Online Cardholder not Present payments in the European Economic Area (EEA) are changing

Ready or not, new industry standards will be in force this year – which require your business to enable two-factor authentication


New requirements introduced by the second Payment Services Directive (PSD2) mean your customers will be asked for more information when they buy from you online, in an attempt to reduce fraud with new higher security standards for online payments. You may already be meeting these requirements, but if not you’ll need to add a method for meeting Strong Customer Authentication (SCA) to your checkout.


Strong Customer Authentication (SCA) is an extra layer of security, also known as two-factor authentication

It means customers may be asked for two different pieces of information from the following categories when making purchases online:

SCA must be used for all remote electronic transactions unless an exemption applies. Exemptions include, low-value payments (equal to/below €30 with further conditions applying), reoccurring transactions (of the same amount) and transactions with trusted beneficiaries (white listing).

See the SCA authentication flows for further information.

Read more

Find out how Mastercard is helping with these changes.

Learn more

When will Strong Customer Authentication be enforced?

SCA will be required across the majority of EEA countries from 31 December 2020.

Exceptions to this are the UK and France, whereby:

-    France may provide an extra 3 months grace period (i.e. until 31st March 2021) on a case-by-case basis.

-    The UK will maintain a longer transition period until 14th September 2021.

Merchants should prepare to migrate to EMV 3DS (the evolution of 3-D Secure and the preferred SCA solution) as soon as possible in order to be fully compliant with the PSD2 SCA requirements.

Register your interest in the Mastercard Payment Gateway Services solution


*This information is correct as of September 2020.