
PSD2 and SCA: Here's what you need to know

Ingenico ePayments prides itself on being confirmed PSD2 compliant since 29 May 2018.

One of the key requirements of PSD2 relates to Strong Customer Authentication (SCA) that is required on all electronic transactions in the EU from September 2019.

This means your customers will no longer be able to make a card payment online by using only the information on their cards. Instead they will have to, for example, verify their identity on a bank app that is connected to their phone and requires a password or fingerprint to approve the purchase.

Get support for PSD2

As a payment partner, Ingenico will support you the whole way.

Ingenico is committed to being the right partner for you, today and tomorrow. When you use our own payment page, SCA compliance is smooth for you: we manage it on your behalf. If you would like to benefit from this as well, please contact us.


Get ready for PSD2 with Stella

Frequently Asked Questions

  • What is PSD2?

    The EU’s Second Payment Services Directive (2015/2366 PSD2) entered into force in January 2018, aiming to ensure consumer protection across all payment types, promoting an even more open, competitive payments landscape. Acting as a payment service provider, Ingenico ePayments prides itself on being confirmed PSD2 compliant since 29 May 2018. 

    One of the key requirements of PSD2 relates to Strong Customer Authentication (SCA) that will be required on all electronic transactions in the EU from September 2019. SCA will require cardholders to authenticate themselves with at least TWO out of the following three methods:

    • Something they know (PIN, password, …)
    • Something they possess (card reader, mobile, …)
    • Something they are (voice recognition, fingerprint, …)

    This means your customers, in practice, will no longer be able to make a card payment online by using only the information on their cards. Instead they will have to, for example, verify their identity on a bank app that is connected to their phone and requires a password or fingerprint to approve the purchase.

    More information about PSD2

  • How does PSD2 impact me as a merchant?

    On September 14th 2019, the Strong Customer Authentication (SCA) rules came into effect for all digital payments in Europe. Right now, banks, payment service providers and card networks are all working on technical solutions that comply with the requirements of PSD2. To accept payments after September 14th you will have to make sure that these technical solutions work with your online store.

    Accepting payments from the world’s largest card networks, Visa, Mastercard and Amex, will require that you have implemented the security solution 3-D Secure for your online store. 3-D Secure has been used since 2001 to improve the security of online card transactions, but a new version has now been developed that supports the PSD2 Strong Customer Authentication requirements.

    Ingenico ePayments recommends using 3-D Secure, since it helps prevent fraud and also protects you from liability in case of fraud. From September 14th 2019 it is also a requirement for accepting payments from the major card schemes.

  • What is the new 3-D Secure v2.1?

    3-D Secure version 2 is an evolution of the existing 3-D Secure version 1 programs: Verified by Visa, Mastercard SecureCode, American Express SafeKey, Diners/Discover ProtectBuy and JCB J/Secure. It is based on a specification drafted by EMVCo. EMVCo exists to facilitate worldwide interoperability and acceptance of secure payment transactions. It is overseen by EMVCo’s six member organizations (American Express, Discover, JCB, Mastercard, UnionPay and Visa) and supported by dozens of banks, merchants, processors, vendors and other industry stakeholders who participate as EMVCo Associates.

    One of the core differences in version 2 is that the issuer can use many data points from the transaction to determine its risk (risk-based analysis). For low-risk transactions, issuers will not challenge the cardholder (e.g. no SMS is sent) while still authenticating the transaction (the frictionless flow). Conversely, for high-risk transactions, issuers will require the cardholder to authenticate by SMS or biometric means (the challenge flow).

    Separately, the Strong Customer Authentication (SCA) required in Europe by September 14th, 2019, as specified in PSD2, will result in a substantial increase in the number of transactions requiring 3-D Secure authentication. The use of 3-D Secure version 2 should limit the potential negative impact on conversion as much as possible. In short, 3-D Secure version 2 means:

    • You will need to implement 3-D Secure before September 14th, 2019 if your transactions fall within the EU PSD2 SCA guidelines (in case you don't already support 3-D Secure).
    • You are advised (and in some cases required) to submit additional data points to support the risk assessment performed by the issuer under 3-D Secure version 2.
    • You might need to update your privacy policy with regard to GDPR, as you might be sharing additional data points with third parties.
    • A much better user experience for your consumers.

    The expectation in the market is that a substantial percentage of transactions using 3-D Secure version 2 will follow the frictionless flow, which doesn't require anything additional from the cardholder compared to current non-3-D Secure checkout flows. This means that you benefit from the increased security and liability shift that is provided by the 3-D Secure programs, while the conversion in your checkout process shouldn't be negatively impacted.

  • What is the difference between exemption and exclusion?

    Exclusions are transactions that are OUT of scope of the PSD2 SCA regulations:

    • Mail order/telephone order
    • One-leg transaction: the payee's PSP (the merchant's acquirer) or the payer's PSP (the issuer of the buyer's payment method) is outside the EEA
    • Anonymous prepaid cards up to 150€ (article 63)
    • MIT (merchant-initiated transactions)

    Exemptions are transactions that are IN the scope of the PSD2 SCA regulations but may be exempted from authentication:

    • Low value transactions
    • Subscriptions
    • Risk analysis
    • Whitelisting

  • What are the exemptions for SCA?

    To make things easier for both merchants and consumers, PSD2 allows for some exemptions from strong customer authentication. What’s important to note is that all transactions that qualify for an exemption won’t be automatically exempted. In the case of card transactions, for example, it’s the card issuing bank that decides if an exemption is approved or not. So, even if a transaction qualifies for an exemption the customer might still have to make a strong customer authentication, if the card issuing bank chooses to demand it.

    • Low value transactions: This exemption will, most likely, be the most frequently used. The exemption says that if a customer makes a purchase for under 30 euros they can be exempted from making a strong customer authentication. This exemption is limited and if a customer makes five such transactions in a row or reaches a value of more than 100 euros, a strong customer authentication will always be required.
    • Subscriptions: Another type of transaction that can be exempted is recurring and subscription payments where the sum for each transaction is the same. For these transactions a strong customer authentication will only be required when the customer first signs up for the subscription and not for every individual transaction.
    • Risk analysis: Exemptions can also be made based on what is called “transaction risk analysis”. This means that a payment service provider, like Ingenico ePayments, can be allowed to make exemptions for transactions that are deemed as “low risk” based on the requirements in PSD2’s technical standards. This exemption has a limit when it comes to transaction value and can only be applied if the payment service provider has a sufficiently low fraud rate for that specific type of transaction.
    • Whitelisting: A final type of exemption is called whitelisted recipients. Whitelisting means that a customer can register certain payment recipients as “trusted” with their card issuing bank. By doing that they won’t have to carry out a strong customer authentication when paying to that specific recipient, subject to the issuing bank agreement.

  • Is Ingenico ePayments ready?

    We advise you to start testing your integration as soon as possible.

    Click here if you’re using the Ingenico eCommerce page. If you’re using your own page, click here.

  • Is Credentials/Card on file (COF) part of the exclusion/exemptions list?

    COF in a nutshell: Customer initiates a first transaction with a merchant with a 3D-S (CIT). From this first transaction experience, the merchant has the possibility to do recurring transactions (subscription or with customer approval -> tokenization), flagged as MIT transactions.

    MITs are one of the exemptions foreseen within 3DSv2, if they fulfil the following cumulative conditions:

    • Subsequent transactions of an initial CIT 
    • CIT was done with a mandatory authentication
    • A dynamic ID linking is made between initial CIT and the subsequent MITs.

    After initial authentication, exemptions/exclusions can apply:

    • Either because of the legal recurring exemption, which applies to subscriptions with a fixed amount and periodicity (merchants are indeed advised to authenticate for the full amount and provide details about the number of payments agreed with the cardholder).
    • Or because other types of transactions are excluded from the SCA scope, at the merchant's sole risk in case of chargeback (protection is limited to the authenticated amount) AND provided the issuer accepts that this risk is taken:
      • Unscheduled COF: the principle of subsequent transactions is agreed with the cardholder, but the amount and/or periodicity is not fixed.
      • Industry practices: incremental, no show, ...

    For the transitional period, schemes have defined a default ID to be used for subsequent MITs created before introduction of 3DS v2.
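The exclusion, exemption and card-on-file rules from the two answers above, as an added example that is not Ingenico ePayments' code. It classifies a single card payment as excluded, exemption-eligible or SCA-required using the thresholds quoted on this page (30€ low-value limit, five in a row, 100€ cumulative, 150€ anonymous prepaid) and the cumulative MIT conditions (authenticated initial CIT plus a linking ID). The transaction and cardholder-history shapes, the EEA table and the sample transactions are all constructed for this example; the issuing bank still decides whether an exemption is actually granted.

```javascript
// Added example, not Ingenico ePayments' code: a scope check for one card
// payment against the PSD2 SCA rules summarised in this FAQ (exclusions,
// exemptions, and the card-on-file / MIT conditions). The transaction and
// cardholder-history shapes are constructed for this example, and the issuing
// bank still decides whether any exemption is actually granted.

// EEA: EU member states plus Iceland, Liechtenstein and Norway.
// Assumption: membership as of 2019; check it before relying on it.
const EEA = new Set([
  'AT', 'BE', 'BG', 'HR', 'CY', 'CZ', 'DK', 'EE', 'FI', 'FR', 'DE', 'GR', 'HU',
  'IE', 'IT', 'LV', 'LT', 'LU', 'MT', 'NL', 'PL', 'PT', 'RO', 'SK', 'SI', 'ES',
  'SE', 'IS', 'LI', 'NO',
]);

// Thresholds quoted on the page.
const LOW_VALUE_MAX_EUR = 30;          // a single payment must be under this
const LOW_VALUE_MAX_IN_A_ROW = 5;      // five exempted payments in a row => SCA
const LOW_VALUE_MAX_CUMULATIVE = 100;  // more than 100 EUR since last SCA => SCA
const ANON_PREPAID_MAX_EUR = 150;

// Exclusions: transactions that are out of scope of SCA altogether.
function exclusionReason(tx) {
  if (tx.channel === 'moto') return 'mail order / telephone order';
  if (!EEA.has(tx.acquirerCountry) || !EEA.has(tx.issuerCountry)) {
    return 'one-leg transaction: a PSP outside the EEA';
  }
  if (tx.anonymousPrepaid && tx.amountEur <= ANON_PREPAID_MAX_EUR) {
    return 'anonymous prepaid card up to 150 EUR';
  }
  // A merchant-initiated transaction is out of scope only when it follows an
  // initial customer-initiated transaction that was authenticated and carries
  // the dynamic ID linking it to that CIT.
  if (tx.initiator === 'merchant' && tx.initialCitAuthenticated && tx.citLinkId) {
    return 'merchant-initiated transaction linked to an authenticated CIT';
  }
  return null;
}

// Low-value exemption. The counters live at the issuer; they are passed in
// here so the rule can be shown. "Five in a row" is read as: the sixth
// consecutive low-value payment needs SCA (assumption).
function lowValueEligible(amountEur, history) {
  return amountEur < LOW_VALUE_MAX_EUR
    && history.exemptedInARow < LOW_VALUE_MAX_IN_A_ROW
    && history.amountSinceLastSca + amountEur <= LOW_VALUE_MAX_CUMULATIVE;
}

// Exemptions: in scope, but the issuer may waive the challenge.
function exemptionReasons(tx, history) {
  const reasons = [];
  if (lowValueEligible(tx.amountEur, history)) reasons.push('low value');
  if (tx.recurring && tx.fixedAmount && !tx.firstOfSeries) {
    reasons.push('subscription: fixed amount, SCA done at sign-up');
  }
  if (tx.traLowRisk) reasons.push('transaction risk analysis by the PSP');
  if (tx.trustedBeneficiary) reasons.push('whitelisted beneficiary');
  return reasons;
}

function scaScope(tx, history = { exemptedInARow: 0, amountSinceLastSca: 0 }) {
  const excluded = exclusionReason(tx);
  if (excluded) return { scope: 'excluded', reasons: [excluded] };
  const exemptions = exemptionReasons(tx, history);
  if (exemptions.length > 0) return { scope: 'exemption-eligible', reasons: exemptions };
  return { scope: 'sca-required', reasons: [] };
}

// Constructed sample transactions.
const SAMPLE_TX = {
  smallEuPurchase: { amountEur: 12, channel: 'ecommerce', acquirerCountry: 'BE',
                     issuerCountry: 'FR', initiator: 'customer' },
  phoneOrder:      { amountEur: 80, channel: 'moto', acquirerCountry: 'BE',
                     issuerCountry: 'FR', initiator: 'customer' },
  usCardholder:    { amountEur: 80, channel: 'ecommerce', acquirerCountry: 'BE',
                     issuerCountry: 'US', initiator: 'customer' },
  linkedMit:       { amountEur: 45, channel: 'ecommerce', acquirerCountry: 'NL',
                     issuerCountry: 'NL', initiator: 'merchant',
                     initialCitAuthenticated: true, citLinkId: 'CIT-LINK-ID-PLACEHOLDER' },
  unlinkedMit:     { amountEur: 45, channel: 'ecommerce', acquirerCountry: 'NL',
                     issuerCountry: 'NL', initiator: 'merchant' },
};

for (const [name, tx] of Object.entries(SAMPLE_TX)) {
  console.log(name, scaScope(tx));
}
```

The same 12€ purchase flips from exemption-eligible to SCA-required once the history shows five exempted payments in a row or a cumulative amount that would pass 100€, which is the part merchants tend to overlook: the exemption is a property of the cardholder's recent history, not of the transaction alone.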

  • What do I need to do to comply with PSD2 and SCA?

    First, you need to make sure that 3-DS is enabled on your online store for all your payment methods (Visa, MasterCard, American Express, Carte Bancaire, JCB). Make sure it's done. If not, please ask our support to activate it.

    As 3-D Secure version 2 (3DSv2) aims to leave the Strong Customer Authentication (SCA) trigger to the issuing bank, the issuing bank needs to assess the risk involved in the transaction more accurately. As a consequence the 3DSv2 specification contains many data elements. Good news if you are using our fraud tool, since some of them are already commonly used in our fraud screening! Of course, some are new and specific to 3-D Secure v2. In summary the data elements can be categorized as follows:

    • Mandatory information - browser data:
      • Integration with shopping carts? You are kindly invited to go to the shopping cart marketplace to install the latest version of the Ingenico ePayments plugin, or contact your supplier directly.
      • If you are using our eCommerce page, the mandatory information is collected by Ingenico ePayments. You can go directly to the recommended information below.
      • If you are using your own payment page, you will need to collect the mandatory information yourself as per below. We advise you to consult our support page to find out how, and take a look at the JavaScript example.
      • Card holder name (CN)
      • Read more in the Directlink 3D guide
    • Recommended information - these could possibly be used as part of fraud prevention screening:
      • Email (EMAIL)
      • IP address (REMOTE_ADDR)
      • Phone number (Mpi.WorkPhone.subscriber, Mpi.HomePhone.subscriber ...)
    • Note that the recommended/optional parameters should be provided to benefit from the frictionless flow, which can increase your conversion.
    • Optional information – extended cardholder/account data as introduced by EMVCo:
      • Mpi.cardholderAccountAgeIndicator
      • Mpi.cardholderAccountChange
      • Mpi.cardholderAccountPasswordChange
      • Mpi.suspiciousAccountActivityDetected
      • Mpi.threeDSRequestorChallengeIndicator

    Our existing APIs already capture many of the data elements, but we are adding many new ones. The reason is that we believe everybody in the payments ecosystem benefits from increased security, with the least possible negative impact on the consumer's experience. Payments are based on trust, and by providing more data it becomes easier for the parties to trust one another without requiring additional challenges to authenticate the consumer. Almost all of the newly added data elements are optional, but we advise you to supply as many of them as possible. This increases the likelihood of your transactions following the frictionless flow, while you benefit from the liability shift. In case you use the Ingenico ePayments hosted payment page, we will capture the browser-related data automatically.

    The level of required changes will differ based on the type of integration you have with Ingenico ePayments.

  • How can I capture additional data for SCA?

    If you use our eCommerce page, Ingenico ePayments will take care of all mandatory fields.

    If you are integrated in DirectLink, meaning that you have your own payment page, we have a Javascript example available on the support page to collect the mandatory data.

    For the optional information collection, refer to our support page on how to integrate with Ingenico ePayments.

  • Could we provide 3-D Secure authentication performed on another MPI than the Ingenico ePayments one?

    No and it is also not planned to do so.

  • What happens if a merchant is not sending the 3DSv2 mandatory fields?

    This situation is only possible if you are integrated via DirectLink (merchant's own page / FlexCheckout), as on the Ingenico ePayments hosted payment page Ingenico ePayments collects the mandatory data itself.

    First of all, Ingenico ePayments will identify whether the flow is to be directed to v1 or v2 based on the card number.

    If the card is enrolled V2, there are the following possible scenarios:

    Mandatory data:

    • If the wrong data is passed, transaction is blocked
    • If some data is missing, Ingenico ePayments will direct your transaction to v1 flow
    • If no data is passed, transaction is NOT blocked but diverted to flow v1

    Recommended or optional data:

    • If no data is passed, the transaction is NOT blocked, but cannot benefit from an exemption.

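The browser-data collection for a merchant-hosted page (the mandatory information described under "What do I need to do to comply" and "How can I capture additional data for SCA?") together with the routing rules just listed, as an added example; this is not the JavaScript from the Ingenico ePayments support page. Field names follow the EMVCo 3-D Secure browser-information elements; the parameter names in the Directlink 3D guide may differ, so treat them, the `cardEnrolledV2` flag and the constructed sample window as assumptions.

```javascript
// Added example, not the JavaScript from Ingenico ePayments' support page:
// collects the 3-D Secure v2 browser data on a merchant-hosted payment page
// and shows how a gateway can route a request whose mandatory fields are
// missing or malformed, following the behaviour the FAQ describes (wrong
// data: blocked; missing or absent data: fall back to the v1 flow). Field
// names follow the EMVCo browser-information elements; the parameter names
// in the Directlink 3D guide may differ, so treat them as assumptions.

// Colour depths (bits) the 3DS specification accepts for browserColorDepth.
const VALID_COLOR_DEPTHS = new Set([1, 4, 8, 15, 16, 24, 32, 48]);

// Mandatory elements for this example: the browser data plus the cardholder
// name (CN) that the FAQ lists under mandatory information.
const MANDATORY_FIELDS = [
  'browserUserAgent', 'browserLanguage', 'browserColorDepth',
  'browserScreenHeight', 'browserScreenWidth', 'browserTimeZone',
  'browserJavaEnabled', 'cardholderName',
];

// Collect browser information. `win` defaults to the page's global object; a
// constructed window-like object can be passed outside a browser.
// browserAcceptHeader is not readable from JavaScript; the server takes it
// from the HTTP Accept header of the request instead.
function collectBrowserData(win = globalThis) {
  const nav = win.navigator || {};
  const scr = win.screen || {};
  return {
    browserUserAgent: nav.userAgent,
    browserLanguage: nav.language,
    browserColorDepth: scr.colorDepth,
    browserScreenHeight: scr.height,
    browserScreenWidth: scr.width,
    // Minutes between UTC and local time, with the sign Date.getTimezoneOffset() uses.
    browserTimeZone: new Date().getTimezoneOffset(),
    browserJavaEnabled: typeof nav.javaEnabled === 'function' ? nav.javaEnabled() : false,
    browserJavascriptEnabled: true,
  };
}

// Cheap format checks; a value that is present but fails them counts as
// "wrong data" in the routing below.
function isWellFormed(field, value) {
  switch (field) {
    case 'browserColorDepth':
      return VALID_COLOR_DEPTHS.has(Number(value));
    case 'browserScreenHeight':
    case 'browserScreenWidth':
      return Number.isInteger(Number(value)) && Number(value) > 0;
    case 'browserTimeZone':
      return Number.isInteger(Number(value));
    case 'browserJavaEnabled':
      return typeof value === 'boolean';
    default:
      return typeof value === 'string' && value.trim().length > 0;
  }
}

// Route a 3-D Secure request the way the FAQ describes for a v2-enrolled card.
function routeThreeDs(request) {
  if (!request.cardEnrolledV2) {
    return { flow: 'v1', reason: 'card not enrolled for 3DS v2', fields: [] };
  }
  const supplied = { ...(request.browser || {}), cardholderName: request.cardholderName };
  const missing = [];
  const malformed = [];
  for (const field of MANDATORY_FIELDS) {
    const value = supplied[field];
    if (value === undefined || value === null || value === '') missing.push(field);
    else if (!isWellFormed(field, value)) malformed.push(field);
  }
  if (malformed.length > 0) {
    return { flow: 'blocked', reason: 'malformed mandatory data', fields: malformed };
  }
  if (missing.length > 0) {
    return { flow: 'v1', reason: 'mandatory data missing, diverted to 3DS v1', fields: missing };
  }
  return { flow: 'v2', reason: 'all mandatory data present', fields: [] };
}

// Constructed window-like object so the example runs outside a browser.
const SAMPLE_WINDOW = {
  navigator: { userAgent: 'Mozilla/5.0 (constructed sample)', language: 'en-GB',
               javaEnabled: () => false },
  screen: { colorDepth: 24, height: 1080, width: 1920 },
};

console.log(routeThreeDs({
  cardEnrolledV2: true,
  browser: collectBrowserData(SAMPLE_WINDOW),
  cardholderName: 'Sample Cardholder',
}));
```

In a real page you would call `collectBrowserData()` with no argument just before submitting the payment form and post the result alongside the card data; the routing function is the gateway-side view of the same fields, and the practical lesson is that a single malformed value (a colour depth the specification does not allow, for instance) is worse than an absent one, because it blocks the transaction instead of merely losing the v2 frictionless path.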
  • What do I need to know on PSD2 and personal data sharing (GDPR)?

    3DSv2 is inviting merchants to send additional information (mandatory / recommended ... ). All you need to know as a merchant can be found here: section 3.

  • My PCI certification is less than 1 year old. Do I need to pass it again if I change my acquirer?

    Your PCI certificate is valid for a year and is compliant for any acquirer.