PSD2 and Strong Customer Authentication: what will change on 14 September 2019

26 April 2019

Business Insight

New European regulations on Strong Customer Authentication and shared norms for open and secure communications will go into effect on 14 September 2019, as part of the Payment Services Directive 2 (PSD2).


These new regulations have two main goals:

  • Ensure effective and secure communication among the different parties involved in the realms of account information, payment initiation and confirming fund availability;
  • Secure transactions with two-factor identification, where previously an SMS received by mobile phone would suffice to authenticate credit and debit card payments (3DS protocol).

How is PSD2 defining the new norms for strong client authentication?

Let us recall that directives such as PSD2 need to be separately transposed into each member country’s legislation. EU Regulations, on the other hand, constitute immediately applicable local law; their function is to harmonise the various norms established within the PSD2 framework. Indeed, the Regulatory Technical Standards (RTS) were prepared by the European Banking Authority (EBA) and adopted by the European Commission to describe in concrete terms—and thus standardise—the strong client authentication process that must be implemented by member States.

As the guarantors of secure payments, the RTS define strong client identification as combining at least two identification factors, among which:

In what cases is Strong Customer Authentication required?

Member States ensure that every Payment Services Provider (PSP) applies Strong Customer Authentication when the payer:

What are the exceptions?

To simplify the framework, the RTS set out nine ‘exemptions’. The PSPs of the payer and the beneficiary are solely entitled to apply these exemptions, according to the nature of the online payment at issue. The idea behind these exemptions is to achieve a fair balance between the need for stronger security in online payments and the need for such payments to be user-friendly and broadly accessible for the online retail sector.

These exemptions from Strong Customer Authentication were established based on the risk level, transaction amount, recurrence and payment method used for completing the transaction.

The exemptions include three that directly concern online payments:


Regarding the last of these exemptions, the cut-off transaction amount will depend on the rate of fraud reported by the PSP as follows:

Average fraud rates in France currently stand at around 0.16% for domestic transactions and 0.3% for cross-border transactions.


How does Lemonway fit in?

If one were to single out one domain where Lemonway makes no concessions, payment security would be it. That’s why we welcome these new regulatory standards as good news that reflect a trend toward increased security and—ultimately—greater peace of mind for end clients. Due to our positioning on the payments chain, we do not directly participate in choosing or defining authentication criteria. Nonetheless, our experts are always available to answer questions or requests for information!