How to prepare for the PSD2 regulation from September 2019?

How to prepare for the PSD2 regulation on strong client authentication (09/2019)


As of September 14, 2019, some banks will decline online payments that are not protected by additional authentication.

Strong Client Authentication (SCA) is a new legal requirement of the European Union. It will enter into force in September under the revised Payment Services Directive. PSD2 aims to fight fraud and enhance the security of online transactions.

As an online store owner who accepts credit cards or wire transfers online, you need to prepare for this change to allow your customers to easily checkout. For your convenience, we’ve summarized in this short article everything you need to know.


What does a strong client authentication mean

Every time you pay for something online, you confirm your identity using a process called « authentication ». Just as if a key on your door was protecting your home from intruders, authentication protected your money from fraudsters online.

There are three ways (or authentication factors) to prove your identity:

Knowledge: a secret that you are the only one to know (a PIN, a password, the birthday of an old friend);
Property: a physical object in your possession (ID, credit card, mobile phone);
Inherence: a physical characteristic that is unique to you (your fingerprint, your signature, your face identifier or your voice).

Strong Customer Authentication (SCA) requires anyone making online payments to require an extra step to verify the identity of the customer making a payment by credit card or online bank transfer. Thus, instead of a single form of authentication, buyers will be required to provide two authentication factors from the list above. The exact method (for example, entering a single-use code) will be chosen by the cardholder’s bank.


How to prepare for PSD2

The responsibility for complying with SCA lies primarily with your payment gateway. The chosen payment gateway will be required to set up an additional authentication step for credit card payments in order to do business in the EU.

However, if your payment gateway chooses not to comply with the SCA requirements, some credit card payments in your online store may be denied, resulting in lower conversion rates and lost sales. So while the responsibility lies with the payment gateway, you can still feel the consequences.

But SCA does not affect all merchants under the sun. What you need to be prepared depends on where you sell and how you are paid.


Your website is not hosted in the EU

If you are not from the European Union or do not trade in it, SCA will not affect you.

However, if your bank is not in Europe but your customer is, SCA can still apply. The final decision belongs to the bank of the cardholder. For example, some European issuing banks will need SCAs when the payment recipient is outside Europe, while others can not.

If you live in the United States or in another third country, but have European customers, it is advisable to offer an SCA-compliant method of payment to avoid loss of credit card payments. In this case, read the instructions for European merchants below to learn how to prepare for SCA.


Your website is hosted in the EU

The SCA applies to you if your customers and banks are located in Europe, but your action beyond depends on the payment method of your orders.

You accept credit cards. The SCA applies specifically to credit cards and bank transfers. It is therefore important to ensure that your payment gateway conforms to the SCA:

If you accept credit cards online with Stripe, for example, the compliance update for the SCA will probably be done automatically. Just make sure you use the most recent and optimized payment page of your online store.
If you use other online payment options to accept credit cards or bank transfers (for example, Authorize.Net, 2Checkout), contact your payment gateway support team to confirm their compliance with SCA. If your payment gateway redirects customers to their website in order to complete the transactions (such as Authorize.Net), adjustments will need to be made to the gateway side in accordance with the new SCA standard. If your payment gateway does not plan to comply with the new SCA requirements, consider adding other payment options to your store.

If you only accept payments in cash or other offline methods, you are out of play! SCA only applies to online payment methods in this scenario.



Your website is hosted in the United Kingdom

If you live in the UK, SCA applies to you. Even if the UK is not part of the EU, SCA will continue to apply to UK citizens.

But there is good news: the UK has pushed the deadline for compliance. So you have more than a year to meet the new requirements.


It’s your turn

Although SCA does not legally require merchants to comply, it is strategic to do so for two reasons:

To be sure not to lose customers after transaction failures after September 14th.
To provide additional security for your customers when ordering with SCA-compliant payment gateways.

Take a few minutes to review your connected payment options and tell us if we can help!