Guides

PSD2 Compliance

PSD2 is a European regulation for online payment services that was launched by the European Banking Authority. Its goal is to make payments more secure in Europe, increase innovation, and help financial services adapt to new technologies. This page contains guidance that is based on our knowledge and best practices within the payment industry. Please revert with your lawyers and legal counselors regarding the specific impact of the Payment Services Directive 2 (PSD2) on your business.

As of September 2019, the Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) and PSD2 came into effect. The transition period has been set at 15 months - SCA will be enforced by January 2021.

3D Secure

3D Secure 2 and 3D Secure 1 are both compliant to RTS and to PSD2 SCA. 3D Secure 2 is fully supported by Datatrans. Once 3D Secure is applied by the merchant, updates will be handled by us. 3D Secure 1 is the only available fallback as long as 3D Secure 2 is not broadly enrolled over the EEA regions by issuers, acquirers, and other parties. More information on 3D Secure 2 and its integration can be found in the 3D Secure 2 section of our docs.

📘

Apply 3D Secure during registrations to ensure SCA for recurring transactions

During the registration process, 3D Secure has to be applied to allow later merchant-initiated transactions be out of scope of further strong customer authentication. Any customer-initiated payment will remain in scope of SCA.

Within scope

EBA and PSD2 publish guidelines on banking institutions to EEA countries. Each nation in EEA is free to interpret and adapt it to national law. All transactions that take place wholly within the EU/EEA (with an EEA-based acquirer, and an EEA-based card issuer) fall within the scope of PSD2. Consequently, a merchant falls within the scope of PSD2 and SCA if the following criteria are met:

  • The merchant has a contract with an EU/EEA-based acquirer.

We strongly recommend to all merchants offering goods and services to consumers in the EU/EEA to meet the PSD2 requirements for SCA regardless of their location.

Out of scope

Merchant initiated payments: PSD2 and SCA do not regulate merchant-initiated transactions, therefore it is regarded as out of scope. Please bear in mind that the agreement between merchant and cardholder to setup subsequent merchant-initiated transactions requires SCA.

Mail and telephone orders: As MoTo transactions are triggered by agents on behalf of the cardholder, it is not a customer-initiated transaction and therefore out of scope too.

Anonymous prepaid cards: SCA is not required for anonymous prepaid transactions.

SCA exemptions

PSD2 has defined exemptions that allow transactions to be fully authenticated without the need of SCA. International card schemes defer between issuer and acquirer exemptions: With an issuer exemption, the liability is with the issuer, with an acquirer exemption it is with the merchant.

An issuer can apply an issuer exemption during 3D Secure. If such an exemption is applied, SCA will not be required and the transaction will be completed without the usual SCA authentication step. This is also known as a frictionless flow. With an acquirer exemption, Datatrans asks the issuer for an exemption on behalf of the merchant. If the issuer accepts the acquirer exemption, the authentication will also be frictionless. If the issuer does not accept the acquirer exemption, the customer will have to proceed with SCA to confirm the transaction.

By default, we support two types of exemptions: Low-value and transaction risk analysis (TRA) exemptions. A low-value exemption may be applied for transactions up to 30 EUR. The issuer has to request SCA after any 5 low-value transactions have been made or the total amount for the last low-value transactions exceeds 100 EUR. These thresholds are per card. There's no option for you as a merchant to know if you are to expect SCA or not. Only the issuer knows when their threshold is met.

For TRA exemptions, several threshold amounts exist which are assigned from the acquirer to the merchant in case a TRA exemption is granted. If the currency of the transaction is not EUR, Datatrans will do a currency conversion to check the correct transaction amount in EUR.

You can configure low-value and TRA exemptions in your merchant dashboard for any of our supported card acquirers. Please note that you are obliged to get the acquirer's approval before using SCA exemptions.

Soft declines & SCA exemptions

A soft decline related to PSD2 occurs when a transaction has been declined by the cardholder's issuing bank and requires additional SCA by the customer to validate the payment. This may happen when a transaction is categorized as too risky by the issuing bank to be accepted without enforcing SCA or an acquirer exemption requested by the merchant was declined by the issuing bank. Thus, the transaction requires a successful 3D authentication to authorize the transaction. In case of a soft decline, the cardholder will automatically be redirected by Datatrans to finalize the 3D Secure process.

While this is not an issue for most merchants as we handle soft declines automatically, if you have SCA exemptions activated, you may experience soft declines at a higher rate. If you are using our Mobile SDK or Secure Fields integrations or Split authorizations (deprecated, aka split mode), there will be currently no option to handle automatic redirects to 3D Secure in case of soft declines. Merchants that are using one of these integrations are requested to not use SCA exemptions to avoid higher error rates with card payments. Datatrans will release an update for the Mobile SDKs and Secure Fields to enable better soft decline handling. We encourage merchants using split authorizations however to switch to deferred settlements in the future, as split authorizations are deprecated.