January 18, 2024

PSD2 and SCA compliance checklist: Qualifications and exemptions


Businesses operating in the European Union (EU) are required to comply with the Revised Payment Services Directive (PSD2) and Strong Customer Authentication (SCA) regulations. These regulations aim to enhance security for electronic payments, reduce fraud, and protect customer data.

As a business owner, it's important to understand the requirements and take the necessary steps to ensure compliance. To help you with this process, we have created a checklist of the key items a business needs to adhere to in order to be PSD2 and SCA compliant.

Understanding PSD2 and SCA

Before diving into the compliance checklist, it is important to understand what PSD2 and SCA are. The PSD2 regulation, which came into effect in 2019, aims to increase competition and innovation in the payment industry by opening the market to new players such as fintech startups. 

SCA is a requirement under PSD2 that mandates strong authentication for electronic payments, meaning customers must use at least two of three factors (something they know, something they have, something they are) to verify their identity.

PSD2 and SCA compliance: What businesses need to know

Becoming compliant when working or operating within the EU involves a few critical elements, which exist so that every business adheres to the same compliance protocols. The first step is to understand which businesses fall under PSD2 at all.

Does your business need to be PSD2 compliant? 

The first step in the PSD2 compliance process is determining if your business must comply with PSD2 and SCA. This applies to businesses located within the EU or conducting business with customers in the EU.

To determine if PSD2 and SCA apply to your business, follow these steps:

  1. Location of operations: First, assess whether your business is located within the European Economic Area (EEA), which includes all 27 EU member states, Monaco, and the UK (United Kingdom). PSD2 regulations apply to all businesses operating within these territories.
  2. Customer base: Secondly, look at your customer base. Even if your business is not located within the EEA, if you accept payments from customers in this region, you must comply with PSD2 and SCA.
  3. Transaction type: Evaluate the type of transactions your business processes. If you facilitate electronic payments, especially online or mobile transactions, PSD2 regulations will apply. This includes card payments, bank transfers, and certain types of mobile payments.
  4. Consult a legal advisor: If in doubt, it's always advisable to consult a legal advisor or a professional well-versed in PSD2 and SCA regulations. They can provide an in-depth analysis of your business model and operations, ensuring full compliance with the law.

What types of SCA exemptions exist?

Even if your business is in the EEA and accepts electronic payments, certain transactions may be exempt from the SCA requirements under PSD2. These include low-value transactions, recurring payments, and secure corporate payments. Be sure to understand these exemptions and whether they apply to your business.

  1. Low-value transactions under €30: Transactions of less than €30 are exempt from SCA, but the exemption stops applying after five consecutive exempt payments or once the cumulative total of exempt payments exceeds €100; at that point SCA must be performed, after which the count starts over.
  2. Contactless payments in the UK: Contactless transactions under £100 in a single transaction or £300 in a combined transaction are exempt.
  3. Trusted beneficiaries: Customers can register trusted beneficiaries with their payment service provider; subsequent payments to those beneficiaries are then exempt from SCA.
  4. Recurring transactions: Regular payments of the same amount to the same company are exempt from SCA after the first payment is authenticated. Recurring subscription payments fall under this category. 
  5. Secure corporate payments: Payments made through dedicated corporate processes and protocols are exempt from SCA.
  6. Low-risk transactions: Transactions deemed low-risk based on real-time risk analysis may be exempt from SCA.
  7. Self-payments (account transfers): Transfers made by the account holder to themselves on the same payment service provider are exempt.

Remember, while these exemptions exist, it's crucial to understand and apply them correctly to avoid non-compliance penalties, sometimes up to 4% of annual revenue.
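The low-value exemption above is a small state machine: a per-card counter of consecutive exempt payments and a running total, both cleared whenever SCA is actually performed. The following is an added example (not code from the original post or from any payment provider) that implements that decision from the payment service provider's side. It assumes amounts are handled in integer euro cents and that the per-card counters are kept in memory; the thresholds are the ones quoted above (€30 per transaction, five consecutive payments, €100 cumulative).

```python
"""Low-value SCA exemption tracker (added example, not the post's own code).

Assumptions not stated on the page: amounts are integer euro cents, and the
per-card state (consecutive exempt count, cumulative exempt total since the
last SCA) is held in memory by the payment service provider.
"""
from dataclasses import dataclass

LOW_VALUE_LIMIT_CENTS = 30_00      # a single payment must be below EUR 30
MAX_CONSECUTIVE_EXEMPT = 5         # after five exempt payments SCA is required
CUMULATIVE_LIMIT_CENTS = 100_00    # or once the running total exceeds EUR 100


@dataclass
class CardState:
    """Per-card counters since the last strong authentication."""
    consecutive_exempt: int = 0
    cumulative_cents: int = 0

    def reset(self) -> None:
        # Called after SCA has been performed: both counters start over.
        self.consecutive_exempt = 0
        self.cumulative_cents = 0


def low_value_exempt(state: CardState, amount_cents: int) -> bool:
    """Return True if this payment may skip SCA under the low-value exemption.

    Evaluated against the state *before* the payment plus the new amount:
    - the amount must be below EUR 30,
    - fewer than five consecutive exempt payments have been made,
    - the cumulative exempt total including this payment stays at or below EUR 100.
    """
    if amount_cents >= LOW_VALUE_LIMIT_CENTS:
        return False
    if state.consecutive_exempt >= MAX_CONSECUTIVE_EXEMPT:
        return False
    if state.cumulative_cents + amount_cents > CUMULATIVE_LIMIT_CENTS:
        return False
    return True


def process_payment(state: CardState, amount_cents: int) -> str:
    """Apply the exemption decision and update the counters.

    Returns "exempt" when the payment went through without SCA, or "sca" when
    strong customer authentication was (in this simulation) performed, which
    resets the counters as the post describes.
    """
    if low_value_exempt(state, amount_cents):
        state.consecutive_exempt += 1
        state.cumulative_cents += amount_cents
        return "exempt"
    state.reset()  # SCA performed; counting starts again
    return "sca"


def run_sequence(amounts_cents):
    """Run a sequence of payments on a fresh card and return each decision."""
    state = CardState()
    return [process_payment(state, a) for a in amounts_cents]


if __name__ == "__main__":
    # Constructed sequence: six EUR 10 payments, then EUR 25, then EUR 45.
    # The sixth payment trips the five-in-a-row limit; the EUR 45 one is
    # simply too large for the exemption.
    print(run_sequence([10_00] * 6 + [25_00, 45_00]))
```

The two sequences worth checking are the one in `__main__` (the consecutive-count limit) and four payments of €29 (the cumulative limit: 29 + 29 + 29 = 87, so the fourth would push the total over €100 and must be authenticated).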

Implementing SCA in your business

To ensure SCA compliance in your business, review the following considerations for a strong and secure SCA strategy.

Adopt multi-factor authentication

Firstly, implement your multi-factor authentication steps. This is the primary requirement of SCA: customers must confirm their identity using two of three possible factors:

  • Something you know (Knowledge): Examples include a password or PIN
  • Something you have (Possession): Examples include a chip card, device fingerprint, or SMS OTP (one-time password)
  • Something you are (Inherence): Examples include a physical fingerprint or Face ID

You can also utilize device intelligence solutions, such as Fingerprint, as a sufficient solution to your "Something You Have" requirement. Including a device fingerprint as part of a layered approach to SCA can serve as a valuable first line of defense, helping to identify known devices and flagging unfamiliar ones for further authentication. 
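The point that matters in practice is that the two factors must come from two *different* categories: a password plus a PIN is two knowledge factors, not SCA. The following added example (not code from the original post or from Fingerprint) checks that rule for an authentication attempt and, following the layered approach described above, counts a recognized device fingerprint as a possession factor while flagging unrecognized devices for step-up. The method identifiers and the method-to-category mapping are this example's own assumptions, built from the examples the post lists.

```python
"""SCA factor-independence check (added example, not the post's own code).

Maps concrete authentication methods to the three SCA categories and checks
that an attempt used methods from at least two distinct categories. The
method names and the mapping below are assumptions for this example.
"""
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


# Assumed mapping of method identifiers to factor categories, following the
# examples given in the post.
METHOD_FACTOR = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "chip_card": Factor.POSSESSION,
    "device_fingerprint": Factor.POSSESSION,
    "sms_otp": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "face_id": Factor.INHERENCE,
}


def factors_used(methods):
    """Return the set of distinct factor categories covered by `methods`.

    An unknown method raises KeyError so that a misconfigured method name
    fails loudly instead of silently counting as a factor.
    """
    return {METHOD_FACTOR[m] for m in methods}


def satisfies_sca(methods) -> bool:
    """True when at least two distinct factor categories were used."""
    return len(factors_used(methods)) >= 2


def evaluate_attempt(methods, device_recognized: bool):
    """Evaluate a login or payment attempt.

    `methods` are the methods the customer completed explicitly. A recognized
    device fingerprint is added as a possession factor, as the post suggests;
    an unrecognized device contributes nothing and the attempt is flagged for
    step-up. Returns (compliant, reason, categories still acceptable as the
    missing factor).
    """
    used = list(methods)
    if device_recognized:
        used.append("device_fingerprint")
    categories = factors_used(used)
    if len(categories) >= 2:
        return True, "two independent factors present", set()
    return False, "step-up required", set(Factor) - categories


if __name__ == "__main__":
    # Constructed attempts: same customer, known device vs. unknown device.
    print(evaluate_attempt(["password"], device_recognized=True))
    print(evaluate_attempt(["password"], device_recognized=False))
    print(evaluate_attempt(["password", "pin"], device_recognized=False))
```

The third constructed attempt is the one that trips people up: two methods were completed, but both are knowledge factors, so the attempt is not SCA compliant and the step-up must come from the possession or inherence category.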

Integrate 3D Secure 2 (3DS2)

3DS2 is the updated version of 3D Secure, an authentication protocol designed to be more user-friendly and mobile-friendly than its predecessor. It also allows for more data sharing between merchants and card issuers, enabling better risk-based analysis. Popular 3D Secure implementations from leading credit card vendors include Verified by Visa, Mastercard Identity Check, and American Express SafeKey.

Make necessary software changes and monitor transactions

When implementing SCA steps for the first time or making significant changes to existing steps, your payment interfaces must accommodate the additional authentication step. This might mean updating your website, mobile app, or in-store payment terminals with different software. Work closely with your payment providers to integrate the SCA requirements into your existing payment processes without breaking them or falling out of compliance.

Additionally, you'll want to monitor your transactions closely to understand how SCA affects your conversion rates and adjust your processes as necessary. If there is a negative effect on your purchases or conversion rates, look at which step of the process is causing the drop-off or cart abandonment and optimize that step or replace it with something else altogether.

Update and communicate with your customers

It's important to communicate changes to your customers. They should understand why extra authentication steps are necessary and how to complete them. This is typically done through an update to a Privacy Policy, Terms and Conditions, or sometimes both. Being upfront with the changes to current customers builds trust and encourages them to be repeat customers. 

Key takeaways

Staying compliant with regulations and requirements can be confusing or stressful for businesses. Still, the time spent adhering to these requirements and being able to operate in specific economic regions is worth it. This article covered the qualifications, exemptions, and considerations of PSD2 and SCA requirements for operating within the EEA.

We also mentioned how device fingerprinting can help streamline and secure the SCA process from instances of payment fraud and identity theft.

Disclaimer: As a quick note, we provide publicly available and well-known information on this topic, but it should not replace any legal or financial advice from a licensed professional. We aim to provide you with the most accurate and up-to-date information. We recommend you consult a professional should you have any questions about anything included in this blog post.
