PSD2 and Strong Customer Authentication

Understand the regulatory requirements, applicable exemptions and how to minimise the impact on conversion


The European Payment Services Directive 2 (PSD2) transformed the digital payment landscape in Europe by introducing the requirement for Strong Customer Authentication (SCA). Its goal is to reduce fraud in electronic payments by demanding additional verification during transactions.

For online merchants, PSD2/SCA represents a delicate balance between security and conversion. Applying authentication to every transaction reduces fraud but also increases friction and can drive up abandonment. This guide explains how to navigate that tension.

What is PSD2 and what does it require?

PSD2 is the European directive that regulates electronic payment services in the European Economic Area (EEA). It came into force in 2018 and its most impactful requirement, SCA, was phased in gradually until September 2021 in most countries.

The directive pursues three objectives: increasing the security of electronic payments, fostering innovation by opening access to bank accounts (Open Banking) and protecting consumer rights. For ecommerce businesses, the practical impact centres on SCA.

  • Applies to buyer-initiated transactions within the EEA
  • Affects card payments, bank transfers and account-to-account payments
  • Requires authentication with at least two of three factors: knowledge, possession and inherence
  • Payment gateways handle most of the technical compliance

The three authentication factors

SCA requires the payer to authenticate with at least two independent factors from three different categories. This ensures that even if one factor is compromised, the transaction remains protected.

  • Knowledge (something you know): PIN, password, security question answer
  • Possession (something you have): mobile phone, physical card, hardware token, banking app
  • Inherence (something you are): fingerprint, facial recognition, voice recognition

SCA exemptions

Not every transaction requires SCA. The directive defines exemptions that, when properly applied, reduce friction without compromising security. Exemptions are requested by the merchant or gateway, but the card issuer has the final say on whether to accept them.

  • Low-value transactions: payments under €30 (with a cumulative limit of €100 or 5 consecutive transactions)
  • Low-risk transactions (TRA): based on the acquirer’s risk analysis. Available if the PSP’s fraud rate is below defined thresholds
  • Fixed-amount recurring payments: the first transaction requires SCA, subsequent ones are exempt if the amount stays the same
  • Trusted beneficiaries: the cardholder can mark a merchant as trusted in their bank, exempting future transactions
  • MOTO transactions: payments by phone or mail are outside the scope of SCA
  • Corporate transactions: B2B payments with corporate cards under certain conditions
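The exemption list above can be turned into a decision routine. The following is an added example, not code from the page or from any gateway: it picks the exemption a merchant or PSP could request for a card transaction, keeping per-card counters for the low-value rule (cumulative €100 or 5 consecutive exempted transactions since the last SCA, as the text states) and requiring SCA for the first transaction of a recurring series. The TRA amount bands and fraud-rate thresholds are the EBA RTS reference values and are an assumption not taken from the page; the names `select_exemption`, `record_outcome`, `CardState` and `Transaction` are likewise invented here.

```python
"""Exemption selection for a card payment under PSD2/SCA (added illustration)."""
from dataclasses import dataclass, field
from typing import Optional

LOW_VALUE_LIMIT = 30.00        # from the text: payments under EUR 30
LOW_VALUE_CUMULATIVE = 100.00  # from the text: cumulative EUR 100 since the last SCA
LOW_VALUE_COUNT = 5            # from the text: 5 consecutive exempted transactions

# Transaction Risk Analysis bands: (amount ceiling, PSP reference fraud rate the
# PSP must stay below). Values are the EBA RTS thresholds, quoted as an assumption.
TRA_BANDS = [(100.00, 0.0013), (250.00, 0.0006), (500.00, 0.0001)]


@dataclass
class CardState:
    """Counters kept per card for the low-value rule and recurring/trusted flags."""
    exempt_total: float = 0.0
    exempt_count: int = 0
    last_recurring_amount: Optional[float] = None
    trusted_merchants: set = field(default_factory=set)


@dataclass
class Transaction:
    amount: float
    merchant_id: str
    channel: str = "ecommerce"       # "ecommerce" or "moto"
    recurring: bool = False
    corporate_card: bool = False
    psp_fraud_rate: float = 0.0      # PSP's reference fraud rate (assumed input)


def select_exemption(txn: Transaction, state: CardState) -> Optional[str]:
    """Return the exemption to request, or None when SCA must be applied.

    Out-of-scope channels come first, then exemptions controlled by the card
    holder or the payment setup, then the amount-based ones.
    """
    if txn.channel == "moto":
        return "moto_out_of_scope"
    if txn.merchant_id in state.trusted_merchants:
        return "trusted_beneficiary"
    if txn.recurring:
        # First payment of the series needs SCA; later ones are exempt only if
        # the amount is unchanged.
        return "recurring_fixed_amount" if state.last_recurring_amount == txn.amount else None
    if txn.corporate_card:
        return "corporate"   # secure corporate process conditions not modelled here
    if (txn.amount < LOW_VALUE_LIMIT
            and state.exempt_total + txn.amount <= LOW_VALUE_CUMULATIVE
            and state.exempt_count < LOW_VALUE_COUNT):
        return "low_value"
    for ceiling, threshold in TRA_BANDS:
        if txn.amount <= ceiling:
            return "tra" if txn.psp_fraud_rate < threshold else None
    return None


def record_outcome(txn: Transaction, state: CardState,
                   exemption: Optional[str], sca_applied: bool) -> None:
    """Update the per-card counters once the issuer's decision is known."""
    if sca_applied:
        state.exempt_total = 0.0
        state.exempt_count = 0
        if txn.recurring:
            state.last_recurring_amount = txn.amount
    elif exemption == "low_value":
        state.exempt_total += txn.amount
        state.exempt_count += 1


def run_sequence(txns, state: CardState, psp_fraud_rate: float = 0.0):
    """Process a list of transactions for one card; issuer assumed to accept
    every requested exemption, so SCA is applied exactly when None is returned."""
    results = []
    for txn in txns:
        txn.psp_fraud_rate = psp_fraud_rate
        ex = select_exemption(txn, state)
        record_outcome(txn, state, ex, sca_applied=ex is None)
        results.append(ex)
    return results


if __name__ == "__main__":
    card = CardState()
    small = [Transaction(20.00, "shop") for _ in range(6)]
    print(run_sequence(small, card, psp_fraud_rate=0.002))
```

With a PSP fraud rate above every TRA threshold, six €20 payments on the same card yield five `low_value` exemptions and then `None`: the cumulative €100 limit and the count of five are both reached, so the sixth payment needs SCA, after which the counters reset.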

Technical implementation with 3DS2

3D Secure 2 is the protocol that implements SCA in practice for card payments. Unlike its predecessor, 3DS2 sends contextual data about the device and transaction to the issuer, enabling a more sophisticated risk assessment that powers the frictionless flow.

Gateways like Stripe, Adyen and Checkout.com handle 3DS2 transparently. The merchant submits the transaction, the gateway requests the appropriate exemption and, if the issuer accepts it, the payment completes without user intervention. If the issuer declines the exemption, the challenge flow is triggered.

  • Send as much data as possible with each transaction to maximise frictionless approvals
  • Configure the correct exemptions based on your risk profile and volume
  • Implement fallback flows for when the issuer declines the exemption
  • Monitor approval rate by issuer to identify patterns
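The flow described in the last two paragraphs, as an added example that is not code from the page nor from Stripe, Adyen or Checkout.com: the merchant submits a request carrying an exemption and device data, the issuer either accepts it (frictionless) or not, a declined exemption falls back to the challenge flow instead of failing the payment, and a monitor keeps the frictionless and challenge-approval rates per issuer. The issuer side is a constructed stub so the code runs offline; in production these decisions come back through the gateway. `authorise`, `IssuerStub`, `FlowMonitor`, the device field names and the BIN-keyed policies are all assumptions.

```python
"""3DS2 request, fallback to challenge and per-issuer monitoring (added illustration)."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Optional

# Context fields the merchant can pass with the request (assumed subset of names).
DEVICE_FIELDS = ("ip", "user_agent", "browser_fingerprint", "shipping_match", "customer_age_days")


@dataclass
class PaymentRequest:
    txn_id: str
    issuer_bin: str                 # leading card digits identify the issuer
    amount: float
    exemption: Optional[str]        # e.g. "low_value", "tra", or None
    device_data: Dict[str, str] = field(default_factory=dict)


@dataclass
class Outcome:
    txn_id: str
    issuer_bin: str
    path: str                       # "frictionless" or "challenge"
    approved: bool


class IssuerStub:
    """Constructed issuer policy keyed by BIN: whether requested exemptions are
    honoured, how many device fields its own risk engine wants before granting
    a frictionless flow, and a fixed challenge result."""

    def __init__(self, policies: Dict[str, dict]):
        self.policies = policies

    def _policy(self, issuer_bin: str) -> dict:
        return self.policies.get(issuer_bin, {"honours_exemptions": False,
                                              "min_fields": len(DEVICE_FIELDS),
                                              "challenge_pass": True})

    def evaluate(self, req: PaymentRequest) -> str:
        pol = self._policy(req.issuer_bin)
        if req.exemption and pol["honours_exemptions"]:
            return "frictionless"
        present = sum(1 for f in DEVICE_FIELDS if req.device_data.get(f))
        return "frictionless" if present >= pol["min_fields"] else "challenge"

    def challenge(self, req: PaymentRequest) -> bool:
        return bool(self._policy(req.issuer_bin)["challenge_pass"])


class FlowMonitor:
    """Per-issuer counters for the challenge vs frictionless rates worth tracking."""

    def __init__(self):
        self.counts = defaultdict(lambda: {"frictionless": 0, "challenge": 0, "challenge_approved": 0})

    def record(self, o: Outcome) -> None:
        c = self.counts[o.issuer_bin]
        c[o.path] += 1
        if o.path == "challenge" and o.approved:
            c["challenge_approved"] += 1

    def report(self) -> Dict[str, Dict[str, float]]:
        out = {}
        for issuer_bin, c in self.counts.items():
            total = c["frictionless"] + c["challenge"]
            out[issuer_bin] = {
                "frictionless_rate": round(c["frictionless"] / total, 3) if total else 0.0,
                "challenge_approval_rate": round(c["challenge_approved"] / c["challenge"], 3) if c["challenge"] else 0.0,
            }
        return out


def authorise(req: PaymentRequest, issuer: IssuerStub, monitor: FlowMonitor) -> Outcome:
    if issuer.evaluate(req) == "frictionless":
        outcome = Outcome(req.txn_id, req.issuer_bin, "frictionless", True)
    else:
        # Fallback: a declined exemption is not a declined payment. Re-run the
        # same transaction through the challenge flow and use its result.
        outcome = Outcome(req.txn_id, req.issuer_bin, "challenge", issuer.challenge(req))
    monitor.record(outcome)
    return outcome


def demo():
    """Constructed sample: two issuers with different policies, four payments."""
    issuer = IssuerStub({
        "411111": {"honours_exemptions": True, "min_fields": 3, "challenge_pass": True},
        "555555": {"honours_exemptions": False, "min_fields": 4, "challenge_pass": False},
    })
    monitor = FlowMonitor()
    full = {"ip": "198.51.100.7", "user_agent": "Mozilla/5.0", "browser_fingerprint": "fp-abc", "shipping_match": "Y"}
    sparse = {"ip": "198.51.100.7"}
    reqs = [
        PaymentRequest("t1", "411111", 25.00, "low_value", sparse),  # exemption honoured
        PaymentRequest("t2", "555555", 25.00, "low_value", sparse),  # ignored; sparse data -> challenge fails
        PaymentRequest("t3", "555555", 25.00, "low_value", full),    # ignored; rich data -> frictionless
        PaymentRequest("t4", "411111", 400.00, None, sparse),        # no exemption; challenge passes
    ]
    outcomes = [authorise(r, issuer, monitor) for r in reqs]
    return outcomes, monitor.report()


if __name__ == "__main__":
    for o in demo()[0]:
        print(o)
    print(demo()[1])
```

Transactions `t2` and `t3` are identical except for the device data sent, and only the richer one goes through frictionless with an issuer that ignores exemptions; that is the effect the "send as much data as possible" advice is about, and the per-issuer report is where such a pattern becomes visible.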

Impact on conversion and how to mitigate it

SCA implementation has had a measurable impact on conversion. According to industry data, transactions that go through a 3DS challenge have an abandonment rate 10% to 25% higher than those that do not require additional authentication.

The key to minimising this impact is to maximise exemptions and the frictionless flow. Merchants with low fraud rates and high-quality transaction data achieve up to 85–90% of transactions processed without a challenge. This requires sending complete device data, customer history and transaction information with every request.

Best practices for merchants

Optimal SCA management combines exemption strategy, data quality and continuous monitoring. It is not just about meeting regulatory requirements but doing so in a way that minimises the impact on conversion.

  • Use a gateway that automatically optimises exemption requests (Stripe, Adyen)
  • Send device data (browser fingerprint, IP, user agent) with every transaction
  • Implement trusted beneficiaries for returning customers
  • Monitor challenge vs frictionless rate by issuer and market
  • Offer alternative payment methods that do not require SCA (wallets, bank transfer)
  • Communicate to the user why additional verification may be needed to reduce anxiety

Key Takeaways

  • PSD2/SCA requires two-factor authentication for electronic payments in the EEA
  • Exemptions (low value, low risk, recurring) reduce friction without compromising security
  • 3DS2 is the protocol that implements SCA with frictionless and challenge flows
  • Maximising transaction data sent to the issuer is key to achieving more frictionless approvals
  • Optimal SCA management can maintain conversion without sacrificing security

Need to optimise your SCA implementation?

We help you configure the right exemptions, maximise the frictionless flow and minimise the impact on your payment conversion.