
PSD2 and strong customer authentication – everything you need to know


The term PSD2 is all over the news, as important new rules are entering into force on 14 September. Our partner Amazon Pay is going to explain what PSD2 means in concrete terms, and how this revision of the payment services directive is going to affect your online shop.

PSD2 is a revision of the first payment services directive and replaces it. The directive regulates payment services within the European Union (EU) and the European Economic Area (EEA) and is intended to ensure a more open and competitive payment landscape. Among the new aspects of PSD2 is strong customer authentication (SCA), a new security level for all online transactions with credit and debit cards that becomes mandatory with effect from 14 September 2019.

The additional verification step will require banks and card issuers to authenticate the card holder to ensure that the payment is legitimate. Payments made as of the effective date that do not meet the required verification criteria may be rejected.

How does SCA work in detail?

SCA is performed for online card payments initiated by the customer, if both the company’s and the card holder’s banks are located within the EEA. This means that the directive applies to all companies that accept online payments within the EU.

During the ordering process, customers may be redirected to their bank’s or their card issuer’s website to carry out the verification. At least two of the three possible factors listed below must be used in this context:

  • Something the customer knows – such as a password
  • Something in the possession of the customer – such as a token or a mobile phone
  • Something that represents the customer or is suitable for unambiguous identification of the person – such as a fingerprint

The precise type of security check and how it is performed are determined by the respective bank.

What does SCA mean for you and your online shop?

Card payments that do not meet the authentication criteria may be rejected by the card-issuing bank. It is therefore crucial that you ensure that your checkout and all activated payment types are capable of handling the new security checks.


Are there any exceptions to SCA?

Low-risk transactions may be exempted from SCA verification requirements. It is important that you make use of these exceptions as a shop operator to maintain a high conversion rate in your shop.

Adding authentication questions to the checkout process adds a further step, and this may cause shopping cart abandonments to increase. Applying the exceptions can reduce the number of authentication dialogues the customer has to face. This in turn can contribute to improving the checkout experience.

You should therefore verify whether exceptions apply to the types of payment that are activated in your shop.

The Amazon Pay payment service, for example, can handle the entire SCA process. Amazon Pay will automatically apply all reasonable exceptions that are available for each type of company and each transaction. The payment service further allows customers who cannot or do not want to validate their card transactions to be redirected directly to alternative payment methods (such as direct debit), thereby preventing the purchase from being cancelled.

The new functions are available to all retailers that have integrated Amazon Pay in their shop. However, if you have already integrated Amazon Pay, you will need to update the plugin to be able to display authentication dialogues.

I heard that strong customer authentication is not entering into force for the time being. Is that true?

It is true that the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, BaFin) and other European financial regulators have issued a statement that allows for a simplification of the strong customer authentication process. However, this simplification is limited in time and it only applies to companies based in Germany. Banks and card issuers may still demand authentication for any cards issued in other countries, even when these are used in shops operated by retailers based in Germany.

The BaFin statement also says that strong customer authentication will still be required from 14 September. The starting date of the new regulation has not been postponed by the granted simplification. It is merely the case that BaFin is temporarily not insisting that the regulation be observed. However, the supervisory authority continues to expect that all parties involved will adjust their infrastructure to the new requirements as soon as possible.