Industry Regulations GUIDE

A Primer on SCA, PSD2 and 3DS

Stay on top of changing regulations and electronic payment security requirements with our complete guide to SCA and PSD2.


What Is the Revised Payment Services Directive?

The revised Payment Services Directive — more commonly known as PSD2 — is a European regulation that aims to make electronic payment services more secure for consumers while promoting competition, innovation and security within the wider payments industry.

PSD2 traces its origins to the Payment Services Directive (PSD or PSD1), a European Union (EU) directive that was first adopted in 2007. According to the European Commission (EC), PSD “provides the legal foundation for an EU single market for payments to establish safer and more innovative payment services across the EU” and aims “to make cross-border payments as easy, efficient and secure as ‘national’ payments within a member state.”

In recognition of advancements within the electronic payments landscape, the EC introduced a proposal for a revised PSD in 2013. The European Parliament adopted the proposal in 2015, PSD2 went into effect for EU member states in 2018 and all EU member states were required to comply with PSD2 by 2020.

Again, citing the EC, PSD2 offers numerous consumer benefits, including:

  • Stronger security requirements for electronic payments to tackle fraud in online payments and protect consumers’ financial data
  • New regulations for third-party payment service providers, thereby increasing competition within the EU payments market
  • Increased consumer rights, including reduced consumer liability for unauthorized payments and an unconditional refund right for direct debits in euro
  • Prohibition of surcharging
  • An improved complaints procedure

For the purposes of this guide page, we’ll focus on the first of these benefits — stronger security requirements for electronic payments.

What Is Strong Customer Authentication?

Strong customer authentication (SCA) is a PSD2 regulatory requirement that uses multifactor authentication to build an extra layer of security into electronic payments.

In order to meet PSD2’s SCA requirement, all payment service providers must verify customers’ identities using at least two of the following three independent elements (the list below replaces a duplicated transaction-monitoring list; the elements are those PSD2 itself defines and that the EBA recommendations later on this page refer to):

  • Knowledge: something only the customer knows, such as a password or PIN
  • Possession: something only the customer has, such as a registered mobile device or the payment card itself
  • Inherence: something the customer is, such as a fingerprint or facial scan

Is SCA Required?

Yes, SCA is required in all countries within the European Economic Area (EEA) and the U.K. under PSD2’s Regulatory Technical Standards (RTS). SCA was first introduced on September 14, 2019 and was fully enforced in the EEA by December 31, 2020. The U.K. was offered an extended implementation timeline, with a deadline of March 14, 2022.

Failure to comply with PSD2’s SCA requirements could result in issuing banks refusing merchant transactions — which can, in turn, lead to lower authorization rates.

To achieve compliance, payment service providers (PSPs) must implement transaction monitoring to detect any unauthorized or fraudulent behavior and document:

  • Compromised or stolen authentication elements
  • Transaction amounts
  • Any known fraud scenarios in the provision of payment services
  • Signs of malware infection during an authentication session
  • The use of the access device or software provided to the payment service or provider

What Are the Risks of SCA/PSD2 Non-Compliance?

Online businesses that fail to comply with PSD2’s SCA requirements run the risk of declined payments, which can lead to a difficult checkout process, frustrated customers and lower conversion rates. For PSPs, SCA/PSD2 non-compliance can result in penalties, increased liability in the event of fraudulent transactions and damage to brand reputation.

What Is 3D Secure?

At a high level, 3D Secure (3DS) authentication is the most common form of SCA. At a more granular level, 3D Secure is a security protocol designed to reduce the risk of fraud, identity theft and other illicit activities during card-not-present transactions.

3DS utilizes a three-domain model, in which each domain refers to one of the parties involved in the authentication process:

Acquirer Domain

The bank or merchant to which money is being paid

Issuer Domain

The cardholder’s issuing bank

Interoperability Domain

The underlying systems that support 3DS

In 2018, EMVCo — a consortium between Visa, American Express, Mastercard, China UnionPay, Discover and JCB — introduced 3D Secure 2.0 (3DS 2.0). Compared to the original 3DS, 3DS 2.0 includes a software development toolkit to support native integration with mobile applications and conducts risk-based and biometric authentication in the background, creating a frictionless customer experience without compromising on security.

Additional updates include 3DS 2.1, which increased the number of data elements that merchants are able to send to issuers at the point of transaction to 100, and 3DS 2.2, which enables merchants to request exemptions through their acquirer, issuers to use third parties for delegated authentication, and users to conduct authentication outside of the main authentication flow.

Beyond 3DS 2.0, Are There Other Forms of SCA?

Yes. Although 3DS 2.0 is the most common way of authenticating online payments and meeting PSD2’s SCA requirements, certain card-based payment methods — including digital wallets such as Apple Pay and Google Pay — have built-in authentication layers.

What Is Dynamic Linking?

Dynamic linking — which, like SCA, is a PSD2 requirement — refers to the process by which PSPs link transactions to unique, dynamically generated authentication tokens to prevent transaction details from being altered while in transit from the payer to the payee. If the payment amount or the payee changes while transaction details are in transit, the authentication token is rendered invalid, and a new token must be generated.
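The following is an added illustration of the dynamic-linking property described above, not code from this guide or from ACI: the authentication code is computed as an HMAC over the amount, payee and a per-transaction nonce, so any change to the amount or payee in transit makes verification fail. The key, field layout and nonce handling are assumptions for the demo; the RTS requires the binding but does not mandate this particular construction.

```python
import hmac
import hashlib
import secrets
from decimal import Decimal

# Constructed demo key. A real issuer would keep this in an HSM (assumption).
ISSUER_KEY = b"constructed-demo-key-not-for-production"


def canonical(amount: Decimal, currency: str, payee: str, nonce: str) -> bytes:
    """Serialize the linked fields in a fixed order so both sides hash identical bytes."""
    return "|".join([f"{amount:.2f}", currency.upper(), payee, nonce]).encode("utf-8")


def issue_auth_code(amount: Decimal, currency: str, payee: str, key: bytes = ISSUER_KEY):
    """Issuer side: mint a fresh nonce and an authentication code bound to amount and payee."""
    nonce = secrets.token_hex(16)  # unique per transaction, so a code cannot be replayed
    code = hmac.new(key, canonical(amount, currency, payee, nonce), hashlib.sha256).hexdigest()
    return nonce, code


def verify_auth_code(amount: Decimal, currency: str, payee: str,
                     nonce: str, code: str, key: bytes = ISSUER_KEY) -> bool:
    """Verifier side: recompute over the details actually presented for authorization.

    If amount or payee differ from what the code was issued for, the HMAC no longer
    matches and the transaction must be rejected (a new code must be generated).
    """
    expected = hmac.new(key, canonical(amount, currency, payee, nonce), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, code)  # constant-time comparison


def demo():
    # Constructed transaction: EUR 49.99 to a hypothetical merchant identifier.
    amount, currency, payee = Decimal("49.99"), "EUR", "MERCHANT-1234"
    nonce, code = issue_auth_code(amount, currency, payee)
    untouched = verify_auth_code(amount, currency, payee, nonce, code)
    amount_changed = verify_auth_code(Decimal("499.99"), currency, payee, nonce, code)
    payee_changed = verify_auth_code(amount, currency, "MERCHANT-9999", nonce, code)
    return untouched, amount_changed, payee_changed


if __name__ == "__main__":
    print(demo())
```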

What Is the Relationship Between SCA, PSD2, Dynamic Linking and 3DS 2.0?

Both SCA and dynamic linking are requirements for compliance under PSD2’s RTS, while 3DS 2.0 is a form of SCA that enables PSPs and merchants to ensure PSD2 compliance.

What Are the Benefits of Implementing SCA?

In addition to ensuring PSD2 compliance, online merchants and PSPs that implement SCA often see:

Reduced Fraud Risk

By requiring users to authenticate their identities, SCA builds an additional layer of security into the electronic payments process, ensuring that payers are who they claim to be.

Higher Conversion Rates

For merchants, 3DS 2.0 and other forms of SCA optimize payments orchestration and create frictionless flows, while SCA exemptions reduce the risk of declined payments. With fewer hurdles to clear during the checkout process, customers are less likely to abandon their carts, increasing merchants’ conversion rates.

Fewer Chargebacks

SCA makes it much harder for fraudsters to use stolen payment credentials to make transactions, thereby decreasing the rate of true fraud chargebacks.

Increased Consumer Confidence

With stronger security measures and reduced risk of fraud comes increased consumer confidence, increased brand loyalty and better reputational standing for PSPs and merchants alike.

Are There Any Exemptions to SCA?

Yes. There is a wide variety of transactions that are exempt from SCA, either because they are considered low risk or out of scope.

Low-risk transactions include:

Low-Value Transactions

This category encompasses any transaction under €30 in value or cumulative payments under €100 on the same card.

Trusted Beneficiaries

Payments made to merchants that payers have designated as trusted beneficiaries with their issuing bank.

Recurring Transactions

Although the first payment is subject to SCA, all recurring fixed payments from the second transaction onward are exempt.

B2B Transactions

Payments made between corporations are exempt from SCA.

Out-of-scope transactions include:

Mail Order and Telephone Order (MOTO) Transactions

MOTO transactions are not considered electronic payments and therefore are not subject to SCA.

Merchant-Initiated Transactions

Also known as MITs, these refer to any payment initiated by a merchant on behalf of a consumer based on a pre-existing agreement between that merchant and that consumer. Since MITs do not require direct involvement from consumers, they are exempt from SCA.

Inter-Regional Transactions

Also known as one-leg transactions, this category includes any payments where the issuer is not based in the EEA or the U.K., meaning they fall outside of the scope of both SCA and PSD2.

In addition to low-risk and out-of-scope transactions, merchants and PSPs can also capitalize on SCA exemptions by implementing strong transaction risk analysis. Strong transaction risk analysis is exactly what it sounds like: a software layer built into the payments process that analyzes individual transactions and determines their risk level.

Transactions that are deemed low risk — for example, a transaction made from a trusted device or IP geolocation — become eligible for SCA exemption. This eliminates the need for additional authentication layers, allowing for faster transaction approvals and removing unnecessary friction from the purchase process.
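As an added example (not part of this guide or of any ACI product), the rule set described in this section can be expressed as a decision function: out-of-scope cases are separated first, then the low-risk exemptions, using the thresholds exactly as this page states them (under €30 per transaction, under €100 cumulative on the card). The field names, the order in which exemptions are claimed, and the reset of the cumulative counter on each SCA event are assumptions for the illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

# EU member states plus Iceland, Liechtenstein, Norway (EEA) and the U.K.
EEA_UK = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
          "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
          "SE", "IS", "LI", "NO", "GB"}


@dataclass
class Transaction:
    amount_eur: Decimal
    issuer_country: str            # ISO 3166-1 alpha-2 country of the card issuer
    channel: str = "ecommerce"     # "ecommerce" or "moto"
    merchant_initiated: bool = False
    recurring_sequence: int = 0    # 0 = not recurring, 1 = first payment, 2+ = subsequent
    trusted_beneficiary: bool = False
    b2b: bool = False
    tra_low_risk: bool = False     # verdict from the PSP's transaction risk analysis


@dataclass
class CardState:
    cumulative_since_last_sca: Decimal = Decimal("0")  # running total of low-value exemptions


def sca_decision(txn: Transaction, state: CardState) -> str:
    """Return 'out_of_scope:*', 'exempt:*' or 'sca_required' for one transaction."""
    if txn.issuer_country.upper() not in EEA_UK:
        return "out_of_scope:one_leg"          # issuer outside EEA/U.K.
    if txn.channel == "moto":
        return "out_of_scope:moto"             # not an electronic payment
    if txn.merchant_initiated:
        return "out_of_scope:mit"              # no consumer involvement at payment time
    if txn.b2b:
        return "exempt:b2b"
    if txn.trusted_beneficiary:
        return "exempt:trusted_beneficiary"
    if txn.recurring_sequence >= 2:
        return "exempt:recurring"              # first payment still needs SCA
    if txn.amount_eur < 30 and state.cumulative_since_last_sca + txn.amount_eur < 100:
        return "exempt:low_value"
    if txn.tra_low_risk:
        return "exempt:tra"
    return "sca_required"


def apply(txn: Transaction, state: CardState) -> str:
    """Decide and update the low-value counter (assumed bookkeeping: SCA resets it)."""
    decision = sca_decision(txn, state)
    if decision == "sca_required":
        state.cumulative_since_last_sca = Decimal("0")
    elif decision == "exempt:low_value":
        state.cumulative_since_last_sca += txn.amount_eur
    return decision
```

Note that the transaction risk analysis verdict itself depends on acquirer fraud-rate thresholds set by the RTS, which this function takes as an input rather than computing.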


Alleviate the burdens of SCA, remove friction and make the most out of these exemptions as directed by PSD2 with the ACI Fraud Management solution.

How Can I Implement SCA?

Merchants and PSPs looking to implement SCA — either to support PSD2 compliance initiatives or to strengthen their customer security — will need to develop a robust SCA strategy and invest in the appropriate technology.

The ACI Fraud Management solution helps merchants and PSPs reduce their SCA/PSD2 compliance burden through the use of transaction risk analysis, fraud scoring, advanced machine learning models, fraud signal monitoring, fraud screening and more. With ACI’s support, all players within the payments value chain have the ability to develop strong exemption strategies that optimize the payments experience for their customers. 

What Does the Future Hold for PSD2?

In May 2022, the EC published a public consultation and two targeted consultations that cover the PSD2 review and future Open Finance Legal Framework for Europe. The review in question aimed to determine whether PSD2 had achieved its objectives of improving market integration, enhancing competition and making electronic payments safer.

Based on this review, the following items are under consideration and likely to change with the impending release of PSD3:

  • The authorization of both payment institutions and third-party payment providers (TPPs)
  • Own funds and safeguarding-related requirements
  • The provision on liability in case a PSP uses third parties to provide services
  • Triangular passporting
  • Transparency of conditions and information requirements for one-leg transactions
  • The current maximum execution time allowed for payments within the EU
  • The process for performing SCA
  • Whether SCA application should extend to payee-initiated transactions
  • Limits for contactless payments without SCA
  • Open finance issues will be tackled by the Open Finance Framework legislative initiative rather than by PSD3, so they do not belong in the list of PSD3 changes

In June 2022, the European Banking Authority (EBA) published its opinion on its technical advice on the review of PSD2, which included the following recommendations specific to SCA:

  • Clarify aspects on the application of SCA related to reliance on third-party technology, delegation of SCA to TPPs and delegation to technical service providers, including digital wallet providers
  • Clarify different aspects in relation to the use of the SCA elements “knowledge,” “inherence” and “possession”
  • Clarify the nature of the exemptions from SCA and whether these should be optional or mandatory
  • Introduce requirements in relation to the transactions excluded from the scope of application of SCA
  • Introduce clear definitions of merchant-initiated transactions, clarify the regulatory approach to these transactions and introduce requirements with regard to the setup of the mandate
  • Introduce a clear definition of transactions based on mail order and telephone order, clarify the treatment of these transactions and introduce a minimum level of security requirements for these transactions

For a complete list of the EBA’s recommendations and a better view of what PSD3 might look like, we encourage you to read our blog post on the subject.