European payments are changing

This article gives you all the information you need regarding PSD2 Strong Customer Authentication (SCA) – new security requirements that will come into effect in September 2019. We will describe in detail what the requirements and benefits are and for what type of payments the new stronger authentication is needed.


The European PSD2 directive introduces new requirements for payments called SCA. Strong Customer Authentication is being introduced to make online payments more secure for all stakeholders. In short, SCA means that when a European shopper makes a payment, strong authentication will be required at the time of the payment.

In the past, consumers could be allowed to execute a payment without multi-factor authentication (MFA) by simply entering their card number and a CVC code. According to the new requirements a new security layer will be added in order for all payments to be more secure.

The standard way of implementing MFA is through a tool called 3D-Secure, which is used by the card schemes (Visa, Mastercard, American Express etc.) as a way to verify e-commerce card payments. You may be familiar with the process of making an online payment and being redirected to a new page to input a code or executing BankID or similar. 3D-Secure was implemented to make sure that the card owner is the person that is executing the e-commerce payment.

The new way to secure the card payment and to comply with PSD2 and SCA is called 3D-Secure 2, which will replace the old 3D Secure solution, and will make it easier to collect SCA information. At the time of the payment, 3D-Secure 2 will provide the card issuer with data in order to fight fraud and secure the card holder data.

The SCA requirements will take effect on September 14, 2019.

PSD2 regulation requires SCA for many but not all online payments

The new requirements include that all payments need to be authenticated using two of these three factors:

  • Something you know
  • Something you own
  • Something you are

Traditionally “Something you know” was all that was required to buy something (e.g. card number, expiration and CVC code), but since this information is relatively easy for fraudsters to steal, SCA requires an added factor of authentication, like an OTP, fingerprint, certificate etc. The card issuer and hardware device provide this second factor in the form of 3D-Secure 2.

Online payments today can vary a lot depending on your business models, product types and customers. This means that depending on your set-up SCA rules may affect your payments differently. Generally all payments need to have SCA, but what happens if you use stored payment details or recurring payments or if the customer is situated outside of EU?

The good news is that previously stored cards do not require SCA, so you do not need to worry about older tokenized cardholder data.

Although there are exceptions to SCA, it's up to the card issuer to approve the transactions. The implementation of all features will vary depending on factors such as the roadmap of the banks implementing support for SCA on their side.

Luckily, Mondido has an effective solution for issues that may arise from the new requirements, including fallback payment methods and other tools provided by our proprietary rule and communication engines. Please contact us if you have any questions or considerations on how to best handle the new requirements.

The responsibilities of the different stakeholders

In a payment situation there are many players that each have their own responsibility to secure and execute the transaction. The responsibilities of the different parties are:

    • The consumer

Needs to keep their card data secure

    • The merchant

Needs to use an SCA-approved payment provider

    • The Payment provider

Needs to implement fraud prevention and modern 3D-Secure technologies (3D Secure 2)

    • Card Issuer

Needs to have tools to analyze consumer and merchant data to approve or decline payments, and support exemptions

    • Acquiring bank

Needs to support the SCA framework and monitor fraud

Consequences of not being PSD2 SCA compliant

If you as a merchant, or your payment provider, do not support SCA, there is a high risk of failed payments and of losing your merchant contract with your acquirer. If card acquirers, PSPs and card issuers do not follow and enforce SCA, they also risk losing their license and their ability to participate in the payment networks.

How will SCA affect the payment experience?

If you have 3D-Secure today, the new 3D-Secure 2 will actually entail a better experience for your customers, since the user interface will be much more adapted to modern platforms. In order for the new 3D Secure 2 to work for you, you don’t need to do anything; we will make the changes for you.

If you are not using 3D-Secure today you will need to activate it, at least for the first transaction in a tokenized situation when the payment details are stored. Contact us for help with activation.

How will the new regulations affect my business models

Depending on your business model, there are different scenarios when SCA should and shouldn’t be used. Here is a list of business models:

    • Retail, physical goods

Needs to support SCA for EU consumers

    • Subscriptions and recurring

Needs to have SCA on the first transaction when the card is stored

    • Memberships

Needs to have SCA on the first transaction when the card is stored

    • Services and digital goods

If the merchant charges the consumer after a card is stored, then you need to have SCA on the first transaction when the card is stored

    • Marketplaces

Needs to have SCA on the first transaction when the card is stored

    • Mail and telephone order (MOTO)

Exempted from SCA

    • Mobile, app, IoT

New better UI for SCA

    • Non EU consumers

Exempted from SCA

SCA exemptions

  • Whitelisted merchants
  • Consumers and issuers can whitelist merchants that do not need to have SCA
  • Non EU consumers or merchants
  • < 30 EUR payments
  • Follow-up recurring payments and subscriptions
  • MOTO
  • Merchant Initiated Transactions on a stored card

Low value transactions

If you have transactions below 30 EUR, you are not required to have SCA, until the consumer reaches 100 EUR or more than 5 payments without SCA.
You need to support SCA but can temporarily skip it.
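
The low-value rule above is stateful, so a decision on one payment depends on the exempt payments that preceded it. The sketch below is an added example, not Mondido's or any card scheme's code: `LowValueTracker` and `replay` are hypothetical names, and it assumes that the counters reset after a successful SCA challenge and that "reaches 100 EUR" means the exempt total would become 100 EUR or more.

```python
from dataclasses import dataclass
from decimal import Decimal

# Limits as stated in the article.
PER_PAYMENT_LIMIT = Decimal("30")    # only payments below 30 EUR can be exempt
CUMULATIVE_LIMIT = Decimal("100")    # exempt total since the last SCA
MAX_EXEMPT_PAYMENTS = 5              # exempt payments since the last SCA


@dataclass
class LowValueTracker:
    """Per-card state (hypothetical): exempt spend since the last SCA."""
    exempt_total: Decimal = Decimal("0")
    exempt_count: int = 0

    def needs_sca(self, amount: Decimal) -> bool:
        if amount <= 0:
            raise ValueError("amount must be positive")
        if amount >= PER_PAYMENT_LIMIT:
            return True                      # not a low-value payment
        if self.exempt_count + 1 > MAX_EXEMPT_PAYMENTS:
            return True                      # would be the 6th exempt payment
        # Assumption: "reaches 100 EUR" is treated as total >= 100.
        return self.exempt_total + amount >= CUMULATIVE_LIMIT

    def process(self, amount: Decimal) -> str:
        if self.needs_sca(amount):
            # Assumption: the challenge succeeds, which resets both counters.
            self.exempt_total = Decimal("0")
            self.exempt_count = 0
            return "SCA"
        self.exempt_total += amount
        self.exempt_count += 1
        return "EXEMPT"


def replay(amounts):
    """Run constructed EUR amounts (strings) through a fresh tracker."""
    tracker = LowValueTracker()
    return [tracker.process(Decimal(a)) for a in amounts]


if __name__ == "__main__":
    print(replay(["10"] * 7))                 # count limit triggers on payment 6
    print(replay(["29", "29", "29", "29"]))   # amount limit triggers on payment 4
```

Amounts are held as `Decimal` rather than `float` so that a payment of exactly 30.00 EUR or a running total of exactly 100.00 EUR lands on the intended side of the threshold.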

Mondido is PSD2 ready

3D Secure 1.0 is not the best experience for online consumers, especially when they’re using a mobile device. This means that while the new 3D Secure adds a layer of additional security, it also most likely will lead to lower payment conversion as it’s built using newer technology.

To deal with the new requirements of PSD2 and improve consumer security, Mondido will provide the new 3D-Secure version 2.1. For you this means that 3D Secure:

  • Is adapted for mobile, desktop and other screens
  • Includes dynamic features to skip SCA in some situations
  • Is built to provide the card issuer with fraud prevention data

As a merchant and a Mondido customer you do not need to do anything to participate in the 3D-Secure 2.1 protection system; it will automatically be added to your merchant account.

3D-Secure 2.1 removes the not so convenient redirected pages, and your customers can authenticate themselves with modern mobile-friendly interfaces. 3D-Secure 2.1 uses certified SDKs and APIs to share rich authentication data with banks, making the integration of authentication flows into websites and apps seamless, all while meeting the SCA requirements of PSD2.
