By Daniel Buttigieg on 2019, April 8

3D Secure 2.0 | Seamless authentication experiences - Apcopay

From 14 September 2019, European banks will be required to follow a new regulation imposed by the European Union under PSD2. The new regulation is called Strong Customer Authentication (SCA).

PSD2, Payment Services Directive 2, is the latest guideline imposed by the European Union regarding the financial industry and payments in general. The purposes of the guideline are to ensure more competition and innovation in the European payments market, along with more flexibility for new entrants.

Under PSD2, SCA is being implemented to authenticate users on the basis of three separate elements: the knowledge of the user, the possession of the user and the inherence of the user. Knowledge can take the form of passwords, passphrases, PIN codes, sequences or secret facts. Possession can take the form of a mobile phone, a wearable device like a smartwatch, a smart card, a token or a badge. Inherence can take the form of fingerprints, facial features, voice patterns, iris formats or DNA signatures.

The general focus of SCA is on online services because of their growth in popularity and usage. The result is that, when making payments, a customer is required to present more information than a simple card number and a CVC verification code. SCA will be applied largely to B2C online transactions within the European Union. This means SCA is applicable to transactions between the banks of businesses and cardholders that are located in the European Economic Area (EEA). SCA will also apply to the UK even after Brexit. Businesses located outside the EEA with a large portion of their client portfolio consisting of European clients are also considered to be subject to the SCA regulations.

The first system of this kind is already present in payment systems and is called 3D Secure 1.0. Its task is to verify ecommerce card transactions by redirecting users to a new page where they enter a code to identify themselves. With the inauguration of SCA, the 3D Secure 1.0 system will be updated to a safer and more dynamic version called 3D Secure 2.0. This new version will help minimise some of the friction that the present system adds to the payment flow.

Even though an update is coming for all bank transfers and some card payments, alternatives to this version already exist in payment systems that offer superior support. The best examples are Apple Pay and Google Pay. These card-based payment methods have a built-in layer of authentication consisting of either biometric security or passwords. Other well-built examples of such payment systems are iDeal, Bancontact and Multibanco. These systems need to make only minor changes to their current customer authentication services to provide a better user experience.


However, there are some exemptions to the rule. The first is low-value and low-risk transactions. These are transactions under 30 euro (per 24 hours or per 5 transactions, the amount can’t be above 100 euro) and payments which are considered low risk based on the average fraud levels of the transaction process. Other, more relevant exemptions are subscription or recurring transactions, whitelisted merchants, Mail Order and Telephone Order (MOTO) transactions, inter-regional transactions and B2B transactions. Exemptions regarding card payments are contactless payments and in-person card payments.

The start of Strong Customer Authentication will create new challenges for businesses, but the update to the 3D Secure 2.0 system will ease the blow by making daily transactions much easier, faster and more efficient than before.