2 enforced beginning on December 31st, 2020, the European Commission has updated the existing regulatory framework by adding new security specifications meant to cover all aspects of online payments. The new rules are introducing new benefits:

  • Safer internet payment services
  • Better protection against fraud and payment problems
  • The creation of the right ecosystem for innovative mobile and internet payment services
  • Revised and improved customer rights

Is 2Checkout compliant with PSD2?

2Checkout is compliant with PSD2. Read our guide and check our which scenarios of PSD2 might impact your business.

What new features is PSD2 bringing?

  • Security of payments done by European Union shoppers through mandatory Strong Consumer Authentication component (SCA);
  • Access to an account (XS2A) for account information and payment initiation services, allowing bank customers to give access to third-party providers to retrieve data and initiate payments directly from banks accounts;
  • Recurring transactions treatment.

When does PSD2 go into effect?

The Payment Services Directive 2 (PSD2) has already taken effect throughout the European Union in the local legislation and has been enforced in most European countries in the EEA starting December 31st, 2020, while others are pushing the timing of implementation with soft-launch scenarios into early 2021.

What are the PSD2 requirements?

The PSD2 requirements are based on three pillars:

  • Pillar 1 addresses transparency in terms of pricing, extended customer rights, and stricter reporting standards for banks. It applies to transactions where at least one party - the "one leg out" scenario - is in the European Economic Area (EEA).
  • Pillar 2 concerns security, including requirements for strong customer authentication (SCA). This impacts all parties involved in the eCommerce flow.
  • Pillar 3 sets out the technological requirements by which banks must allow payment institutes to use their infrastructure to access account data and initiate payments on behalf of customers.

Compliance with PSD2 is to be implemented in two stages: Pillar 1 (transparency) became effective on January 13, 2018, while Pillars 2 and 3 came into force on December 31st, 2020.

Do we need to sign additional agreements or any additional addendum to contracts?

No, this is not mandatory. We are sending out 2 updated documents: Privacy Policy and Data Privacy Provision for your acknowledgement.

Will PSD2 apply to my business?

  • Merchants from EEA that sell to customers within EEA, using the 2Sell and 2Subscribe plans, are impacted by PSD2 regulations and must provide SCA when receiving payments.
  • Merchants based in EEA that sell to customers outside EEA, using the 2Sell and 2Subscribe plans, are not impacted by PSD2 regulations and do not need to provide SCA when receiving payments.
  • Merchants based outside EEA that sell to customers from EEA, using the 2Sell and 2Subscribe plans, are not impacted by PSD2 regulations and do not need to provide SCA when receiving payments.
  • Any merchant using the 2Monetize solution contracted via Avangate BV is impacted by PSD2 and SCA rules, since 2Checkout acts as a reseller registered in the EEA.

Are 2Checkout Affiliates affected by PSD2?

Avangate Affiliate Network is available on the Merchant of Record model and any merchant contracted via Avangate BV is impacted by PSD2 and the SCA Rules, since 2Checkout acts as a reseller registered in EEA. The new changes do not impact the order tracking or commissioning; they only affect how the customers authenticate their payments after they decide to make a purchase.

Are 2Checkout Partners and Integrations affected by PSD2?

Partner Sales are available on the Merchant of Record model and any merchant contracted via Avangate BV is impacted by PSD2 and the SCA Rules, since 2Checkout acts as a reseller registered in EEA.

How does PSD2 impact my business?

PSD2 requires Strong Customer Authentication (SCA), a process by which the issuing bank validates the identity of the payee and allows the transaction to go through.

The SCA comes with two forms of authentication which should be provided by the customer for the payment to be validated by the issuing banks.

When merchants are using the 2Checkout-hosted ordering engines, the customers and shoppers are automatically directed from website to 2Checkout once they're ready to pay.

Since 2Checkout hosts the payment process, ensuring that merchants are ready for the new SCA requirements falls within our responsibilities.

As a 2Checkout client, what should I do next to comply with PSD2? And how is 2Checkout going to help me?

  • Having 2Checkout as an ecommerce and payments partner helps take away the worry of these blurry and changing guidelines, because we work directly with all involved parties to reconcile and represent the merchants.
  • With 2Checkout PSD2 Payment Institution License granted, the platform and models will be supported, with no changes in the integration needed on your side. Issuer logic will evolve over time, with sophisticated authentication logic maintained by 2Checkout to help you stay ahead of regulation. We have upgraded our checkout pages and payment APIs to support strong customer authentication. We have included the new 3D Secure 2.0 protocol into our APIs and payment pages in a way that keeps changes for merchants at a minimum and minimizes the impact of SCA on the checkout conversion.
  • Merchants worry less about the conversions/authorization rates impact with our support for multiple models and entities, as well as intelligent payment routing with a multitude of processors, that fall within the requirement of SCA coverage. We consistently test for high conversions and authorizations by routing the transactions to different flows, and optimize the use of exemptions.
  • Having alternative payment methods supported with built-in SCA traits will provide your buyers additional choice without disrupting their flow - e.g. iDeal, Bancontact, SEPA Payments, mobile wallets.
  • Having analytics, customization, and advanced ordering engine/ecommerce empowers merchants to understand and reduce friction with proper communication or different flows (e.g. retry pages, change of payment method, abandons recovery, dunning , etc) to manage customer drop offs.

How should my website and my communications to prospects and customers change under PSD2 in order to be compliant?

B2C subscription businesses should notify their customers about PSD2, and inform them of the new requirements to authenticate their transaction via 3DS2. B2B business should suggest that their customers check if the "whitelisting merchants" feature is supported by their banks, so that they can skip the authentication and have smoother transactions. Most of the banks in the EU should have had this feature ready by the end of 2020.If you are processing usage-based billing or variable amount recurring billing (which come under merchant-initiated transactions), and 3DS2 verification was done for the first transaction, then those subscriptions can be applied for exemption. However, the customer's bank will still have the final say if that subscription still requires SCA, which could add to friction; you can choose to accept payments via direct debit, for example, to help eliminate this friction.

What is Strong Customer Authentication (SCA)?

SCA is the new requirement that comes along with the mandatory implementation of EMV 3DS/ 3D Secure 2.0 for online transactions and purchases, which reduces fraud and makes online payments more secure. SCA and 3DS 2.0 require the use of at least two of the following three elements:

  • Something the customer knows (password, passphrase, pin, etc.)
  • Something proprietary to customer (smartphone, wearable device, token, etc.)
  • Individual biometrics (fingerprints, facial features, voice patterns, etc.)

What type of transactions require Strong Consumer Authentication (SCA)?

SCA is required for all customer-initiated online transactions (CIT) within Europe, which means most payment methods (contactless payments included) and bank transfers are done with SCA. For online payments, SCA applies to transactions where both the business and the cardholder's banks are located within the European Economic Area (EEA).

The Revised Payment Services Directive allows payment providers like 2Checkout to request exemptions from SCA and skip authentication for low-risk payments. Payments that require SCA will need to go through the "challenge" flow, whereas transactions that can be exempted from SCA can be sent through the "frictionless" flow.

What is the impact on other payment methods, like direct debit?

Direct debits and other alternative payment methods, initiated by the payee only and not the payer, are outside the scope of strong consumer authentication (SCA).

How is 2Checkout authenticating the payments made by my customers?

Payments go through the 3DS2 filter provided by 2Checkout via our ordering engines. In our back end, we automatically check to see if the issuing bank supports 3DS 2.0. If it does, the information about the payment is sent along with a request for exemption only when applicable. If the issuing bank labels the payment as exempt from SCA, the customer does not have to go through any extra authentication steps and the payment is authorized. If the issuing bank labels the payment as risky or it needs additional information to verify the customer, they will ask for the payment to go through the extra layer of security provided by 3DS 2.0.

Lastly, if the cardholder's issuing bank does not support the 3DS2 flow, the customers will be redirected via 3DS1, which acts as a fallback solution.

How is 3DS 2.0 helping my business?

Overall, the new 3DS 2.0 technology aims to improve the user experience and data transfer, as well as providing more data with less friction. This gives us more information so that we challenge potential fraud. Only the riskiest transactions go through additional verification. The rest of the transactions are authenticated in the back end and receive validation.

3DS2 is putting the shopper experience at the forefront of authentication, while merchants benefit from full liability for transactions where fraud is detected.

Which are the exemptions implied by PSD2 for SCA?

The European Commission presented the following scenarios in which online payments can be exempt from SCA:

  • Low-value transactions
    • For example, a customer could make five payments of €10 and be challenged on the sixth or make up to 10 payments of €10 before they need to authenticate. To be eligible for this exemption it is recommended to have transactions below €30.
    • The cardholder's bank decides which cumulative limit to use, so 2Checkout will continue to monitor how each bank chooses to allow this, whether based on the number of transactions or total value.
  • Transaction Risk Analysis
    • If the fraud levels for both acquirer and issuer is bellow different levels, the transaction can be exempt from SCA.
    • The cardholder's bank decides which cumulative limit to use, so 2Checkout will continue to monitor how each bank chooses to allow this, whether based on the number of transactions or total value. The fraud rate limits for payment providers are being applied as follows: Fraud transaction rateAmount limits
      0.13% → €100
      0.06% → €250
      0.01% → €500
  • Recurring transactions
    • Payments are exempted from SCA if the payer-initiated payment transactions come in a series with the same amount and the same payee.
    • However, merchant-initiated transactions are out of scope of SCA. In order to get an exemption for recurring transactions, the payment and customer information should be registered before the initiation of PSD2 and should have the same value, same payee, and same recurring cycle.
    • If a new recurring payment is initiated after December 31st, 2020, the SCA rules will apply for it.
    • For more information on PSD2 and SCA see this article.

How can I or 2Checkout influence low-risk transactions?

Sharing as much information about the customer with the issuer will make it more likely that they decide a frictionless flow (no authentication) is appropriate for that particular transaction.

Are there any countries/ regions where exceptions apply?

Each country's National Competent Authority (NCA) has flexibility regarding when and how to enforce the SCA requirement on issuing banks.
Some countries like the UK postponed the SCA final implementation towards September 2021. Other countries will formally maintain the EBA deadline, but allowing progressive ramp-ups with soft decline, applicable to various minimum transaction amounts.
Finally, other countries such as Austria or Bulgaria will not apply fines for a few months.
2Checkout is closely monitoring communication issued by all of these authorities, making sure that all transactions are compliant.

When will 3D Secure 2 (3DS 2.0) be supported by banks?

The mass adoption of 3DS 2.0 falls under the responsibility of the card-issuing bank. While some banks are already supporting 3DS 2.0, others will take more time to implement the new technology depending on the country and region (local regulators can give time extensions for the PSD2 compliance, in order for banks to be well-prepared).

What happens if the issuing bank of a shopper credit/debit card is not ready/compliant with PSD2 after December 31st?

If a bank is not yet compliant with 3DS2, 2Checkout will request a 3DS1 authentication request in order to process the transaction. If the bank doesn't have support for 3DS1 or 3DS2 in place and is still processing online transactions, this means they are not compliant with PSD2, are fully liable, and risk significant fines.

What is the 3D Secure frictionless flow and what transactions are eligible?

The new version of 3D Secure comes with capabilities for frictionless flows. This functionality allows shoppers to make online payments without authentication only if they are eligible for this type of flow. Payment eligibility is given by the issuing bank and is assessed on a per-transaction basis. If the transaction or payment is not deemed as eligible for the frictionless flow, the customer will be presented with an authentication form to complete the process.

Is 3D Secure 1 compliant with Strong Customer Authentication (SCA) regulations, and do I have to do anything to upgrade to 3D Secure 2?

For the time being, 3D Secure 1 will still be an available option for authentication online transactions.

In the future, this technology will become obsolete and banks will need to adopt 3DS 2.0 to be compliant with PSD2. In some cases, depending on the region or country, banks will need extra time to implement the new technology. During this time 3DS 1.0 will continue to be provided by banks. As a merchant working with 2Checkout you do not need to do anything to upgrade to 3D Secure 2.

What is the difference between 3D Secure version 2 and 3D Secure version 1?

3DS 1.0 has some disadvantages in comparison with 3DS 2.0:

  • 3D Secure 1 does not support exemptions or the frictionless flow
  • 3D Secure 1 doesn't provide the best customer experience
  • 3D Secure 1 will go away sometime in the future (although no date is set yet)

2Checkout supports both versions and will dynamically adapt for each transaction based on what the customer's bank supports, so merchants don't have to worry or make any changes to ensure compliance and the best customer experience.

3D Secure 2.0:

Was introduced in Europe on December 31st, 2020, mandate for all issuing banks

  • Capabilities
    • More data is now to the cardholder's bank, to be used for:
      1. Completing "frictionless" authentication with support for exemptions
      2. Sending the transaction through the "challenge" flow (when the cardholder's bank wants more proof to verify their identity).
  • Better user experience
    • Mobile ready and embeddable
    • User friendly, with static passwords replaced by tokens and biometrics

What is the 3D Secure version 2 flow?

To see how the 3-D Secure version 2 works, read here.

Am I be impacted if I don't have a business registered in EEA but sell products and services to EEA customers?

  • For merchants using the 2Checkout PSP solution with headquarters based outside the EEA but selling to EEA customers, the SCA rules do not apply.
  • Any merchants using the 2Checkout Merchant of Record/Reseller solution and selling to EEA customers are impacted by PSD2 and SCA rules, since 2Checkout acts as a reseller registered in the EEA.

Will my customers need to authenticate every recurring payment in a subscription?

Starting December 31st, 2020, SCA applies to the initial transaction, and each subsequent transaction does not require authentication as long there is no change in the subscription amount or payment method.

If I use connectors or API am I affected by SCA rules?

If you are a merchant based in the European Economic Area (EEA) and accept payments from customers residing in EEA, you are impacted by PSD2 no matter what type of integration you are using.

What should online sellers do next?

We have compiled here a few recommendations for online sellers.

What is the penalty for not applying SCA on a transaction?

If an issuing bank requests SCA on a transaction and the authentication is not validated, the bank will most likely decline the authorization.

Where can I find more information regarding PSD2 and how to prepare for it?

You can read more about PSD2 and how to prepare for it here and here.

Is there be an infrastructure for certification of PSD2 compliance?

No certification of PSD2 compliance is currently in place.

If I have more questions about PSD2, SCA, or 3D Secure 2, where can I ask?

If you are a merchant, you can contact us here.

If you are a shopper, you can contact us here.