What is PSD2 & SCA? The Essential Guide

How your customers will be affected by the next leap forward in payment security


What Is PSD2?

The second Payment Services Directive (PSD2) is an EU Directive considered to be a game-changer for banking and online retail. Its goal is to increase transparency and consumer trust.

In summary, it will allow customers to approve third-party providers to manage their finances, analyse spending, make Peer-to-Peer (P2P) transfers and more, all through their existing bank account. New, innovative financial service providers could appear in the market as banks allow easy integration to their system (referred to as Open Banking). This is great news for customers as they will have a wider choice of finance providers and a huge variety of ways to pay for goods and services.


What is SCA?

Part of PSD2 is to reduce fraud and improve security. This will be done by introducing Strong Customer Authentication (SCA) for some online electronic card payments. It is scheduled to come into force by early 2021.

Card issuers (typically banks) will require customers to take additional steps to prove their identity during a payment, and can stop working with acquirers, PSPs and organisations (Merchants) who don’t adopt this new layer of security.

How Do I Comply with SCA with Multi-Factor Authentication (MFA)?

The easiest way for merchants and organisations to comply with SCA is to use 3DS 2.0 (or 3DS v2), the next evolution of 3D Secure.

Certain transactions will require customers to provide two of the following three types of information when making a payment:

  • Something you have (e.g. a payment card, mobile phone or security code generator)
  • Something you know (e.g. a password or PIN)
  • Something you are (e.g. a biometric such as a fingerprint)

SCA will drastically improve security, but could frustrate a lot of customers looking for quick and convenient purchases online, especially those who have not encountered existing verification steps like 3D Secure before.

However, the experience of using a smartphone fingerprint reader or SMS code to verify a payment isn’t a completely new experience for many online shoppers. It will soon become the norm for online card payments.

An Example of Multi-Factor Authentication (MFA)

Steve is shopping online using his smartphone. He’s buying an item worth £45.

After entering his credit card details at the checkout stage, SCA requires him to verify his identity. He can either provide his mobile number and receive a security passcode via SMS, or use his smartphone fingerprint reader to complete the payment.

If he wants to make shopping quicker in future, he can save (tokenise) his card with the organisation or add the organisation to a trusted payee list.

Will It Affect All My Transactions?

Good news! No, it won’t. As there are some exemptions to SCA, you may not be affected at all.

These include:

  • Transactions of less than €30 will not require SCA.
  • If your customers pay over the phone and you don’t ask them to read out their card details, SCA will not be required. However, if your agent is using your customer-facing online payment screen to complete a payment, SCA will be required. You should consider an Agent Assisted Payments service.
  • Customers can whitelist your organisation with their banks, which is ideal for those making repeated purchases and regular payments.
  • Transactions deemed low risk when run through a real-time risk assessment by your acquirer or PSP (also known as Transaction Risk Analysis or TRA) will not require SCA.
  • For customers who have signed up to repeat or recurring payments, SCA is only required on the first transaction. Essentially, the customer is giving permission for an organisation or merchant to take future payments of a set amount on a set date.


Here are the ways PSD2 and SCA may affect your organisation and your customers:


If you take card payments over the phone (either via an automated IVR or with an agent), you won’t be affected, as long as your agents aren’t using a customer-facing web payments page to process an order.

Not all over-the-phone payment solutions are equal. If you are asking your customers to read out card details to an agent, you are posing a serious security risk not only to your customers but to your entire organisation.

The best solution is to use an Agent Assisted Payments service so customers can enter their card details securely on their keypad, allowing agents to stay on the call with the customer and follow the transaction, without seeing any sensitive card details.



If you ask your customers to pay online using a debit or credit card, you will see the biggest change. It’s important to assess your customer journey with SCA and the extra verification steps. You may see more customers calling your organisation, wanting to pay over the phone, possibly frustrated with trying to complete their order online.

If you don’t have the facility to take payments over the phone securely, without asking customers to read out their sensitive card details, it should be something you consider to avoid losing sales revenue from frustrated shoppers.

It Depends

If your agents have a flexible service that provides a payment URL within a webchat app or social media messaging, like our Click-to-Pay service, SCA is required. The payment is processed on a secure web payments screen, compliant to PCI DSS Level 1, the highest level.

For webchat payment services that process the payment within the webchat app or window, SCA isn’t required as it is considered a MOTO (Mail Order/Telephone Order) transaction. However, this method implies that the payment is completed within the organisation’s network, so the overall risk and security of the payment could be questioned.


You won’t need to re-authenticate existing customers who have already saved or tokenised their card with your organisation. However, if your customer changes their details such as name, address or adds a new card then SCA may be required.


What Are The Next Steps?

Look at how you take payments and how your customer experience could be affected by the extra steps introduced by SCA and 3DS v2.

Card issuers will be responsible for enforcing the SCA part of PSD2 on relevant transactions by September 14th 2019. This could drastically alter how you collect payments and earn revenue.

For customers struggling to pay online, you may want to provide alternative payment methods, such as a secure over-the-phone payment solution or a 24/7 automated payment line. Tokenisation could also alleviate a lot of friction for customers who make regular and repeated purchases, with a simple tick box advising the card issuer that your organisation can be trusted for future payments.

Key IVR will be fully compliant with the PSD2 directive by the required deadline. Our payment platform provides web, phone and SMS payment services to PCI DSS Level 1, and we’re trusted by hundreds of organisations with over £1.7bn processed annually. It’s our mission to reduce the risk of fraud and improve payment security for organisations, but we also appreciate that you want to make the buying process quick and easy for customers, with as little change as possible in order to be compliant.

Get your free PSD2 assessment

It’s good to know what your options are; the last thing you want is to lose valuable revenue by not being prepared.

Find out how you’re affected with a no-obligation PSD2 assessment.

Mark Kelly

Chief Commercial Officer (CCO) (UK) & VP International Sales (US)