Europe’s second Payment Services Directive (PSD2) — and the upcoming PSD3 — include hundreds of detailed regulations impacting dozens of different business types. However, only a small portion of the regulations impact merchants.
The AltoPay team has cut through the noise to share the regulations that are applicable to merchants — without any unnecessary details that would increase confusion.
Before we begin…
AltoPay is sharing this information as a service to online merchants. We believe a simplified explanation of PSD2 and PSD3 will make it easier for merchants to understand their responsibilities. However, AltoPay team members are not legal professionals. Please consult your legal expert for official guidance.
You are required to use strong customer authentication (SCA).
If both your acquirer and the customer's issuing bank are located in the European Economic Area (EEA), you must process online card transactions with SCA; the U.K. kept an equivalent requirement after Brexit, so the same applies when both are in the U.K. There are a few situations where SCA requirements are not applicable (see the exemptions below). But in general, you are expected to comply with SCA requirements, and the issuer, not the merchant, has the final say on whether a given transaction is challenged.
To be considered "strong", your customer authentication process must include at least two of the following, and the two elements must be independent, so that compromising one does not reveal the other:
- Something the customer knows, like a password or PIN.
- Something the customer possesses, like the physical card or the phone that receives a one-time passcode (the passcode itself is only evidence of possessing that device).
- Something the customer inherently is, like a fingerprint or voice recognition.
3D Secure 2.0 is the usual way to deliver strong customer authentication.
3D Secure 2.0 (3DS2) is the most common method of authenticating online card payments in compliance with PSD2.
3DS2 is a messaging protocol that lets you send transaction and contextual data to the issuer for real-time risk assessment. The data is usually a combination of transaction-specific fields, like the card details and amount, and contextual fields, such as device information, billing and shipping addresses, and the customer's account and order history with your store.
The issuer's risk engine scores this data against what it holds on file. If the transaction looks consistent with normal activity, the issuer can authenticate it without any customer interaction (the "frictionless" flow, which relies on the issuer applying a risk-based exemption). If not, the issuer challenges the cardholder, typically with a one-time passcode or an approval in the banking app, and that challenge is the SCA step. A transaction authenticated through 3DS2 also shifts liability for fraud chargebacks to the issuer, which is a large part of why merchants prefer it.
There are 3DS2 alternatives for SCA, but they usually aren't as easy to implement.
3D Secure 2.0 isn't the only way to comply with SCA requirements.
You could use other methods, like texting a one-time passcode or scanning a fingerprint in your own app. Keep in mind that for card payments SCA is performed by the issuer, so a merchant-run check only counts if the issuer has agreed to accept it (the card schemes call this delegated authentication). Those techniques will also require development work for your website or mobile app.
You could technically limit payment options to only methods that already have built-in authentication capabilities, like digital wallets. But few merchants can afford to completely eliminate the acceptance of traditional payment cards.
On the other hand, a solution provider can practically flip a switch and activate 3D Secure 2.0 for your business.
As long as you are in full compliance with PSD2 requirements, you can choose whichever route is most effective for your business.
Some transactions are exempt from SCA requirements.
There are several situations where SCA isn't required. Exceptions fall into three categories:
- Transactions considered to be low-risk
- Transactions that are out-of-scope of PSD2
- Transactions that pass transaction risk analysis (TRA)
Take a look at each of the three categories. In every case the exemption is requested, not guaranteed: the issuer can still demand a challenge.
Low-risk transactions
Some transactions are exempt because they pose little threat to the people involved.
- Low-value transactions: Transactions of €30 or less do not require SCA. The exemption is capped per card, though: once the cardholder has made five consecutive exempt payments, or €100 in combined exempt payments since the last SCA, the issuer must challenge the next one. The issuer keeps these counters, so a low-value payment can still come back with a challenge request.
- Trusted beneficiaries: If a customer has added your business to the "trusted beneficiary" list held by their issuing bank, later payments to you are exempt from SCA. Adding you to the list itself requires SCA.
- Secure corporate payments: Payments made through dedicated corporate processes or protocols that are only available to businesses (for example lodged or virtual corporate cards) are exempt. This is narrower than "any business-to-business transaction"; a business paying with an ordinary consumer card is not exempt on that basis.
Out-of-scope transactions
Some transactions are exempt because they do not fall within the PSD2 regulations.
- Recurring transactions: For a series of payments of the same amount to the same payee, only the first transaction is subject to SCA requirements. Any subsequent transactions do not need SCA.
- Merchant-initiated transactions: If you initiate the transaction with the cardholder's consent, and the cardholder is not present, you are not required to perform SCA, because SCA was performed when the mandate was set up. Some examples of MITs include instalment billing for an expensive furniture purchase, top-up payments for a pre-paid phone plan, or charges for hotel mini-bar usage. Flag these correctly in the authorization message; an MIT submitted as a normal customer-initiated payment will be declined as a soft decline for missing SCA.
- MOTO transactions: Only "electronic" or online transactions are within scope for PSD2. Mail orders and telephone orders, even though they are still considered card-not-present, do not require SCA.
- One-leg transactions: If either your acquirer or the customer's issuing bank is outside the EEA, then the transaction is out of scope for PSD2 and the EEA side only has to apply SCA on a best-effort basis. Since Brexit a payment with one leg in the U.K. and one in the EEA is treated as one-leg on both sides.
Risk-reviewed transactions
You can also request an SCA exemption when your acquirer applies transaction risk analysis (TRA). The amount it can exempt depends on the acquirer's reference fraud rate: up to €100 if the rate is at or below 0.13%, up to €250 at or below 0.06%, and up to €500 at or below 0.01%. Transactions classified as low risk under those thresholds might be eligible for an exemption, but note two caveats: the issuer can still override the request and challenge, and when the exemption is applied on your side, fraud liability stays with you rather than shifting to the issuer.
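The three exemption categories above form a decision procedure, and getting it wrong means either unnecessary challenges or soft declines. The following is an added example, not code from AltoPay or from any scheme or regulator, of how a merchant-side router might decide whether to request an exemption or go straight to a 3DS2 challenge. The country list, the field names and the `classify` function are assumptions made for the example; the €30/5/€100 low-value limits and the TRA tiers are the figures from the RTS. The low-value counters are kept merchant-side only as an approximation, since the issuer holds the authoritative ones and may still answer with a challenge.

```python
from dataclasses import dataclass

# Illustrative subset of country codes treated as "in scope" for this example.
# A real deployment keeps the full EEA list (and treats the U.K. as its own zone).
IN_SCOPE_COUNTRIES = {"DE", "FR", "NL", "IE", "ES", "IT", "BE", "AT"}

LOW_VALUE_MAX_AMOUNT = 30.0        # single payment of €30 or less
LOW_VALUE_MAX_COUNT = 5            # at most 5 exempt payments since the last SCA
LOW_VALUE_MAX_CUMULATIVE = 100.0   # at most €100 cumulative since the last SCA

# Transaction risk analysis tiers: (max acquirer reference fraud rate %, max amount €).
TRA_TIERS = [(0.13, 100.0), (0.06, 250.0), (0.01, 500.0)]


@dataclass
class Transaction:
    """Constructed sample shape; a real gateway exposes more fields."""
    amount_eur: float
    acquirer_country: str
    issuer_country: str
    channel: str = "ecom"          # "ecom" or "moto"
    initiator: str = "cardholder"  # "cardholder" or "merchant"
    recurring_first: bool = False
    recurring_subsequent: bool = False
    trusted_beneficiary: bool = False


@dataclass
class ExemptionCounters:
    """Merchant-side approximation of the issuer's low-value counters."""
    count_since_sca: int = 0
    total_since_sca: float = 0.0

    def reset(self) -> None:
        self.count_since_sca = 0
        self.total_since_sca = 0.0


def tra_limit_eur(acquirer_fraud_rate_pct: float) -> float:
    """Highest amount the acquirer may exempt under TRA for its fraud rate (0 if none)."""
    limit = 0.0
    for max_rate, amount in TRA_TIERS:  # tiers ascend in amount, so the last match wins
        if acquirer_fraud_rate_pct <= max_rate:
            limit = amount
    return limit


def classify(tx: Transaction, counters: ExemptionCounters, acquirer_fraud_rate_pct: float):
    """Return (sca_required, reason) from the merchant's point of view.

    Scope checks come first, then exemptions the merchant can request. Whenever the
    outcome is a challenge, the local counters are reset, because a completed SCA
    restarts the low-value window.
    """
    if tx.acquirer_country not in IN_SCOPE_COUNTRIES or tx.issuer_country not in IN_SCOPE_COUNTRIES:
        return False, "out of scope: one-leg transaction"
    if tx.channel == "moto":
        return False, "out of scope: mail order / telephone order"
    if tx.initiator == "merchant":
        return False, "out of scope: merchant-initiated (SCA done when the mandate was set up)"
    if tx.recurring_subsequent:
        return False, "out of scope: subsequent payment of an authenticated recurring series"
    if tx.recurring_first:
        counters.reset()
        return True, "SCA required: first payment of a recurring or merchant-initiated series"
    if tx.trusted_beneficiary:
        return False, "exemption: trusted beneficiary (whitelist held by the issuer)"
    if tx.amount_eur <= LOW_VALUE_MAX_AMOUNT:
        over_count = counters.count_since_sca + 1 > LOW_VALUE_MAX_COUNT
        over_total = counters.total_since_sca + tx.amount_eur > LOW_VALUE_MAX_CUMULATIVE
        if not (over_count or over_total):
            counters.count_since_sca += 1
            counters.total_since_sca += tx.amount_eur
            return False, "exemption: low value"
        counters.reset()
        return True, "SCA required: low-value limits exhausted (5 payments or €100 since last SCA)"
    if tx.amount_eur <= tra_limit_eur(acquirer_fraud_rate_pct):
        return False, "exemption: transaction risk analysis (fraud liability stays with the merchant)"
    counters.reset()
    return True, "SCA required: request a 3DS2 challenge"


if __name__ == "__main__":
    counters = ExemptionCounters()
    for i in range(6):  # six €20 payments: five ride the exemption, the sixth is challenged
        print(i + 1, classify(Transaction(20.0, "DE", "FR"), counters, 0.1))
    print(classify(Transaction(200.0, "DE", "US"), counters, 0.1))
    print(classify(Transaction(200.0, "DE", "FR"), counters, 0.05))
```

The function only tells you what to request; the 3DS2 response from the issuer is the actual answer, and a "soft decline" on an exempted authorization should be retried with a challenge rather than treated as a failed payment.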
You might be required to issue a refund.
PSD2 includes several rules intended to protect consumers, including an "unconditional refund" right for direct debits.
If the customer paid by direct debit (for example SEPA Direct Debit), they can ask their bank for a refund within eight weeks of the debit date without giving any reason; the bank refunds the customer and recovers the money from you. The right does not depend on fraud having occurred. Separately, a customer who disputes a payment as unauthorised has up to 13 months to notify their bank, so keep your authentication and consent records for at least that long.
You can't add a payment processing fee.
PSD2 includes a surcharge ban.
You are not allowed to charge consumers extra for choosing a particular payment method when that method is a consumer debit or credit card whose interchange fees are capped by the Interchange Fee Regulation, a SEPA direct debit, or a SEPA credit transfer.
If you process a transaction with a payment method that isn't within scope of the surcharge ban, such as a commercial card or a card from a three-party scheme, you can charge a fee. But the amount of the surcharge can't be more than the cost you yourself incur for accepting that method, and some member states ban surcharging entirely, so check the local rules for each market you sell into.
PSD3 is coming soon.
The initial Payment Services Directive was adopted in 2007. It “established a harmonised legal framework for the creation of an integrated EU payments market.”
A few years later, PSD was reviewed and amended to keep pace with evolving payment opportunities and threats. PSD2 was adopted in 2015, setting out “the rules for all retail payments in the EU, euro and non-euro, domestic and cross-border.”
Once again, the Commission has decided to evaluate the current state of digital payments and propose amendments to PSD2. Experts anticipate PSD3 will be adopted sometime in 2025 with a compliance deadline in 2027 or 2028.
- 2007: PSD1 adopted
- 2015: PSD2 adopted
- 2025: PSD3 adopted (anticipated)
- 2027-2028: PSD3 compliance deadline (anticipated)
The following are PSD3 updates suggested by the Commission. They haven’t taken effect yet. We’ll update this article once the directive has been adopted.
Fraud detection solutions might become more accurate.
PSD3 will likely allow payment service providers to share fraud-related information with each other — as long as it is in full compliance with GDPR.
Access to more data should increase the accuracy of fraud detection and prevention techniques, hopefully stopping more fraudsters and reducing the risk of false positives.
SCA accessibility should take all users into account.
PSD3 will likely introduce new SCA methods. The goal is to provide better accessibility for all users, specifically calling out:
- Elderly users
- Low-income users
- Users with disabilities
Updates may require merchants and service providers to explore options that do not depend on a single technology or device — such as a smartphone.
Regulators expect billing descriptors to be clearer.
The Commission pointed out that PSD2 does not regulate a merchant’s billing descriptor (the short explanation of a transaction that appears on a cardholder’s statement). If a merchant uses a name that the cardholder doesn’t recognize, the cardholder might incorrectly suspect fraud.
To address this, the PSD3 proposal requires merchants to provide information in the payment account statement that “unambiguously identifies” the business — such as the business’s commercial trade name.
Authorization holds are under scrutiny.
PSD3 will likely change how authorization holds — or blocks — are handled. Authorization holds freeze account funds or credit until a transaction can be settled.
The Commission wants unused holds to be released quicker and for holds to be proportionate to the final transaction amount.
Navigating the complexities of PSD2 and PSD3
If you’d like to learn more about how to incorporate PSD2 and PSD3 requirements into your payment strategy, let us know. Our team of payment experts can help you make necessary updates — especially if you are new to the European market.
Reach out today if you’d like to schedule a time to meet.
For more than a decade, Jessica Velasco has been a thought leader in the payments industry. She aims to provide readers with valuable, easy-to-understand resources.