Table of Contents

A Guide To PSD2 & SCA and How It Will Affect Your Business

If you’re in charge of compliance or mitigating potential fraud in your organization, you need to be up-to-date with what’s been happening over in the European Union. And with good reason! The European Union’s recent Payment Services Directive (PSD2) is a groundbreaking development that is now steadily being enforced throughout Europe. Building off the original PSD directive from 2005, PSD2 has in fact, been around since 2016, but only truly came into effect for many European businesses at the end of 2020.

Here is a quick guide to help you wrap your head around what the new PSD2 and SCA requirements are and how it may impact your business this year and into the future by answering the following questions:

The timeline for the new PSD2 and SCA roll-outs

Although PSD2 officially came into force on 13 January 2018, many banks and financial institutions ran into difficulties implementing all the changes — particularly Strong Customer Authentication (SCA). In the end, the European Banking Authority decided to grant an extension, giving companies in the EEA up until 31 December, 2020 to roll-out their SCA. The Financial Conduct Authority (FCA) then gave an additional extension for UK companies, pushing their final enforcement date to 14 September, 2021.

Why PSD2 and SCA are being enforced and what the new regulations are

PSD2 and SCA - new regulations are being enforced

PSD2 is designed to whip the online payments industry into shape by setting core regulations in three areas — customer rights, third-party access, and security — and includes Strong Customer Authentication (SCA) as one of the core requirements of this directive. Despite this being only a requirement for banks and financial institutions operating in the European Economic Area (EEA), North American businesses will start to feel the impact of PSD2 and SCA throughout 2021 and beyond.

PSD2 was put into place by the European Union to better regulate the online operations of banks and financial institutions throughout Europe in order for customers to receive more transparent and more secure payment processing services. It covers three main areas of online financial transactions, namely:

  1. Stronger security measures — including using Strong Customer Authentication (SCA), outlined as two-factor or multi-factor authentication for specific types of transactions. The additional layers of security help ensure customers, who may easily forget their passwords or even use the same password for multiple accounts, avoid identity-related fraud and theft. This means many organizations are now adopting fully passwordless solutions, allowing their users the ability to check out securely and safely, without the hassle of remembering passwords.
  2. Third-party access to user data — designed to reduce banks’ exclusivity over their customers, by enabling third parties to (securely and with user permission) retrieve data from their banks to speed up the processing of certain transactions and reduce payment friction.
  3. Better rights for the customer — now, financial institutions are required to have greater transparency in key areas of their customer service such as their terms and conditions and enabling the quick resolution of incidents and complaints.

All of these are designed to make financial transactions carried out online more open and more easily scrutinized by regulating bodies. Read more on Security Regulatory Compliance.

How PSD2 and SCA can affect businesses outside the European Economic Area

Though there are many exceptions based on the type of payment, the payment amount (anything less than 30 Euros is normally exempt), and the frequency of the transaction (such as for subscription-based businesses), there are a couple of ways PSD2 and SCA may impact North American businesses moving forward. These can include:

Higher standards in payment security — these new regulations are not only designed to help prevent identity theft but to fight card-not-present (CNP) fraud which has been increasing over the past few years. As these new standards slowly become the norm for European customers, they may feel that something is amiss if trying to purchase from a business that does not have these additional layers of security.

European institutions enforcing SCA worldwide — even though the customer’s bank and card issuer both need to be operating in the EEA for SCA requirements to be mandatory, some European financial institutions may enforce SCA on merchants no matter where they are located. Meaning they could potentially decline payments for transactions where SCA is not involved.

International expansion — if your company is growing quickly (and congrats to you if it is), and you are considering opening a European-based entity or online store, then you will be required to adhere to PSD2 and SCA. Likewise, if you are US-founded and based, but have entities already established within the EEA, you will need to make sure you are fully PSD2 and SCA compliant as soon as possible.

How you can adapt to the new changes

Implementing a fully passwordless authentication solution

Implementing a fully passwordless authentication solution as part of your payment processing security measures will make sure your business is in line with the new PSD2 and SCA requirements. This will ensure your customers are getting the highest level of cybersecurity protection possible, wrapped up neatly in a smooth and totally seamless user experience. Adopting this technology will help businesses not only win customers’ patronage, but their trust, and will keep them and their customers far out of reach of security-related conflicts in the future.

Need to get your business PSD2 and SCA-compliant? Discover how with Transmit Security passwordless authentication today.


  • Alex Brown

    A self-professed technology geek, content writer Alex Brown is the kind of person who actually reads the manual that comes with his smartphone from cover to cover. His experience evangelizing for the latest and greatest tech solutions gives him an energized perspective on the latest trends in the authentication industry. Alex most recently led the content team at Boston-based tech company