
PSD2, SCA, and 3DS2: Understanding The Basics Of European Regulations

Making sense of the complex payment regulations in Europe can be confusing. In this post we explain the basics of PSD2, SCA, and 3DS2.

Written by
Rachel Fine
Publication Date
June 30, 2025


Payment regulations in Europe are becoming increasingly complex as regulators hone their focus on digital technologies. For merchants and merchant aggregators, compliance with payment regulations is vital for avoiding costly fees, maintaining relationships with card networks, and ensuring security.

As digital payments have skyrocketed in popularity, European payment authorities are beginning to re-examine key regulatory requirements to reflect the risks of new technological advancements.

If you operate in European markets, keeping up with changes to payment regulations is crucial.

Old and New Regulations

The Payment Services Directive (PSD), first conceived as far back as 2005, received a major update in 2018, when it was repealed and replaced by PSD2. PSD2 brought new requirements for payment transactions and forced anyone doing e-commerce in Europe to make changes to their payment stack.

The card brands also come into play with regard to upcoming regulations. Visa, Mastercard and others have implemented mandates around 3D Secure 2 (3DS2), which is something you’ll need to know about as well.

There is certainly a lot of information out there and it can be complicated, so this piece aims to simplify it. We’ll break the current mandates down into a basic overview. If you would like to dig deeper into each topic, source links are provided. This article focuses on card-not-present payments, but the regulations can affect card-present transactions as well.

What are PSD2, SCA, & 3DS2?

The two main players in the European regulatory landscape are the European Banking Authority (EBA) and the PCI Security Standards Council (SSC). These authorities are responsible for regulating and enforcing key regulations like PSD2, SCA, and 3DS2.

The EBA is an independent EU authority responsible for the PSD2 regulation — which includes the SCA requirement — while the PCI SSC is the main authority that oversees the 3DS2 regulation.

Here is a quick breakdown of the basic goals and requirements of each of these regulations:

  • PSD2: The Payment Services Directive (PSD) is a set of regulatory rules focused on payments in the European region. Originally adopted in 2007, the first iteration of PSD aimed to better regulate payments in Europe. The second iteration of PSD, called PSD2, went into effect in 2016 with full compliance expected by 2018. Regulators designed PSD2 to create a more integrated and efficient payments market in Europe. PSD2 underwent legislative review in 2023. The third iteration of the PSD (PSD3), along with a new regulation called the Payment Services Regulation (PSR), are currently in development and are expected to have implementation deadlines in 2026. However, no official timeline is yet available.
  • SCA: Strong Customer Authentication (SCA) is a specific requirement of PSD2 that came into effect in 2019. SCA encompasses a strict set of requirements that must be applied when an electronic payment is initiated by a payer. The SCA process is designed to validate user identity for payers and determine whether the use of a payment instrument is properly authorized. With the upcoming changes to PSD2, we are likely to see adjustments to SCA requirements as well.
  • 3DS2: 3D Secure is a multi-factor authentication protocol that helps to confirm a payer’s identity during a transaction and acts as an additional layer of fraud prevention. This protocol is a major component of PCI compliance and was first used by Visa before becoming a broader standard for all major card networks. 3D Secure 2.0, or 3DS2 for short, was developed to provide a more frictionless and simplified authentication process. Early adoption of 3DS2 began in 2017, with most major card networks halting support for 3DS1 in 2022.

A Closer Look At The Regulations

With the European regulatory landscape for merchants and merchant aggregators becoming increasingly complex and dynamic it’s important to take a look at each regulation individually. Each shift is prompting significant changes in several key areas of compliance, with its own unique set of challenges. Breaking everything down allows a simpler path to a solution.

PSD2

To understand the Payments Services Directive and PSD2 you need to understand that its creation stems from initiatives of the European Union. Why? To establish a Single Euro Payments Area, or SEPA, and regulate how payment services should operate in Europe (not to be confused with SEPA Direct Debit).

Its purpose is to increase competition by ensuring participation by banks and non-banks alike. It also ensures consumer protection by controlling the obligations between users and providers.

PSD2 dictated rules that European providers had to follow from January 2017; however, it did not become law until December 31st, 2020. One of the biggest changes with this regulation was that banks now have to open up their systems and data to third parties.

This will bring about new use cases and applications to fulfill a part of the competitive goal. Some openness was already happening, but this set the requirement in stone. It also introduced new requirements for user identification in order to reduce fraud. This was done to protect consumers, and banks for that matter, in this new age of openness.

SCA: Strong Customer Authentication Under PSD2

The most important component or change for user identification coming with PSD2 is the requirement of Strong Customer Authentication. This requirement dictates that consumers must authenticate using additional parameters.

Gone are the days of only a username and password. A password is something the user knew, or in many cases could not remember. One-step authentication is becoming more and more insecure, as it only requires something “known”, which can be obtained or stolen with relative ease.

Now, customers will need to identify themselves with two of three categories. The categories are knowledge, possession, and inherence, often referred to as something you know, something you have, and something you are.

[Image omitted. Source: Our Preferred Partner Stripe]

Since this is a banking regulation, this obviously encompasses payments as well, since banks are effectively behind all of the payment transactions. Of course merchants are concerned about this because already transactions have a set success rate. What happens when additional requirements are placed on users to complete an online transaction? Most assume that success rates will fall.

3DS (3D Secure)

3-D Secure (3DS) has been in existence for some time now, utilized in Europe as well as a firm requirement in other countries like India and South Africa. It was implemented as a secure authentication method for online transactions.

Later, EMV 3-D Secure was developed by EMVCo, the same organization that developed smart chips for credit cards. EMVCo is overseen by its six member organizations: American Express, Discover, JCB, Mastercard, UnionPay, and Visa.

Each brand adopts the current 3-D Secure protocol into its services and has branded the service differently: Visa’s is Verified by Visa, Mastercard’s is Mastercard SecureCode, American Express’s is SafeKey, and so on.

The first generation of the service provided for authentication of the user by the issuing bank (consumers were often redirected to the bank’s website to enter a PIN). This caused a rise in cart abandonment and a decline in success rates, which limited adoption and merchant satisfaction.

3DS2 (3D Secure 2)

A new standard, 3D Secure 2, was created in 2015 by EMVCo and is now being promoted as a solution for SCA under PSD2. The main advantage is reduced friction in the user experience — to help solve for the aforementioned cart abandonment problem. The specification also calls for it to meet the standards needed for SCA in order for it to co-exist with the European requirements.

3DS2 requires merchants to send additional data with each transaction, so that the bank can determine whether the cardholder is the actual transactor. If the data matches what the bank requires, the transaction can continue on a “frictionless” flow and will not need user input. To qualify once SCA is in force, this also has to line up with the SCA exemptions and what is allowable under them.

If the data is not acceptable, and the transaction also did not meet an acceptable exemption, the bank responds with a “challenge” for user authentication. When a challenge is issued, 3DS2 improves on 3DS by removing the explicit redirect. The challenge can be presented in the customer application, or in the bank’s application on a mobile device if it is installed, providing a better user experience.

A Closer Look at the Impact of the PSD2 SCA Regulation 

The PSD2 SCA regulation has significantly transformed digital payments in Europe over the last decade. Compliant merchants have implemented the required changes at a surface level but how many understand the underlying objectives and mechanics of SCA? 

The primary goal of PSD2 SCA is to enhance payment security and consumer trust while also minimizing the impact on digital purchasing experiences. Striking that balance has proven a challenge for regulators in their quest to increase payment security across the EU without disrupting business. 

Multi-factor authentication is a requirement for most online transactions under SCA. Traditional payment flows rely on static credentials like passwords or stored card numbers. The PSD2 SCA regulation calls for a more layered approach to verifying each customer’s identity. It gives you the structure needed to drastically reduce fraud without derailing customer experiences.

PSD2 SCA has driven payment gateways, acquirers, and third-party providers to upgrade their authentication systems to support richer data exchange and new authentication flows, like 3DS2. This has simultaneously increased productivity and introduced friction where legacy systems are still in place.

Additionally, digital commerce has increasingly shifted into a mobile environment. Implementing SCA across different types of devices and platforms has added new layers of complexity to the process. Many merchants have discovered that what works in a browser doesn’t always translate to a seamless app experience. Resolving this friction requires a renewed focus on authentication design, especially around exemptions, customer recognition, and behavioral analytics.

The PSD2 SCA requirements are a moving target. European regulators continue to refine their stance on enforcement and exemptions. Treating compliance as a one-time technical project is no longer enough. Merchants must view PSD2 SCA as a living regulation that changes alongside fraud tactics and technological advancements.

Payment stakeholders must develop adaptable systems and work with partners who can handle continual compliance updates. 

What are the PSD2 SCA Requirements?

The concept of SCA is simple. All you need to do is verify a customer’s identity using multiple factors. 

Yet, implementing such capabilities can be far more intricate. 

As we covered, PSD2 SCA requires the user to provide information from two out of three categories: knowledge (something the user knows), possession (something the user has), and inherence (something the user is). An example that satisfies these PSD2 SCA requirements is a customer entering a password and a one-time passcode sent to the customer’s phone. 

A biometric like a fingerprint or facial scan could replace one of those factors. The regulation mandates that these factors be mutually independent and secure so that the risk that one compromised element can affect the overall authentication is minimized.

One of the biggest impacts of the SCA PSD2 framework is its influence on payment flows. Merchants that rely on recurring billing or offer subscription services must structure their flows to comply with exemptions or secure initial authorization that meets PSD2 SCA requirements. If done improperly, transactions may be declined or challenged.

Exemptions to SCA are also tightly governed and play a pivotal role in strategy. Common exemptions include low-value transactions, recurring payments after the initial authentication, and transactions to trusted beneficiaries. However, even when the merchant invokes an exemption, the issuing bank has the final say and can override the request. 

If you are using third-party service providers, such as payment platforms or tokenization services, you must ensure that your partners are up-to-date with PSD2 SCA requirements. A common pitfall that traps merchants occurs when these third parties do not support the latest authentication protocols or fail to pass the necessary data fields required for exemption qualification.

You should also consider fraud monitoring. SCA requirements allow for Transaction Risk Analysis (TRA) exemptions, but only for payment service providers that meet strict fraud rate thresholds. This has encouraged some acquirers to invest in advanced fraud detection tools to reduce false declines and improve authorization rates while staying compliant.

Knowing what qualifies as compliant behavior under PSD2 SCA is a strategic objective that requires coordination across product, compliance, engineering, and customer experience functions.

How are PSD2, SCA, & 3DS2 Changing?

The evolving PSD2 regulation is set to be centered around enabling instant payments across the EU.

Since their origins, PSD2 and 3DS2 have been deeply tied, as 3DS2 is often applied to develop solutions for the SCA requirement. As a result, any changes to the PSD2 regulation inherently impact 3DS2.

With this in mind, let’s look at the current PSD2 timeline and the progress regulators are making:

  • Initial Consultations (May 10th, 2022): In May 2022, the European Commission launched two official consultation-reviews of PSD2. These consultations involved both stakeholders and the general public, with the goal of gathering evidence for the application and impact of PSD2. The Commission launched these consultations as part of an ongoing effort to better enable and regulate open finance in the EU.
  • First Legislative Proposal (October 26th, 2022): In October 2022, the European Commission adopted the first legislative proposal for providing instant payment capabilities to all citizens and businesses with bank accounts in the EU. As part of the proposal, the Commission outlined the goal to make instant payments in the EU affordable, secure, and frictionless.
  • PSD2 Study (February 2nd, 2023): In February 2023, the European Commission carried out a study on the impact of PSD2, looking specifically at the regulation’s relevance, effectiveness, efficiency, coherence, and EU-added value. This study included recommendations for PSD2 revisions across the topics of consumer protection, open banking, and scope and exclusions.
  • Legislative Proposal Adoption (2023): The next step in the PSD2 regulatory process is for the European Commission to adopt an official legislative proposal that is either a revision of PSD2 or an entirely new iteration of the Payment Services Directive (popularly referred to in industry speculation as PSD3). This proposal adoption is expected sometime in 2023, at which point the Commission will provide specific information on new requirements and deadlines.

The changes to PSD2, SCA, and 3DS2 in 2023 are yet to be finalized but we can say with confidence that any changes are sure to deal with instant payments. In the PSD2 study discussed above, researchers and regulators highlighted several key findings that give us potential insights into new regulations, including:

  • More balanced payment service provider requirements for SCA, licensing, and transparency
  • Increased cost efficiency in open banking, API development, and SCA implementations
  • Greater standardization of regulatory implementation processes for EU Member States
  • Clarified expectations for interactions between PSD2 regulations and MiCA regulations
  • Improved collaboration between supervisory authorities

In terms of instant payments specifically, the 2023 PSD2 study and the earlier 2022 legislative proposal identify four key points of interest that are likely to shape the final regulatory changes:

  • Making instant payments universally available across the EU
  • Preventing payment service providers from charging additional costs or fees for instant payments
  • Increasing security measures to improve the detection of errors and fraud in instant payments
  • Boosting the efficiency of instant payment sanction screenings

All-in-all, the main takeaway is that changes to PSD2, SCA, and 3DS2 will be centered around enabling instant payments in a way that is financially inclusive, affordable, and secure.

Achieving PSD2 Compliance in 2025

PSD2 compliance will always reflect current times. 

Evolving technologies lead to new payment risks for businesses and regulators to tackle. Forward-thinking merchants and payment service providers must consider both the current PSD2 requirements and the potential changes and challenges that will arise once PSD3 is finalized. Improved integration of authentication flows is sure to be a hot-ticket item in future iterations of the regulation. 

We are also witnessing regulators lay down the law when it comes to instant payments. In January 2025, the Instant Payments Regulation was updated to require payment service providers in the Euro area to charge the same or a lower fee for instant payments as for regular transfers. These themes of fair pricing and cost management will undoubtedly show up in other legislative fields as well, such as during the development of PSD3 and PSR.

Success in 2025 and beyond will require more than just technology. Merchants will need to train teams, build workflows, and collaborate closely with their chosen partners. Establishing a comprehensive compliance roadmap that includes periodic assessments of SCA PSD2 requirements will ensure continued alignment as these regulations change. 

We expect to see a convergence of regulations in the coming years as well. There is a growing interest among regulators to align current standards with other frameworks such as MiCA (Markets in Crypto-Assets). Paying attention to the throughlines in each of these regulations can help you build a compliance strategy that meets each different requirement as efficiently and cost-effectively as possible.

Achieving PSD2 compliance in 2025 will be less about reacting to rules and more about strategically integrating compliance into the product development lifecycle. Those who succeed will be the ones who view PSD2 SCA as a long-term investment.

PSD2 Exemptions

Ah, but what about the exemptions you ask? What if I just exempt all my transactions? Not so fast. If all of them could be exempted then that really defeats the directive, so only a few types will be allowed. And even those have uncertainty as the different participants work with the EBA to determine exactly how they will be implemented.

Here are the exemptions that are allowed under PSD2 rules around SCA (subject to additional details around the directive’s exact requirements).

  • Article 12 - Unattended terminal for transport and parking
  • Article 13 - Trusted beneficiaries: This is generally where the consumer has already whitelisted the merchant to run transactions
  • Article 14 - Recurring transactions: Similar to 13, this is where the consumer has already given permission for the merchant to run subsequent recurring transactions
  • Article 15 - Credit transfers to self: Where the payer and the payee are the same person and both accounts are held at the same service provider
  • Article 16 - Low-value transactions: Where the amount of the remote electronic payment transaction does not exceed €30 and the cumulative amount of previous remote electronic payment transactions initiated since the last challenge does not exceed €100 or 5 consecutive individual remote electronic payment transactions.
  • Article 17 - Secure corporate payment processes and protocols
  • Article 18 - Transaction risk analysis: PSPs are allowed to notify authorities that they intend to use real time risk analysis to qualify certain transactions if they can show that the overall fraud rate is less than the required threshold. The thresholds are: 0.13% to exempt transactions below €100, 0.06% to exempt transactions below €250, and 0.01% to exempt transactions below €500.

Each exemption is separate, and only one needs to be requested even if multiple are eligible. As with any kind of exemption it is likely that some will carry more weight than others, but we believe this is something that will develop over time.

All that to say that even if a PSP or a merchant requests an exemption, the issuer might override that exemption and request SCA. Since the issuer has the most information, and a full view of the payer’s usage, it remains the authority in determining whether to require the payer to authenticate or not. Non-exemption can occur even for transactions where the consumer is not currently engaged in the flow, as is the case with recurring transactions. Merchants will need to be prepared for an “off-session” flow, whether by SMS or email, to pull customers back into the application to authenticate transactions that were not exempted.
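The following is an added example, not code from the original post or from Spreedly, that puts the decision logic described above into runnable form: the two-of-three factor rule from the “What are the PSD2 SCA Requirements?” section, the Article 16 low-value and Article 18 transaction-risk-analysis exemptions exactly as the list above quotes their limits, the issuer’s power to override an exemption, and the resulting “frictionless” versus “challenge” outcome from the 3DS2 section. All class and function names, the constructed sample transactions, and the choice to reset the Article 16 counters after a completed challenge are assumptions of this example; it encodes the page’s summary of the rules, not the regulatory text itself, and a real PSP would derive these counters per payment instrument from its own records.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Factor(Enum):
    """The three SCA categories named on the page."""
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


# Article 18 TRA bands as the page quotes them: (amount ceiling in EUR, max PSP fraud rate).
TRA_BANDS = ((100, 0.0013), (250, 0.0006), (500, 0.0001))

# Article 16 low-value limits as the page quotes them.
LOW_VALUE_MAX = 30
LOW_VALUE_CUMULATIVE_MAX = 100
LOW_VALUE_COUNT_MAX = 5


@dataclass
class Transaction:
    """Hypothetical transaction record; field names are this example's own."""
    amount_eur: float
    trusted_beneficiary: bool = False        # Article 13: payer has whitelisted the payee
    recurring_after_initial: bool = False    # Article 14: later instalment of an authenticated series
    prev_amount_since_sca: float = 0.0       # Article 16 counter, kept per payment instrument
    prev_count_since_sca: int = 0            # Article 16 counter, kept per payment instrument
    psp_fraud_rate: Optional[float] = None   # Article 18: PSP's reported fraud rate, as a fraction


def applicable_exemptions(tx: Transaction) -> list[str]:
    """Return the exemptions this transaction could be submitted under (constructed logic)."""
    found = []
    if tx.trusted_beneficiary:
        found.append("art13_trusted_beneficiary")
    if tx.recurring_after_initial:
        found.append("art14_recurring")
    # Article 16: amount at most 30 EUR, and either the cumulative amount or the
    # number of transactions since the last SCA is still within its limit.
    if tx.amount_eur <= LOW_VALUE_MAX and (
        tx.prev_amount_since_sca <= LOW_VALUE_CUMULATIVE_MAX
        or tx.prev_count_since_sca <= LOW_VALUE_COUNT_MAX
    ):
        found.append("art16_low_value")
    # Article 18: the PSP's fraud rate must be within the band that matches the amount;
    # amounts of 500 EUR or more never qualify.
    if tx.psp_fraud_rate is not None:
        for ceiling, max_rate in TRA_BANDS:
            if tx.amount_eur < ceiling:
                if tx.psp_fraud_rate <= max_rate:
                    found.append("art18_tra")
                break
    return found


def decide(tx: Transaction, issuer_overrides: bool = False) -> str:
    """Frictionless only when an exemption applies and the issuer accepts it.

    The issuer has the final say, so an override always forces a challenge."""
    if applicable_exemptions(tx) and not issuer_overrides:
        return "frictionless"
    return "challenge"


def satisfies_sca(presented: list[Factor]) -> bool:
    """Two-of-three rule: the presented factors must span at least two distinct
    categories. Two knowledge factors (password plus security question) do not count."""
    return len(set(presented)) >= 2


def update_counters(tx: Transaction, challenged: bool) -> tuple[float, int]:
    """Advance the Article 16 counters after the transaction completes: a successful
    SCA challenge resets them, an exempted transaction accumulates amount and count."""
    if challenged:
        return 0.0, 0
    return tx.prev_amount_since_sca + tx.amount_eur, tx.prev_count_since_sca + 1


if __name__ == "__main__":
    # Constructed sample: a small purchase on an instrument with modest recent activity.
    small = Transaction(amount_eur=20, prev_amount_since_sca=50, prev_count_since_sca=2)
    print(applicable_exemptions(small), decide(small))                 # ['art16_low_value'] frictionless
    print(decide(small, issuer_overrides=True))                         # challenge
    # Same instrument after the counters have run past both Article 16 limits.
    busy = Transaction(amount_eur=20, prev_amount_since_sca=110, prev_count_since_sca=6)
    print(applicable_exemptions(busy), decide(busy))                   # [] challenge
    # TRA: a PSP at 0.05% fraud may exempt a 200 EUR payment but not a 400 EUR one.
    print(applicable_exemptions(Transaction(amount_eur=200, psp_fraud_rate=0.0005)))
    print(applicable_exemptions(Transaction(amount_eur=400, psp_fraud_rate=0.0005)))
    # A challenge answered with password plus phone OTP satisfies two of three.
    print(satisfies_sca([Factor.KNOWLEDGE, Factor.POSSESSION]))          # True
    print(update_counters(small, challenged=False))                     # (70.0, 3)
```

The point a merchant engineer should take from the example is that claiming an exemption and being granted one are different steps: the merchant-side checks only decide what to request, while `issuer_overrides` models the issuer’s response, and the Article 16 counters only reset once a challenge has actually been completed.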

In the end all parties are invested in making sure the consumer is able to pay when they want to, and that fraud is reduced.

What Regulations Are Next?

Although the deadlines for the current iterations of PSD2 and 3DS2 have already come to pass, changes to these regulations are on the horizon. To stay ahead of regulatory changes, merchants and merchant aggregators need trustworthy compliance providers to optimize their payment systems.  

Spreedly offers the payment orchestration capabilities needed to not only stay in line with the latest compliance requirements but to also focus efforts on developing your core value.

With Spreedly, you can minimize your compliance burden thanks to our Level 1 PCI Compliance and built-in 3DS2 solution. Our team helps future-proof your payments strategy by supporting a diverse approach to compliance that considers both global and region-specific regulatory changes.

Make Spreedly your trusted partner to ensure success with PSD2, SCA, and 3DS2 compliance. Connect with our security team today to get started.
