Electronic Payments: What Online Shops Need to do for PSD2 and SCA

19.09.2019, 4m

According to CIFAS, there were almost 500 identities stolen every day in the UK in 2017.

Today, online fraud causes more than a billion euros a year in damages across the European Union, and this figure is very likely to keep rising as e-commerce grows.


By now, you have probably heard about the new rules for online payments. Since 14 September 2019, the strong authentication provisions of the second European Payment Services Directive (PSD2) have been in effect, with the aim of better protecting European consumers against fraud when they shop online.

The directive updates the legal framework for online payments in several respects and affects consumers, online merchants and financial institutions alike. The provision that matters most for online shops is the requirement for Strong Customer Authentication (SCA).

But what exactly is Strong Customer Authentication and what will change for you as an online merchant and for your customers?

Find out in this article!

What is Strong Customer Authentication (SCA)?

When a user wants to make a payment online, it must be ensured that this person is actually authorised to do so. This is achieved through strong authentication.


SCA means asking the buyer for a second identification factor before the order is accepted, for example a one-time code that the customer receives on their mobile phone and must enter to confirm the purchase.

According to the PSD2 directive, strong authentication exists when at least two of the following elements are used for authentication:

  1. Knowledge (something only the consumer knows, e.g. a password, PIN or login credentials)

  2. Possession (something only the consumer has, e.g. a mobile phone or other device on which the verification SMS arrives)

  3. Inherence (something the consumer is, e.g. biometric verification by fingerprint or facial recognition)

These elements must be independent of each other: the compromise of one must not compromise the reliability of the others. Together they are designed to protect the confidentiality of the authentication data.

You probably already know this process from online banking. To make a transfer, you log in with your PIN or password (something you know) and confirm the transfer with a code sent to your mobile device (something you have).

This makes misuse of stolen user data much harder, because an attacker will, as a rule, not also have the user's mobile phone at hand to authorise the payment.


Strong authentication, or SCA, therefore seeks to protect the buyer against fraud by making two independent factors mandatory.

Strong authentication is now mandatory for online purchases - what does this mean for you as an online merchant?

According to the EU Payment Services Directive (EU) 2015/2366 (PSD2), strong authentication has been mandatory for online shops since 14 September 2019. It aims to better protect European consumers against e-commerce fraud.


However, not all payment methods are equally affected by the directive (PSD2):

  1. Direct debit: no strong authentication is needed, because a direct debit is initiated by the payee (the merchant) against the customer's mandate rather than by the payer.

  2. Immediate Transfer/Giropay: these are based on online banking, so the payment is already confirmed with a TAN issued through a second device such as a smartphone. This already constitutes strong authentication.

  3. PayPal: this depends on the funding source behind the PayPal account. If the payment is funded by direct debit, no strong authentication is needed; if it is funded by a credit card, strong authentication is required.

  4. Credit card: strong authentication must be applied; in practice the card schemes do this through a 3-D Secure 2 challenge at checkout.

It is the payment service providers, not the online merchants themselves, who must ensure compliance with these requirements. In other words, providers such as PayPal, Amazon Pay and the credit card companies must adapt their payment procedures to apply strong authentication.

However, as a merchant you are expected to verify that your payment service providers actually meet these requirements, because it is your checkout that fails when they do not.

At the time of writing, some payment providers are still working on this implementation, and some national supervisors have announced transitional periods, so it is not yet possible to say exactly how SCA will work for each provider.

I recommend that you keep an eye on how your payment providers roll this out, so that you can make the necessary changes and update your shop's legal texts in time.

Yes, at the beginning there may be some cart abandonment while consumers are unfamiliar with the new payment process. In the long run, however, the new rules should reduce the number of online fraud cases, give shoppers more confidence, and so increase your customer base.

What are the consequences if you do not comply with the new directive?

If someone impersonates your customer to make a purchase in your online shop and the payment is accepted without strong authentication, the bank refunds the person whose data was stolen the amount wrongly debited and then claims that money back from you or your payment service provider: liability for the fraud shifts to whoever skipped the authentication. In addition, issuing banks may simply decline payments that have not been authenticated, so failed checkouts are the more immediate risk.

Are there any exceptions to enhanced authentication?


As with many other regulations, there are also some exceptions to strong authentication. These are as follows:

  • Users can create whitelists of trusted payees in their online banking, and payments to those payees no longer require strong authentication. (Tip: look after the loyalty of your customers so that you too end up on such whitelists alongside other top merchants.)

  • Recurring payments of the same amount to the same payee (subscriptions) need strong authentication only when the series is set up, and merchant-initiated payments against card details stored at that authenticated setup are likewise out of scope. Simply saving card details on a customer's mobile phone does not by itself exempt a purchase.

  • For remote payments of up to 30 euros, strong authentication is not required, provided that, since SCA was last applied, either the cumulative amount of such payments does not exceed 100 euros or there have been no more than five such payments in a row. Both counters refer to the period since the last SCA, not to a calendar day.
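The low-value and whitelist rules above are stateful: the issuer has to keep counters per card that reset every time SCA is applied. The following is an added example, not code from the original article or from any payment provider, showing how such a decision function can be written. The `PayerState` record, the payee names and the sample amounts are constructed for illustration; the thresholds (30 euros per payment, 100 euros or five payments since the last SCA) are the ones stated in the text. Where the regulation lets an issuer rely on either counter, the example checks both, which is the stricter choice.

```python
"""Reference evaluator for the PSD2 low-value and trusted-payee exemptions.

Added example; the class, payee names and sample amounts are constructed
for illustration and are not taken from any real provider's code.
"""
from dataclasses import dataclass, field
from decimal import Decimal

LOW_VALUE_LIMIT = Decimal("30")      # maximum single payment without SCA
CUMULATIVE_LIMIT = Decimal("100")    # cumulative amount since the last SCA
CONSECUTIVE_LIMIT = 5                # consecutive payments since the last SCA


@dataclass
class PayerState:
    """Per-card counters the issuer keeps between two applications of SCA."""
    trusted_payees: set = field(default_factory=set)
    amount_since_sca: Decimal = Decimal("0")
    count_since_sca: int = 0

    def reset(self) -> None:
        """Called whenever SCA has actually been performed."""
        self.amount_since_sca = Decimal("0")
        self.count_since_sca = 0


def requires_sca(state: PayerState, payee: str, amount: Decimal) -> bool:
    """True if this payer-initiated remote payment must be challenged.

    Trusted-payee whitelist is checked first, then the low-value rule.
    The counters deliberately include the current payment and both limits
    are enforced together (stricter than the 'either counter' wording).
    """
    if payee in state.trusted_payees:
        return False
    if amount > LOW_VALUE_LIMIT:
        return True
    if state.amount_since_sca + amount > CUMULATIVE_LIMIT:
        return True
    if state.count_since_sca + 1 > CONSECUTIVE_LIMIT:
        return True
    return False


def record_outcome(state: PayerState, amount: Decimal, sca_applied: bool) -> None:
    """Update the counters: SCA resets them, an exempted payment accumulates."""
    if sca_applied:
        state.reset()
    else:
        state.amount_since_sca += amount
        state.count_since_sca += 1


def run(state: PayerState, payments: list) -> list:
    """Decide a sequence of (payee, amount); returns True where SCA was required."""
    decisions = []
    for payee, amount in payments:
        sca = requires_sca(state, payee, amount)
        record_outcome(state, amount, sca)
        decisions.append(sca)
    return decisions


if __name__ == "__main__":
    # Constructed sample: four 25 EUR payments pass, the fifth breaks the 100 EUR limit.
    card = PayerState(trusted_payees={"utility-co"})
    sample = [("shop-a", Decimal("25"))] * 4 + [("shop-a", Decimal("5"))]
    print(run(card, sample))  # [False, False, False, False, True]
```

Note that the decision is made by the issuer, not the shop; as a merchant you only see whether a challenge was presented. The example is useful mainly to understand why a fifth small purchase can suddenly trigger a challenge even though each individual amount is under 30 euros.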


There is no doubt that the new rules will strengthen e-commerce for buyers and sellers alike by raising the level of security and giving more confidence when paying online.

Although it is up to the payment service providers to implement strong authentication, as an online merchant you are expected to verify that your providers are implementing and meeting the requirements. You then need to update your online shop's legal texts so that your customers know what they have to do to complete a purchase.
