The Complete Guide to PSD2 and Strong Customer Authentication

The Payment Services Directive 2 (PSD2) represents one of the most significant regulatory shifts in the history of European payments. Adopted in 2015 and fully implemented by 2019, PSD2 has fundamentally reshaped how payments are initiated, authenticated, and processed across the European Economic Area (EEA). In this comprehensive guide, we'll break down everything you need to know about PSD2 and its cornerstone requirement: Strong Customer Authentication (SCA).

What is PSD2?

PSD2 is the second iteration of the European Union's Payment Services Directive. It builds upon the original PSD (2007) with the primary objectives of:

  • Creating a more integrated and efficient European payments market
  • Enhancing the security of payments and customer data
  • Opening up the payment ecosystem to new entrants (Third-Party Providers)
  • Improving consumer protection and rights

Unlike the first directive, PSD2 introduces two new categories of regulated payment service providers: Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs). These "Open Banking" entities can access account information and initiate payments on behalf of customers, provided they have explicit consent.

"PSD2 isn't just a regulatory mandate — it's a catalyst for innovation. By forcing banks to open their APIs, the directive has created an entire ecosystem of fintech services that simply couldn't exist before."

— Eleanor Hayes, Head of Compliance at Mossen

Understanding Strong Customer Authentication (SCA)

At the heart of PSD2's security framework lies Strong Customer Authentication (SCA). The Regulatory Technical Standards (RTS) on SCA require that electronic payments be authenticated using at least two out of three categories of evidence:

The Three Elements of SCA

  1. Knowledge: Something only the user knows (e.g., password, PIN, security question)
  2. Possession: Something only the user possesses (e.g., mobile device, hardware token, smart card)
  3. Inherence: Something the user is (e.g., fingerprint, facial recognition, voice biometrics)

Critically, these elements must be independent — the compromise of one should not compromise the others. For example, a password stored on the same device used for biometric authentication would not satisfy the SCA requirements.

🔐

SCA Exemptions and Exceptions

Not every transaction requires full SCA. The RTS outlines several exemptions designed to balance security with user experience. Here are the most important ones:

Low-Value Transactions

Transactions below €30 are exempt from SCA, subject to certain conditions. However, cumulative limits apply — SCA is required after five consecutive low-value transactions or when the cumulative amount exceeds €100.

Trusted Beneficiaries

Customers can add specific beneficiaries to a "trusted list" after completing SCA once. Subsequent payments to these beneficiaries may be exempt from repeated authentication.

Transaction Risk Analysis (TRA)

Payment service providers can apply TRA-based exemptions if their fraud monitoring systems determine that a transaction is low-risk. The applicable thresholds depend on the provider's fraud rate.

// Example: SCA Check Logic
function requiresSCA(transaction) {
  // Check amount threshold
  if (transaction.amount < 30 && !exceededCumulativeLimit()) {
    return false;
  }
  
  // Check trusted beneficiary
  if (isTrustedBeneficiary(transaction.recipient)) {
    return false;
  }
  
  // Check TRA exemption
  if (getRiskScore(transaction) < RISK_THRESHOLD) {
    return false;
  }
  
  return true;
}

Implementation Strategies

Successfully implementing SCA requires careful planning across technology, operations, and customer experience. Here's our recommended approach:

  • Start with a gap analysis: Audit your current payment flows against SCA requirements
  • Choose the right authentication methods: Balance security with user experience
  • Leverage exemptions strategically: Use TRA and low-value exemptions to minimise friction
  • Test thoroughly: Simulate various scenarios before going live
  • Monitor and iterate: Track authentication success rates and adjust as needed

3D Secure 2.x: The Primary SCA Solution

For card payments, 3D Secure 2.x (also known as EMV 3-D Secure) has emerged as the de facto standard for achieving SCA compliance. Unlike the original 3D Secure (often called "3DS1"), 3DS2 offers:

  • Better user experience with in-app and native mobile flows
  • More data sharing between merchants and issuers for better risk assessment
  • Higher likelihood of frictionless authentication (no challenge required)
  • Support for biometric authentication methods

"The difference between 3DS1 and 3DS2 is night and day. We've seen conversion rates improve by 18% since migrating our clients to 3DS2, largely due to the increase in frictionless approvals."

— David Roberts, Head of Product at Mossen

Common Pitfalls to Avoid

Based on our experience helping dozens of merchants achieve SCA compliance, here are the most common mistakes we see:

  1. Over-reliance on exemptions: While exemptions reduce friction, overusing them can increase fraud risk and regulatory scrutiny.
  2. Poor fallback mechanisms: Always have a backup authentication method if the primary method fails.
  3. Ignoring mobile optimisation: A significant percentage of payments happen on mobile — ensure your SCA flows work seamlessly on all devices.
  4. Inadequate customer communication: Users abandon payments when they don't understand why they're being asked to authenticate.

Looking Ahead: What's Next?

The payment regulatory landscape continues to evolve. While PSD2 is now fully implemented, the European Banking Authority (EBA) continues to issue guidance and clarifications. Additionally, PSD3 is on the horizon, with the European Commission publishing a review and proposals as early as 2025.

For businesses operating in the UK, post-Brexit divergence remains an important consideration. While the UK has retained most of PSD2 through the Payment Services Regulations 2017, future changes may diverge from the EU framework.

Staying compliant requires ongoing monitoring and adaptation. Working with an experienced payment services provider like Mossen can help you navigate these complexities while focusing on your core business.

EH

Eleanor Hayes

Head of Compliance · Mossen

Eleanor is a payments compliance expert with over 15 years of experience in financial services regulation. Prior to joining Mossen, she held senior compliance roles at major UK banks and served as an FCA policy advisor. She regularly speaks at industry conferences on PSD2, Open Banking, and payment security.

Need help with PSD2 compliance?

Our team of compliance experts can help you navigate SCA requirements, optimise your payment flows, and stay ahead of regulatory changes.