PSD2 SCA Requirements for eCommerce


What is PSD2 SCA?

PSD2 stands for Payment Services Directive 2, a new EU regulation that was originally proposed to go into effect on September 14, 2019. The new rules from PSD2 are referred to as SCA, Strong Customer Authentication. They are intended to enhance the security of payments and limit fraud through this new authentication process. The requirements apply to customer-initiated online payments and online banking transactions made within Europe.

Does SCA apply to me?

Strong authentication is required for customer-initiated online payments within Europe. For online card payments, SCA applies if both your business’s bank and the cardholder’s bank are located in the EEA (European Economic Area).

Some transactions fall outside the scope of SCA, and others can be exempted if the customer’s bank approves.

What is Strong Customer Authentication?

SCA means authentication based on the use of two or more elements that are independent of each other. Independent means that a breach of one element does not compromise the reliability of the others, i.e. one element cannot be obtained by breaching another. The customer has to provide at least two of the three elements:

  • Something the customer knows (like a PIN or password)
  • Something the customer has (like a mobile phone or hardware token)
  • Something the customer is (like facial recognition or their fingerprint)

When will SCA be required?

The SCA requirements were originally to be in effect by September 14th, 2019; however, enforcement has been delayed. The initial delay was to allow time for the technology to catch up and be ready, and a second delay followed due to COVID-19.

  • If your business’s bank and your customer’s bank are in the EEA, you must be ready by December 31st, 2020.
  • If your business’s bank and your customer’s bank are in the UK, gradual enforcement started in June of 2021. Full enforcement is expected by March 14th, 2022.

We recommend you start supporting SCA as soon as possible to be ready for the appropriate deadline.

How do I know if I’m SCA compliant?

Most main merchants support 3DS2 (3D Secure 2), which is the new authentication solution that complies with the SCA regulations. Your first step is to ask your merchant bank if they support 3DS2. Your next step is to contact your developer, or contact us, to make sure your eCommerce platform is using a modern version of your merchant’s payment gateway that supports 3DS2.

Help! I’m not compliant!

Worried you aren’t compliant? Just drop us an email and we will help get you straightened out!