
A Guide to PSD2 – Strong Customer Authentication

Advances in digital technologies and the growth of the internet have led to an explosion in online crime. As traditional crimes like burglary and car theft continue to fall, online fraud has quickly become the most common crime in the UK with almost one in ten people falling victim.

Criminals have shifted their strategies, and online crime has enabled them to target thousands of victims at the same time from almost anywhere in the world. Using phishing, malware, and a host of other tactics, criminals can gain access to people’s bank accounts by tricking them into revealing their passwords and personal details.

These online crimes can have a devastating impact on the victim, and in some cases, individuals aren’t even aware they have been targeted until they realise that their bank account has been cleared out.

The financial services industry has invested heavily in new measures to help protect customers online and this has helped prevent more than £1.6 billion of unauthorised fraud. However, despite this investment, cybercriminals still managed to steal £1.2 billion through fraud and scams in 2018.

In January 2018, a new EU Payment Services Directive (PSD2) was introduced, bringing in new laws designed to enhance consumer rights and reduce online fraud. This was an update to the First Payment Services Directive (PSD1), which was implemented in 2009. The updated Directive was driven by the rise in eCommerce and technological innovation in the payments sector.

What is PSD2 Strong Customer Authentication?

A key element of PSD2 is the introduction of additional security authentication for online transactions of more than €30, known as Strong Customer Authentication (SCA). In the past, customers could check out online simply by entering their card number and CVC code. Under the new PSD2 regulations, customers will need to provide an additional form of authentication.

What is the Strong Customer Authentication requirement?

Under the new regulation, all electronic payment transactions will need to be authenticated by at least two of three possible methods:

  1. Knowledge: Something only the user knows – Ex: A password
  2. Possession: Something only the user possesses – Ex: Mobile phone, token or card reader
  3. Inherence: Something the user is – Ex: Biometric – Fingerprint, facial recognition, voice recognition

Where does Strong Customer Authentication Apply?

SCA will apply to transactions in the European Economic Area (EEA) only, where both payer and payee are in the region. If one of these is located outside Europe, the requirement is for the payment service provider in Europe to use their best efforts to apply SCA.

What is SCA payment?

Strong Customer Authentication will apply to customer-initiated online payments within Europe. This will mean that the majority of card payments and all bank transfers will require SCA.

At the current time, the most common way of authenticating an online card payment relies on 3D Secure. This service is offered by several card providers and gives additional protection to card users by introducing another layer of password protection. Drawbacks of the current method include the use of a different URL for the pop-up screen, which can be mistaken for a phishing site. It can also be difficult to remember multiple passwords for different cards.

To address these challenges and meet the new SCA requirements, an updated version of 3D Secure has been adopted by European banks. The new 3D Secure 2 is mobile friendly and supports the use of biometrics, helping improve the overall user experience.

What are the exemptions to Strong Customer Authentication?

PSD2 was designed to make SCA a requirement for all online transactions. However, some exemptions will help maintain a frictionless customer payment journey and help achieve the right balance between convenience for the consumer and fraud prevention.

Exemptions include:

  • Low-Value Transactions – Transactions under €30 are exempt from SCA. However, if the customer attempts more than five consecutive low-value payments, or if the total payments value exceeds €100, SCA will be required.
  • Recurring Transactions – When a customer makes a regular payment of the same amount to the same business, SCA will only be required for the first transaction. If the amount changes, 3D Secure will be required for every new amount.
  • Whitelisted Merchants – Consumers have the option to assign businesses to a whitelist of trusted beneficiaries. After the first authentication is completed, all further transactions will be exempt from authentication.
  • Low-Risk Transactions – Low-risk transactions that have undergone real-time assessment may be processed without SCA. This decision will be based on the average fraud levels of the card issuer and they will have the ultimate say on whether SCA is required.
  • Mail Order and Telephone Orders (MOTO) – Mail order and telephone order transactions are not considered to be electronic payments, so they are exempt from SCA.
  • Corporate Payments – When a transaction is initiated by a business rather than a consumer, it will not require separate authentication.
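The two-of-three factor rule and the exemption list above, written as one decision function. This is an added example, not the article's or any payment provider's code: the €30, five-payment and €100 thresholds come from the text, while the `CardState` and `Transaction` data model, the factor-name table and the `issuer_low_risk` flag are assumptions standing in for a real issuer's systems.

```python
# Added example, not the article's code: the SCA rules described above as a decision function.
from dataclasses import dataclass, field
LOW_VALUE_LIMIT, MAX_LOW_COUNT, MAX_LOW_TOTAL = 30.0, 5, 100.0   # EUR thresholds from the text
FACTOR_CATEGORIES = {"password": "knowledge", "pin": "knowledge", "phone": "possession",
                     "token": "possession", "card_reader": "possession",
                     "fingerprint": "inherence", "face": "inherence", "voice": "inherence"}

def satisfies_sca(factors):
    """True only when the presented factors span at least two of the three categories."""
    return len({FACTOR_CATEGORIES[f] for f in factors}) >= 2

@dataclass
class CardState:                 # per-card counters (assumed model), reset whenever SCA runs
    n_low: int = 0               # consecutive low-value payments since the last SCA
    sum_low: float = 0.0         # their cumulative value
    trusted_merchants: set = field(default_factory=set)
    recurring_amount: dict = field(default_factory=dict)   # merchant -> last SCA'd amount

@dataclass
class Transaction:
    amount: float
    merchant: str
    eea_both_legs: bool = True   # payer and payee both inside the EEA
    moto: bool = False           # mail order / telephone order
    corporate: bool = False      # initiated by a business, not a consumer
    recurring: bool = False
    issuer_low_risk: bool = False  # outcome of the issuer's real-time risk assessment (assumed)

def sca_required(txn, state):
    """Return (required, reason) and update the counters the way the article's rules imply."""
    exemptions = [(not txn.eea_both_legs, "one leg outside the EEA: best efforts only"),
                  (txn.moto, "MOTO is not an electronic payment"),
                  (txn.corporate, "business-initiated payment"),
                  (txn.merchant in state.trusted_merchants, "whitelisted merchant"),
                  (txn.recurring and state.recurring_amount.get(txn.merchant) == txn.amount,
                   "recurring payment of an unchanged amount"),
                  (txn.issuer_low_risk, "issuer judged the transaction low risk")]
    for exempt, reason in exemptions:
        if exempt:
            return False, reason
    if txn.amount < LOW_VALUE_LIMIT:
        state.n_low += 1                 # this payment counts toward both limits
        state.sum_low += txn.amount
        if state.n_low <= MAX_LOW_COUNT and state.sum_low <= MAX_LOW_TOTAL:
            return False, "low-value transaction"
    state.n_low, state.sum_low = 0, 0.0  # SCA performed: low-value counters reset
    if txn.recurring:
        state.recurring_amount[txn.merchant] = txn.amount
    return True, "SCA required"
```

Which exemption fires first is a design choice of this example; a real issuer applies its own ordering and its own fraud-rate thresholds before using the risk-based exemption.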

When will PSD2 Strong Customer Authentication come into effect?

The implementation of PSD2 Strong Customer Authentication will come into effect from September 14, 2019.

Within the last week, the UK Financial Regulator, the Financial Conduct Authority (FCA), has agreed to delay enforcement of the new online payment regulation by 18 months. Businesses will have until March 2021 to effectively implement the new feature.

The delay was granted after pressure mounted from industry groups warning that card issuers, payment firms, and online retailers would not have enough time to implement the changes and that customers could be impacted as a result.

The FCA said it will not take action against firms that fall foul of the new legislation during this time frame, providing they can demonstrate they have taken steps to comply with the system. After the 18-month grace period, all online payments will be subject to the new security measures.


There’s no doubt that the implementation of PSD2 will bring about huge changes for payment service providers. Many will have to change their systems to handle 3D Secure 2 and other SCA methods, while carefully balancing the convenience and security needs of their customers. However, by helping reduce fraud rates in the industry, the new regulation will lead to increased trust among consumers and ultimately improve the overall customer payment journey.

MetaCompliance specialises in creating the best Cyber Security awareness training available on the market. Our products directly address the specific challenges that arise from cyber threats and corporate governance by making it easier for users to engage in Cyber Security and compliance. Get in touch for further information on how we can help transform Cyber Security training within your organisation.
