Online Cardholder not Present payments in the European Economic Area (EEA) are changing

Ready or not, new industry standards are likely to be enforced next year – which require your business to enable two factor authentication


New requirements introduced by the second Payment Services Directive (PSD2) mean your customers will be asked for more information when they buy from you online, in an attempt to reduce fraud with new higher security standards for online payments. You may already be meeting these requirements, but if not you’ll need to add a method for meeting Strong Customer Authentication (SCA) to your checkout.


Strong Customer Authentication (SCA) is an extra layer of security, also known as two-factor authentication

It means customers may be asked for two different pieces of information from the following categories when making purchases online:

SCA must be used for all remote electronic transactions unless an exemption applies. For example, low-value payments (equal to/below €30 with further conditions applying), reoccurring transactions (of the same amount) and transactions with trusted beneficiaries (white listing).

When will Strong Customer Authentication be enforced?

Strong Customer Authentication was due to be mandated on and from 14th September 2019. However, the European Banking Authority (EBA) permitted a transition period due to concerns about the industry’s ability to be ready by this date.

The length of this transition period is yet to be formally confirmed.

Merchants should prepare to migrate to EMV 3DS (the evolution of 3-D Secure and the preferred SCA solution) as soon as possible in order to be fully compliant with the PSD2 SCA requirements.

*This information is correct as of 8 October 2019. Please note, dates for SCA enforcement are subject to change.