Making online payments within the European Economic Area (EEA) or the UK requires authenticating the cardholder before a transaction can proceed.
Under Payment Services Directive 2 (PSD2) that regulates secure payments through Strong Customer Authentication (SCA), when the user makes a payment, they are required to provide two out of three factors:
- Knowledge: something only the user knows.
- Possession: something only the user possesses.
- Inherence: something the user is.
To comply with the regulations, Adyen uses 3D Secure to do two-factor authentication (2FA).
If the following two statements are true, then you must enroll your card in 3D Secure to direct the transactions for authentication with Adyen.
- You are issuing cards within the EEA or the UK.
- The cards that you issue can be used for online payments within the EEA or the UK.
Enroll your cards in 3D Secure
There are two ways to enroll your Adyen-issued cards in 3D Secure:
- One-time password authentication: add the cardholder's mobile phone number and a password when issuing cards. Once successfully enrolled, the cardholder will be prompted to provide their password and one-time password (OTP) sent to their phone number when they make an online payment.
- Out-of-band authentication: register the cardholder's device for subsequent authentication attempts. With the out-of-band (OOB) authentication flow, you can direct the transaction authentication requests to your secure application on an eligible device. Once successfully enrolled, the cardholder will be prompted to complete the authentication in the application using a passcode or biometrics.
Payments that don't trigger 3D Secure
Not all online payments made within the EEA and the UK trigger 3D Secure authentication. This is because some online payments are out of scope or exempted from PSD2 SCA. For these payments, Adyen doesn't require the cardholder to provide an OTP and password or perform out-of-band authentication. The payment proceeds to authorisation.
Reach out to your Adyen contact to check if any of the following exemptions apply to your use case.
The following transactions are not within the scope of PSD2, therefore they don't require SCA.
- Transactions from cards issued outside of the EEA and the UK.
- Transactions with the acquirer based outside the EEA and the UK.
- Merchant-initiated transactions (MIT), used for recurring and subscription transactions. This does not apply to the initial transaction where the merchants set up the recurring or subscription contracts.
- Mail Order/Telephone Order (MOTO) transactions.
If a payment is within the scope of PSD2 regulations, it can still be exempted from SCA. Exemptions can be applied by Adyen or requested by the acquirer. SCA is not required if a transaction is considered to be:
- Low value: This exemption applies if a transaction is less than EUR 30. When the sum of consecutive transactions exceed EUR 100, Adyen requires SCA.
- Secure corporate payment: Transaction from virtual cards.
- Low risk based on Transaction Risk Analysis (TRA): Adyen makes a risk-based decision on whether to perform authentication based on PSD2 regulations.