PSD2 Authentication

PSD2 regulations came into force in the European Union from 2019 and since then, all the third party service providers and banks were forced to adapt to the new requirements in regard to money transactions inside Europe.

The main goals revolve around making online/remote transactions safer, faster and reduce fraud. With that in mind, it became mandatory to apply a specific set of security measures to every transaction.

More specifically, these measures are covered by what’s called strong customer authentication (SCA), which most of the time is referred to as two-factor authentication (2FA).


PSD2 Authentication and SCA

These two terms — PSD2 Authentication and SCA — are many times used interchangeably, since they refer to the same set of security measures, but that doesn’t mean they are synonyms.

Essentially, strong customer authentication is a set of safety measures/regulations that were integrated into PSD2, under the authentication section.


How was SCA integrated into PSD2 Authentication

The set of rules implemented by strong customer authentication are very clear, easy to follow and easy to monitor.

For a transaction to be validated and to comply with the PSD2 authentication requirements, third party providers need to assure that the customer identity is verified using at least two independent pieces of information:

  • Something they own (e.g., smartphone)
  • Something they know (e.g., PIN code)
  • Something they are (e.g., fingerprint)

By assuring that these security measures are followed on every transaction, it became possible to greatly reduce the risk of fraud.

Although these regulations must be applied to payments processed in the European Economic Area (EEA), a few exemptions were created to facilitate some low-risk transactions. Even though a service provider might request exemption for a transaction, the last decision will always be taken by the bank, which can always deny it and request for SCA to be applied.

Most common PSD2 authentication SCA exemptions:

  • Fixed-amount subscriptions
  • When a subscription is initiated and the amount charged is fixed, SCA is only applicable on the first payment. All the subsequent payments can be processed without applying SCA, as long as the amount remains the same and it’s done by the same merchant.
  • Payments below €30
  • All transactions below the 30 euro mark may be exempted from SCA, but there are two situations where banks will still need to request customer authentication. If the exemption has been used five times in a row, or if the sum of exempted payments exceeds 100 euros, banks will be force to apply SCA.
  • Low-risk transactions
  • A payment provider is allowed to do a real-time risk assessment to decide whether to apply, or not, SCA to a transaction. This is only possible if the provider’s or bank’s overall fraud rates for card payments are below pre-determined thresholds:
  • 0.13% - up to 100 euros
  • 0.06% - up to 250 euros
  • 0.01% - up to 500 euros
  • Merchant-initiated transactions
  • Payments that are made with saved cards and the customer isn’t present at the checkout might qualify for exemption. As long as the customer has authenticated the card when it was saved or at the time of a first transaction.
  • Phone sales
  • Every time card details are acquired over the phone, the payment is labelled as “mail order and telephone orders” (MOTO) and do not require SCA to be applied.
  • Corporate payments
  • Mostly used within the travel industry, where an online travel agent holds a corporate card to manage employee travel expenses.


PSD2 Strong Customer Authentication regulation

With its integration with PSD2, some regulations were introduced to help guide and ensure the correct enforcement of strong customer authentication. More specifically, we are talking about Regulatory Technical Standards, also known as RTS.

These are a set of technical compliance standards that, once endorsed by the European Commission, need to be met by all parties.

While the two major players to guarantee safety with PSD2 are strong customer authentication and secure open standards of communication, they were lightly described in the regulation. For that reason, the European Commission drafted RTS to be applied on both, so the safety and privacy of users would be protected.


PSD2 Strong Customer Authentication PayPal

Being one of the largest online payment platform in the world, PayPal is enquired many times regarding their security practices and measures to fight against fraud. As many of its users perform transactions in Europe,  PayPal couldn’t delay the implementation of new procedures to ensure PSD2 compliance.

To highlight the measures implemented, PayPal even created a dedicated page to PSD2 and Strong Costumer Authentication, explaining to their users what are they and how SCA works within the payment platform.


What were the changes brought to PayPal costumers?

Essentially, PayPal explained to customers that the new implementation will simply result in an extra layer of security when verifying identity. They specify that most of the time users will be able to login by only using their email and password. Although, from time to time, they might be asked to receive an additional one time password.

Get started now!

No trial period. No credit card. Free forever.

Join our Newsletter

We frequently share industry news and Nordigen product updates to our closest friends, fintech innovators and industry experts. Sign up to our newsletter to hear more from us.

By providing your email, you accept
Nordigen's Privacy Policy.