PSD2 SCA compliance guide

The information we provide in this guide can help you prepare for PSD2 SCA compliance using 3D Secure. However, the information here should not be taken as legal advice. This guide supplements the following sources:

• Regulatory guidance provided by official domestic authorities.
• Card scheme regulations.
• EMVCo specifications for the 3D Secure 2 protocol.

Requirements

Before you begin, take into account the following requirements:

What is PSD2?

The Revised Payment Services Directive (PSD2) is the latest version of the Payment Services Directive, a European regulation requiring strong customer authentication (SCA) to make online payments in the European Economic Area (EEA) more secure.

PSD2 is for banks, not for merchants. This means that to comply with the law in their home country/region, issuing banks must refuse non-compliant transactions. To avoid the risk of issuing banks refusing your transactions, you as a merchant need to ensure that your transactions comply with PSD2 SCA regulations.

What do I need to do to comply with PSD2 SCA?

PSD2 requires you to perform strong customer authentication (SCA) on affected transactions. Our recommended way of applying SCA is implementing 3D Secure. Both 3D Secure 1 and 3D Secure 2 are compliant methods for applying SCA.

For more information, refer to Implement SCA compliance.

Are my payments affected?

Your payments fall within PSD2 SCA scope if both your acquiring processing entity and your customer's issuer processing entity are in the European Economic Area (EEA), Monaco, Switzerland, or the UK.

To determine your obligations, answer the questions on the following pages, beginning with:

Is my business located in one of the in-scope countries/regions for SCA compliance?