PSD2 and Strong Customer Authentication continue the shift in the online payment landscape in Europe. The next big change comes in January 2021. This article will explain what changes to expect and how to prepare for them.


PSD2 stands for the Payment Services Directive 2. The term was designed by the European Commission to regulate online transactions in Europe.


One of the key requirements of the PSD2 directive is related to Strong Customer Authentication. This requirement will become mandatory for all electronic transactions in the European Union starting in January 2021.


SCA has evolved from the existing 3-D Secure protocol standard developed by the card producers to protect online credit card transactions against fraud. Each vendor has its own name for it.

Services based on the 3-D protocol have different names such as:

  • Verified by Visa
  • SecureCode by MasterCard
  • Safe Key by American Express
  • ProtectBuy by Discover
  • J/Secure by JCB International

Strong Customer Authentication requires cardholders to authenticate themselves with at least two factors out of the following three.

  • something they know - a PIN or a password
  • something they have - a card reader or a mobile phone
  • something they are - voice recognition or a fingerprint scanner


Therefore SCA, a newer version of 3-D Secure, is meant to provide a safer online experience and protect customers against card fraud risks. With SCA the cardholders are no longer able to make an online purchase using only the information on their cards, such as CVV or the card number. From January 2021 online customers will have to verify their identity for example with the bank app (something that they have) and a password (something that they know) or a fingerprint (something that they are) to approve the purchase.


What will the SCA and PSD2 change mean for online merchants?

Until now, it was the decision of the merchant if the 3-D Secure protocol should be used or not. With the new directive that will become biding by January 2021, it is now the issuer who will decide to present authentication in the authorization process. One of the core differences in version 2 is that the issuer can use a lot of data points from the transaction to determine the risk of the transaction. For example, the IP address, the browser information, the cardholder details, etc.


Strong Customer Authentication introduces two flows:

  • The frictionless flow
  • The challenge flow

Frictionless is meant for low-risk or low-value transactions. The issuers will not challange the transactions. The authentication is done in the background and is invisible to the cardholder. This provides a more seamless experience for the customer.


Challenge is for high-risk transactions. If the data provided by the customer is not sufficient, the issuer will require the cardholder to be authenticated. In this situation, an additional authentication request will be added in the checkout process.


How should merchants prepare for the SCA and PSD2?


  1. 3-D Secure implementation
    It is crucial to implement 3-D Secure as soon as possible. If it’s not done by the end of 2020, the European issuers will decline transactions that don’t meet the PSD2 requirements.
  2. Additional customer data
    It’s also important to submit additional data to the issuer in order to maximize the chance that frictionless flow will be dominant. The additional data can be the cardholder's name, email address, phone number, shipping location, and billing addresses or information about previous orders.
  3. Implement fraud detection
    The last thing is to start using fraud detection. The data, already collected for 3-D Secure, is also extremely useful for fraud prevention tools. Risk management algorithms are based on statistics of past behaviors as well as individual merchants' or consumers' data.  As a merchant, you can improve your credibility by consistently sending reliable transactions. This will increase your chances to be considered a safe partner and enable frictionless flow for the future.

How can Secfense help to prepare for the PSD2 deadline?

As you see the PSD2 directive and SCA is strongly related to strong authentication. The online payment related directive requires cardholders to authenticate themselves with at least two factors. Online merchants have little time to introduce strong authentication mechanisms in order to comply with the new law.

The traditional strong authentication deployment process requires software development. The online application that is supposed to be equipped with two-factor authentication needs to be redesigned by software developers so it can work with a new authentication standard. This software development work is usually time-consuming, expensive, and complicates the everyday operations of the company.  


Secfense has developed a solution called User Access Security Broker that is meant to make a strong authentication adoption process smooth and easy. The broker makes it possible to deploy any method of strong authentication without touching a protected application code. No software development work is required. Additionally, security admin has the ability to switch between authentication methods as many different authentication methods are available in the admin dashboard. At any time the administrator can deploy, switch on, and off strong authentication on any web application within the company. This gives independence, comfort, and security that was not possible before when traditional deployment mechanisms were introduced. To learn more about the Secfense broker please visit our solution site.