PSD2 Readyness / EU’s Payment Services Directive 2

The EU’s Payment Services Directive 2  (PSD2) came into force on September 14, bringing a set of responsibilities on companies processing credit/debit card payments online to strengthen security.


The main purpose of the new PSD2 regulations is to combat fraud, but they also open up the payments sector to third-party providers who can manage your online payments for you (only banks exclusively had control over account information).


Irish businesses using e-commerce have been slow to get their online payment systems in line with PSD2, to the effect that the Central Bank has granted a grace period (with as yet no limit date set) businesses to get their websites in order after September 14.


Although PSD2 became law in Ireland in January 2018, popular payments processor Stripe has indicated that more than half of small businesses either don’t know what SCA is  (Strong Customer Authentiation), are not compliant and don’t know when they’ll be compliant.

According to Stripe, on 8 August 2019 the Irish regulator announced a temporary enforcement extension for Irish cards, however, the exact length and scope of the delay has not yet been defined. Across the European Union, only Denmark, France, Hungary and the UK have issued a suggested date to fully require SCA for online payments from their state’s credit cards, and that date is March 2021.



Strong Customer Authentication (SCA)

PSD2 require businesses transacting online within the European Economic Area to implement Strong Customer Authentication (SCA) for transactions over €30. This means that they need to introduce a two-factor authentication process into their payment procedure before a customer can complete a purchase online.

PSD2 thus introduces an extra step into the payments process, which is good for security but it will be an additional headache for business especiallty online retailers. Online shoppers are impatient at the best of times, and it is expected that SCA will drive shpping card abandonment figures higher resulting in lost sales.

How EU PSD2 / SCA regulations will affect your company  will depend on the on the type of purchase, when you charge a customer and what bank (credit card company) your customer uses. Payments platforms (e.g. Stripe, PayPal etc) have already put new software support in place to accommodate the PSD2 regulations, and banks are following suit.   Now those companies with API type integrations will have to update their payment flows to ensure they can transact after once the new regulation comes into full force.



PSD2 Exceptions

There are exceptions supported in the regulations for transactions below €30 or for regular payments such as subscriptions, howevereven these exceptions (if implemented at the discretion of the card issuer) will still require SCA for the initial set-up payment. 


It is expected that the major payment processors (STRIPE, PayPal etc) will be able to handle such exemptions.


What does SCA look like in practice

The EU PSD2 regulation requires companies and banks handling online payments to validate the customer’s identity through any two of the following three categories: something that the customer knows (e.g. a one-time PIN or password sent your system sends them to complete the transaction), something the customer has (e.g. a card or a mobile phone to send the PIN to) or something the customer is (e.g. fingerprint, face recognition).