PSD2: EU mandatory strong authentication by the end of 2020: be ready!


Initially scheduled for the 14th of September 2019, then postponed to March 2020, the PSD2 is making a strong comeback. Everyone involved in the payment industry has been working hard to implement this new directive and in particular the development of the 3D Secure version 2.0 authentication protocol. This procedure must be operational on all ecommerce sites before January 1st 2021. A deadline for all the countries of the European Economic Area.

PSD2: going beyond the acronym, what are we talking about? And above all, what are the impacts for you e-merchants? 

What is PSD2?

In plain terms: The Payment Services Directive 2. The objective of this European directive is to "foster innovation, competition and market efficiency" and more specifically to "modernize payment services in Europe for the benefit of both consumers and businesses" according to the EU Commission. The PSD2 aims to guarantee fair and open access to payment markets and to strengthen consumer protection.

In practical terms, it supports efforts to open up banks' information systems to new operators (open banking) and, what's more, it strengthens online payment security to combat fraud and cyber-crime (identity theft).

The PSD2 applies to all online payment services, regardless of whether they are card payments or not - in the Single Euro Payments Area (SEPA) - provided by a bank, a fintech or an e-merchant. It now requires a <b>strong authentication</b> system to be set up.

What is strong authentication?

Authentication is a procedure that is required to enable online payments or so-called sensitive operations (payments, transfers, etc.) to be approved. The stronger the authentication, the greater the security. 

The PSD2 now imposes an SCA (Strong Consumer Authentication) process, i.e. customer identification involving at least two independent factors, such as: 

  • An element known only to the consumer (e.g. a password) ; 
  • An object owned by the consumer (mobile phone, bank card, etc.); 
  • An element that identifies the consumer (such as a fingerprint, voice or facial recognition), enabling secure authorisation.

This new version of the 3-D Secure 2.0 protocol must be implemented by the consumer's bank and is no longer the responsibility of the e-merchant.

What are my obligations as a retailer?

If the protocol depends on the payment providers and more particularly the banks, as an online retailer it is up to you: 

  • check the contractual conditions of your VAD contract;
  • make sure that your payment module is adapted to the new guidelines and has been thoroughly tested;
  • if necessary, carry out IT adaptations to provide the information required by these new infrastructures.

And beware of the timing! These steps must be implemented before the end of 2020.   In view of the high level of commercial activity at the end of the year with private sales, Black Friday and the Christmas holidays, we strongly recommended that you make the necessary changes during the autumn, during October at the latest.

Is there a turnkey solution compliant with PSD2?

Many service providers have already made the required changes and updated their modules. Find our selection on the Addons Market Place.

You can also opt for PrestaShop Checkout, a solution that PrestaShop has been offering for more than a year now in partnership with PayPal. A single module to manage all types of payments (credit cards, local solutions, etc.), easily and securely, from your own interface. This module can be set up in a couple of minutes and allows you to make 100% secure transactions that comply with European standards & 3D Secure 2.

The e-commerce financial dictionary: 

Open Banking

This refers to opening up the banking system under the Payment Services Directive, PSD2, which has been mandatory since 2018. The term refers to greater financial transparency by banks in relation to commercial transactions, with the prior consent of customers. This has enabled applications and services to be developed around financial institutions in order to manage one's budget, combine several bank accounts in a single interface or manage money transfers, among other things.


The term describes innovative, rather new companies using digital technology, mobile technology, artificial intelligence, etc., to provide financial services more efficiently and at a lower cost.

PSD 2 

This is the 2nd Payment Services Directive (succeeding the first version introduced in 2007). The PSD2 is designed to standardise payment regulations within the European Union (EU) while also taking technological developments into account. 

The main measures concern the prohibition of overcharging for payments by debit or credit cards, the opening of the payments market to service companies (open banking), the introduction of strict security requirements for electronic payments and the protection of consumers' financial data. 

VAD Contract 

This is the contract between a merchant and his bank to be able to use a virtual electronic payment terminal (virtual Eftpos terminal), i.e. a payment gateway for processing online transactions, checking the validity of the means of payment, etc. The contract is concluded between the merchant and his bank. This contract is a mandatory step in order to offer payment by bank card on a merchant's website.

Every 2 weeks, get the best ecommerce tips and latest trends in your inbox.

By submitting this form, I agree to the data entered being used by PrestaShop S.A for sending newsletters and promotional offers. You can unsubscribe at any time by using the link in the emails sent to you. Learn more about managing your data and rights.