What You Need to Know About the PSD2 and Strong Customer Authentication

Caitie Gonzalez
June 12th, 2019

On December 31st, 2020, all payment providers that process payments for consumers in the European Union must adhere to new requirements for authenticating online payments as part of the second Payment Services Directive (PSD2).

Already a FastSpring seller? Skip to the bottom of this piece to find out what you need to do about this regulation.

You may recall the initial Payment Services Directive (PSD), which the European Commission adopted in 2007, then updated in 2009 and again in 2012. The PSD was established as a legal framework that all payment service providers must adhere to in order to sell goods and services in the European Union. It is intended to increase pan-European competition and participation while increasing consumers’ rights and holding payment providers accountable.

In 2015, the EU Commission expanded on the existing regulation and introduced the second Payment Services Directive. The rules introduced in the PSD2 are designed to add protection for consumers making online payments. The biggest change for the ecommerce industry is the Strong Customer Authentication requirement for online transactions. The new regulation will become mandatory on December 31st, 2020.

What is the Strong Customer Authentication requirement?

Strong Customer Authentication (SCA) is intended to increase the security of online payments and reduce fraud. In order to comply, ecommerce merchants must implement two-factor authentication for all eligible transactions.

What does this mean for me and my customers?

Beginning in January of 2021, all ecommerce transactions where either the issued card or acquirer is in the EU are required to incorporate two-factor authentication in the checkout process. Merchants and other players in the payments space are required to have 3D Secure 2.0 implemented by the December 31st, 2020 deadline in order to effectively meet the SCA requirements. However, any transactions or subscriptions initiated prior to the deadline will be grandfathered in.

What is two-factor authentication?

Two-factor authentication uses two or more elements to verify the information needed for secure online purchases. There are three categories for authentication:

  • Knowledge. Something the user knows.
  • Possession. Something the user owns, like a physical credit card.
  • Inherence. Something the user is, like fingerprints or facial recognition.

The most common tool for implementing SCA is 3-D Secure (3DS). A new version of 3DS has been released that offers the ability to authenticate transactions using biometric methods that many mobile phones already offer, like fingerprints and facial recognition. The 3DS2 update also includes an option for “frictionless flow,” where payments are authorized without additional security measures. 3DS2 will become mandatory on December 31st, 2020, as part of the SCA and PSD2.

How is FastSpring preparing for the Strong Customer Authentication requirement?

As a Merchant of Record, FastSpring is actively working with our network of payment issuers, acquirers, and processors to ensure we implement the required changes in the optimal way. We are developing a solution that limits the disruption to the customer experience, conversion rates, and transaction success rates while meeting the requirements and sharing the benefits of the directive.

What do I need to do as a FastSpring customer?

Part of the beauty of FastSpring is that we take on all the Merchant complexity related to global ecommerce. As such, FastSpring sellers are not required to take any additional action with regard to the SCA or PSD2. We will communicate specific changes to the checkout flow in the coming weeks and months as we prepare for the December 31st, 2020 deadline.

What if I am not a FastSpring customer?

If you’re not a FastSpring customer, you are on the hook for adhering to the new regulations. You will need to research and understand the specific requirements for your business and payment processors. Otherwise, you will not be approved to sell in the European Union.

To learn how partnering with a full-service ecommerce provider like FastSpring keeps you compliant with this and all other major ecommerce-related regulations, request a demo with an ecommerce specialist.
