Authentication: PSD2 SCA is just around the corner

Find out what you need to know before the new European security directive PSD2 and Strong Customer Authentication (SCA) come into effect and what you need to do next.

Datatrans is taking care of the migration from 3-D Secure 1 to 3-D Secure 2 with the aim of making the switchover as simple as possible for affected merchants. 

Who is affected by PSD2?
Datatrans recommends that all merchants who sell goods or services to individuals in the EU and EEA comply with the requirements of PSD2 SCA, irrespective of whether their acquirer is based there or not. If you offer remote payments, you must ensure that 3-D Secure is used for every payment initiated by the customer. Merchant-initiated payments (including MOTO and mail/phone transactions) are not affected.

What do merchants without 3-D Secure have to do?
Datatrans will notify all merchants that process credit card payments using a Merchant ID without 3-D Secure in advance by email. If this includes you, please verify whether your business activities are subject to the rules of PSD2 and whether you need to fulfil the Strong Customer Authentication requirements. The PSD2 and 3-D Secure checklists available on may be helpful in this research. Please contact [email protected] if you have any questions. By the way, if you already have a 3-D Secure agreement, Strong Customer Authentication will automatically be enabled for it.

Special rules on payments using the Server-to-Server API.
Are you using a cardholder-initiated payment process such as One-Click Checkout with Alias that is based on a pure Server-to-Server API? Switch over to the web-based interfaces offered by Datatrans Payment Page now to ensure that 3-D Secure is used. 

Datatrans will keep you updated about exceptions.
The SCA exceptions defined in PSD2 can be used by issuers and acquirers alike. Datatrans will coordinate the application of exceptions agreed between acquirers and merchants. As soon as Datatrans has this information, we will let you know.

SCA Authentication only: One-off SCA for multiple providers.
If a merchant does not have any involvement with the cardholder directly at the point of payment, the SCA Authentication only system ensures a clear distinction between the customer authentication and the authorisation. Take this example from the travel industry: a web-based platform accepts reservations for a hotel room, flight and hire car, and forwards these to the relevant providers. The customer authentication is carried out once on the web platform while the authorisations are handled individually through the providers in compliance with PSD2 SCA.

How does customer authentication work with PayPal, Google or Apple Pay?
According to PSD2, the customer authentication must be carried out by the card issuer or one of its service providers. To allow credit card wallet services such as PayPal, Apple Pay, Google Pay or Samsung Pay to carry out customer authentication in the future, Mastercard and Visa are working on a contractual framework that enables card issuers to delegate SCA to third parties.

The Regulatory Technical Standards (RTS) on strong customer authentication and secure communications pursuant to PSD2 come into effect on 14 September 2019. Datatrans will support you in implementing the technical requirements and is happy to assist with any questions.