3D Secure and PSD2

Learn more about 3D Secure authentication and PSD2 regulatory requirements.

What is 3D Secure?

3D Secure (3DS) is an authentication protocol for card-not-present (online) payments. Before the transaction is authorised, it lets the card issuer verify that the person paying is the rightful cardholder, which is how Strong Customer Authentication (SCA) is delivered for card payments. A successfully authenticated transaction is harder to dispute as fraud and normally carries a liability shift from the merchant to the issuer.

The current version of the protocol is EMV 3-D Secure (3DS 2; this page refers to version 2.2), branded Visa Secure by Visa and Mastercard Identity Check by Mastercard. It supports the SCA requirements of PSD2 and is designed to keep checkout smooth: the issuer receives device and transaction data with each authentication request and, where its risk assessment allows, authenticates frictionlessly without challenging the cardholder.

As a merchant, you're responsible for proper 3DS 2 handling in accordance with PSD2.

PSD2 compliance & Strong Customer Authentication

The second Payment Services Directive (PSD2) is European legislation that fundamentally changed how online payments work. Its Strong Customer Authentication (SCA) requirements, set out in the Regulatory Technical Standards, apply from 14 September 2019 and cover most electronic payments within the European Economic Area (EEA).

What is Strong Customer Authentication (SCA)?

SCA requires customer authentication using two or more of these independent factors:

  • Knowledge: Something the customer knows. For example, a password or PIN.
  • Possession: Something the customer has. For example, a phone or card.
  • Inherence: Something the customer is. For example, a fingerprint.

PSD2 requirements for merchants

Mandatory SCA applies to:

  • Customer-initiated payments within the EEA.
  • Card payments over €30 (with some cumulative limits).
  • First payments in recurring series.
  • Payments to new beneficiaries.

Exemptions may apply for:

  • Low-value transactions (under €30 with limits).
  • Low-risk transactions (based on fraud rates).
  • Payments to trusted beneficiaries.
  • Secure corporate payments.
  • Recurring payments (after initial SCA).

For more information about exemptions, see Exemptions.

PSD2 penalties for non-compliance

For customers, banks may decline transactions that don't meet SCA requirements.

For merchants, potential consequences include:

  • Higher transaction decline rates.
  • Loss of liability shift protection.
  • Reduced customer conversion.
  • Scrutiny from your acquirer and the card schemes, which enforce SCA on behalf of the regulators.

Geographic scope and applicability

PSD2 SCA applies in full when both the card issuer (the payer's payment service provider) and the merchant's acquirer (the payee's payment service provider) are located in the EEA (European Economic Area). When only one side is in the EEA (a "one-leg" transaction), the EEA party is expected to apply SCA on a best-efforts basis, but the requirement cannot be enforced on the non-EEA side.

SCA does not apply, or can be skipped, when:

  • Both the issuer and the acquirer are outside the EEA.
  • The card is a corporate card used through a dedicated corporate payment process that qualifies for the secure corporate payments exemption (see Exemptions).
  • The payment is anonymous. For example, made with a prepaid card without identification.

EBA guidelines compliance

The European Banking Authority (EBA) drafted the technical standards, adopted by the European Commission as a delegated regulation, that 3DS implementations must follow:

  • RTS on SCA & CSC: Regulatory Technical Standards on Strong Customer Authentication and Common Secure Communication.
  • Dynamic linking: The authentication code is specific to the amount and payee the cardholder was shown; any change to either invalidates the code, so a code cannot be reused for a different transaction.
  • Independence: Authentication factors are independent, so that the compromise of one factor does not compromise the reliability of the others.
  • Challenge-response: Secure challenge-response mechanisms for customer verification.
  • Transaction monitoring: Real-time fraud monitoring, which also produces the fraud-rate figures needed to use the Transaction Risk Analysis exemption.
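As an added illustration (not PXP's code and not the 3DS or ACS protocol itself), the following Python models what dynamic linking has to guarantee: the authentication code is an HMAC over the exact amount, currency and payee the cardholder was shown plus a per-challenge nonce, so a code obtained for one transaction cannot be replayed for a different amount, payee or challenge. The device key, the field encoding and the function names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from decimal import Decimal


def canonical_transaction(amount, currency: str, payee: str, nonce: bytes) -> bytes:
    """Unambiguous encoding of the details the authentication code is bound to.

    Each field is length-prefixed so that shifting characters between fields
    (e.g. "12|34" versus "1|234") can never produce the same byte string.
    """
    amount_text = f"{Decimal(amount):.2f}"  # fixed scale: 49.9 and 49.90 encode identically
    fields = [amount_text.encode(), currency.encode(), payee.encode(), nonce]
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def generate_authentication_code(device_key: bytes, amount, currency: str,
                                 payee: str, nonce: bytes) -> bytes:
    """Authenticator side: MAC the transaction details with the device key.

    device_key is a hypothetical secret shared between the issuer's access
    control server and the cardholder's registered authenticator (assumption).
    """
    message = canonical_transaction(amount, currency, payee, nonce)
    return hmac.new(device_key, message, hashlib.sha256).digest()


def verify_authentication_code(device_key: bytes, code: bytes, amount, currency: str,
                               payee: str, nonce: bytes) -> bool:
    """Issuer side: recompute the code from the details it will authorise.

    Because the details come from the issuer's own record of the transaction,
    a code produced for any other amount, payee or nonce will not match.
    """
    expected = generate_authentication_code(device_key, amount, currency, payee, nonce)
    return hmac.compare_digest(expected, code)  # constant-time comparison


def demo():
    """Run one authentication and two attacks: amount tampering and replay."""
    device_key = secrets.token_bytes(32)
    nonce = secrets.token_bytes(16)  # issued by the ACS for this challenge only
    code = generate_authentication_code(device_key, "49.99", "EUR", "merchant-123", nonce)

    genuine = verify_authentication_code(device_key, code, "49.99", "EUR", "merchant-123", nonce)
    # Attacker alters the amount after the cardholder approved 49.99
    tampered = verify_authentication_code(device_key, code, "499.99", "EUR", "merchant-123", nonce)
    # Attacker replays the approved code against a fresh challenge
    replayed = verify_authentication_code(device_key, code, "49.99", "EUR", "merchant-123",
                                          secrets.token_bytes(16))
    return genuine, tampered, replayed


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The point for a merchant integration is that the amount and payee sent in the authentication request must be exactly what is later authorised; a merchant that authenticates one amount and authorises another will see the issuer reject the authorisation or treat it as unauthenticated.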

Regulatory reporting and audit

Audit trail requirements

  • Authentication attempts: Success/failure rates for regulatory monitoring.
  • Exemption usage: Track exemption application and approval rates.
  • Geographic data: Issuer and merchant location for scope determination.
  • Transaction details: Amount, currency, and risk assessment data.

Regional variations

Different EEA countries may have:

  • Varying enforcement approaches.
  • Different grace periods for implementation.
  • Specific interpretation of exemption rules.
  • Additional national requirements.

Exemptions

SCA (Strong Customer Authentication) exemptions are special cases where a transaction can be processed without requiring the full two-factor authentication process. These exemptions are designed to balance security with user convenience, particularly for low-risk transactions.

You need to check for allowed exemptions with PXP before you integrate. This is a required step in order to be able to apply exemptions in your authentication/authorisation requests.

The most common SCA exemptions include:

  • Low-value transactions.
  • Recurring payments for the same amount and merchant.
  • Transactions involving trusted beneficiaries that a customer has previously authenticated.
  • Secure corporate payments.

We evaluate exemptions for both Visa and Mastercard.

While these exemptions exist, the final decision to apply them rests with the card issuer. The issuer may still require full authentication if it deems that necessary for security reasons, so your integration must be able to handle a challenge (or a soft decline asking for SCA) even when an exemption was requested.

Exemption types

Low-value payments (LVP)

Low-value transactions are remote payments of €30 or less that may be exempt from SCA. To prevent abuse, the issuer keeps cumulative counters per card since the last SCA:

  • Per transaction limit: Up to €30.
  • Cumulative limit: €100 of exempt payments since the last SCA, or 5 consecutive exempt payments since the last SCA.
  • Reset condition: Any successful SCA resets both counters.

Transaction risk analysis (TRA)

Transaction risk analysis allows exemptions based on real-time fraud monitoring and low fraud rates. The fraud rate is the acquirer's (or issuer's) reference fraud rate for remote card payments, calculated over a rolling quarter, not an individual merchant's rate. The amount that can be exempted depends on that rate:

  • Up to €100: Requires a fraud rate at or below 0.13%.
  • Up to €250: Requires a fraud rate at or below 0.06%.
  • Up to €500: Requires a fraud rate at or below 0.01%.
  • Requirements: Continuous transaction monitoring and risk assessment systems; if the fraud rate exceeds the reference rate for two consecutive quarters the exemption can no longer be used.
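To make the low-value and TRA rules above concrete, here is an added Python example (not PXP's code and not how any issuer or acquirer actually implements it) of a pre-check a merchant could run before choosing which exemption flag to request. The limits are those from the RTS; the LVP counters are the issuer's, so a merchant-side copy can only approximate them. The reading of the cumulative rule (both limits binding and the current payment counted against them) and all function names are assumptions made for the example.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

# Limits from the RTS on SCA & CSC. Assumption for this example: treat both
# cumulative limits as binding and count the current payment against them.
LVP_MAX_AMOUNT = Decimal("30")          # per-transaction ceiling
LVP_CUMULATIVE_AMOUNT = Decimal("100")  # exempt spend since the last SCA
LVP_MAX_COUNT = 5                       # consecutive exempt payments since the last SCA

# TRA: (reference fraud rate in percent, maximum exemptible amount in EUR)
TRA_THRESHOLDS = (
    (Decimal("0.13"), Decimal("100")),
    (Decimal("0.06"), Decimal("250")),
    (Decimal("0.01"), Decimal("500")),
)


@dataclass
class LvpState:
    """Per-card counters since the last successful SCA (kept by the issuer)."""
    cumulative_amount: Decimal = Decimal("0")
    consecutive_count: int = 0


def lvp_exemption_allowed(state: LvpState, amount) -> bool:
    """Would this payment still fit under the low-value exemption?"""
    amount = Decimal(amount)
    if amount <= 0 or amount > LVP_MAX_AMOUNT:
        return False
    if state.cumulative_amount + amount > LVP_CUMULATIVE_AMOUNT:
        return False  # would push exempt spend past EUR 100
    if state.consecutive_count + 1 > LVP_MAX_COUNT:
        return False  # would be the sixth consecutive exempt payment
    return True


def record_transaction(state: LvpState, amount, sca_applied: bool) -> LvpState:
    """Advance the counters: any SCA resets them, an exempt payment accrues."""
    if sca_applied:
        return LvpState()
    return LvpState(state.cumulative_amount + Decimal(amount), state.consecutive_count + 1)


def tra_max_amount(fraud_rate_pct) -> Optional[Decimal]:
    """Highest TRA ceiling the reference fraud rate qualifies for, or None."""
    rate = Decimal(fraud_rate_pct)
    ceiling = None
    for reference_rate, max_amount in TRA_THRESHOLDS:  # ordered by rising ceiling
        if rate <= reference_rate:
            ceiling = max_amount
    return ceiling


def tra_exemption_allowed(amount, fraud_rate_pct) -> bool:
    ceiling = tra_max_amount(fraud_rate_pct)
    return ceiling is not None and 0 < Decimal(amount) <= ceiling


def pick_exemption(state: LvpState, amount, fraud_rate_pct) -> Optional[str]:
    """Exemption a merchant could request; None means plan for a challenge."""
    if lvp_exemption_allowed(state, amount):
        return "low-value"
    if tra_exemption_allowed(amount, fraud_rate_pct):
        return "transaction-risk-analysis"
    return None


if __name__ == "__main__":
    state = LvpState()
    for _ in range(4):  # four exempt EUR 25 payments reach the EUR 100 cumulative cap
        state = record_transaction(state, "25", sca_applied=False)
    print(pick_exemption(state, "1", "0.50"))   # None: cumulative limit exhausted
    state = record_transaction(state, "1", sca_applied=True)
    print(pick_exemption(state, "25", "0.50"))  # low-value: SCA reset the counters
    print(pick_exemption(LvpState(), "80", "0.10"))  # transaction-risk-analysis
```

Whatever the pre-check says, the issuer's answer is authoritative: if the response is a challenge or a soft decline requesting SCA, the integration must fall back to a full 3DS challenge rather than retrying with another exemption flag.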

Trusted beneficiaries

Transactions with merchants previously marked as trusted by the cardholder:

  • Setup: The cardholder adds the merchant to a trusted-beneficiary list held by their issuer, which requires SCA at the time the merchant is added.
  • Scope: All future transactions with that specific merchant.
  • Management: Customers can add or remove trusted merchants via their bank's interface.

Secure corporate payments

Business-to-business transactions between corporate entities:

  • Application: Payments made through dedicated corporate payment processes or protocols that are only available to non-consumer payers (for example lodged or virtual corporate cards).
  • Requirements: The competent authority must be satisfied that the process achieves a level of security at least equivalent to SCA.
  • Verification: Enhanced due diligence and corporate identity verification.

Recurring payments

Subsequent payments in a series with the same amount and merchant:

  • Initial payment: The first transaction requires full SCA, and the merchant should store the credential for the series at that point.
  • Recurring payments: Subsequent transactions for the same amount to the same merchant can be exempt.
  • Modifications: Any change in the amount breaks the series and requires a new SCA before the changed amount is charged.

PSD2 requirements continue to evolve. Always consult with legal experts for specific compliance advice, especially for cross-border transactions or complex payment scenarios.

Ready to implement 3DS? See How it works to learn about PXP's implementation.