PSD2 and SCA concerns. How they can impact your business

Even though the PSD2 implementation started recently, it is already making waves in the EU and globally. At its core, PSD2 is necessary both to open up more possibilities for third-party Fintech companies and to better protect customers from fraud.

Still, some merchants are concerned about this regulation and have to face some of the PSD2 challenges. Today, Maxpay will uncover what companies are most worried about when it comes to PSD2 and strong customer authentication and explain what they can do about it.

The most common PSD2 challenges

First and foremost, let us remind you what PSD2 is. Established in 2018, the Second Payment Services Directive is aimed at promoting competition among financial institutions in order to improve the technological experience and security for merchants and their customers alike. There are two main parts to PSD2:

  • Open banking. This is a significant change to the way brick-and-mortar banks and Fintechs co-exist and provide their services. PSD2 requires that traditional banks give Third-Party Providers (Fintech companies, etc.) access to their customers’ data, which is done through APIs. This way, individuals and companies can use the financial services that third-party businesses provide, which pushes for healthy competition between banks and Fintechs.
  • Strong customer authentication. SCA is aimed at making customers’ online payment experience more secure. The SCA demands that a client verifies their identity via two out of three methods when making a purchase. This way, it is easier to ensure that no one else is using the customer’s stolen data to buy something online. We will elaborate more on SCA in the next section of our article.

The regulations apply to the payments carried out in the EU and EEA, requiring compliance from financial institutions and merchants within said zones. For more information, please check out the article: “What is PSD2 regulation and what is the impact?”. 

The deadline for the implementation of PSD2 within the EU had been postponed multiple times. It finally passed on 31 December 2020. As for Great Britain, the deadline was postponed yet again, till 14 March 2022.

Now, let’s dive into the main PSD2 challenges for financial institutions and merchants. 

For the traditional banks, the challenge was competition. As mentioned before, giving third-party providers access to clients’ data lets people and companies make better use of services from Fintech businesses. The thing is, many Fintechs are more technologically savvy than banks: they provide services online and make financial operations more frictionless.

Thus, brick-and-mortar banks had to up their game when it came to the provision of convenient and quick services. The need for digitization grew even more with multiple lockdowns happening throughout 2020. These factors combined are what push traditional banks to adapt to the growing demand for online services. And healthy competition is always great news for customers and marketplaces!

Companies that accept payments have to face the PSD2 challenges as well. Their concerns relate to strong customer authentication. The problem is that clients who want to purchase something on the merchant’s website need to take additional steps to verify their identity, as SCA demands. That is why companies worry that more people will abandon the shopping cart before completing the order.

Despite this inconvenience, SCA is still a crucial step toward making online payments safer. The double authentication of a customer makes it possible to detect fraudsters who use stolen cardholder data, which keeps businesses from getting chargebacks related to this issue.

So, how can you, as a merchant, deal with this PSD2 challenge? Here are some suggestions:

  • Notify your customers. Warn your clients about SCA beforehand – this way they will know that they make this extra step for safety precautions. Display the information about SCA on your website and/or send short notifications to your existing customers;
  • Ensure your merchant service provider is up to the task. Before starting a merchant account within a bank/other financial institution, make sure they comply with PSD2 legislation or have the 3D Secure version 2 implemented. This applies not only to the EU businesses but international ones as well. Need more information about 3D Secure? Check out the next article section! 

Payment authentication methods


Strong customer authentication is one of the primary requirements for businesses that sell products and services online within the EU and EEA. It requires that a customer passes two-factor authentication when they make a transaction.

Clients need to provide information on two out of three of the following parameters:

  • Something a person knows. This refers to something a customer can generate, like a PIN code, a password, or a security question.
  • Something a person has. A person uses a device they have, like a phone, laptop, or token, to verify their identity.
  • Something a person is. Clients can use their biometric data (via a fingerprint, face recognition technology, or an iris scan) to identify themselves.

The most common way to implement SCA on your website is by using the 3D Secure version 2, which we will describe next.

3D Secure 2

3D Secure (3DS) is a security protocol used for the verification of customers when they make purchases online. Here is how it works: if a merchant doesn’t use the 3D Secure protocol, all their clients need to enter when buying something on the website is their payment details (credit/debit card number, CVV, etc.). But if 3DS is enabled, customers also need to verify that the payment information they provided truly belongs to them. To do so, they enter an OTP or a permanent 3DS password.

In 2016, the 3D Secure 2.0 version (3DS2) was introduced. The 3DS2 version brought new features, like authentication through biometrics, and enabled integration with mobile devices. 3DS2 can also evaluate transactions based on 150 data points, compared to 15 data points in the 3DS version. This means that 3DS2 is more likely to detect fraudulent transactions. Thus, based on all the updates 3DS2 received, it is a necessary tool for SCA implementation.

For even more information on 3D Secure: its history and benefits, check out one of our previous articles.

Maxpay is a payment gateway service provider that also helps companies with merchant account opening. We are PSD2 compliant and offer clients 3D Secure services. Not only that, but merchants can track and analyze their clients’ 3D Secure usage within our transaction reports. For more information on merchant account opening and the fees for our services, please visit Maxpay’s website.