PSD2 and strong customer authentication: is your platform in order?

26 April 2019

Business Insight

Over the last few years, strong authentication has been gradually introduced on e-commerce sites and marketplaces, in stages defined by transaction amount. From now on, every online transaction over 30 euros must go through two-factor authentication under the second Payment Services Directive (PSD2). The aim is to reduce online payment fraud and make banking more secure for consumers. What is strong authentication, and how do you comply? Here are some explanations.


How PSD2 sets new standards for strong customer authentication

Strong customer authentication (SCA) is one of a range of measures in the second European Payment Services Directive (PSD2). The directive entered into force in January 2018, but SCA was only fully deployed in 2021. It covers two main objectives:

  • Ensure efficient and secure communication between the players involved in account information services, payment initiation, and confirmation of funds availability.
  • Secure transactions with two-factor authentication, whereas until now a one-time code received by SMS was enough on its own to authenticate a card payment (3-D Secure protocol).


The deployment schedule was spread out because European directives such as PSD2 must be transposed into each Member State's national law. Regulations, on the other hand, apply directly in national law; those adopted under PSD2 harmonise the standards the directive requires.

The Regulatory Technical Standards (RTS) were prepared by the European Banking Authority (EBA) and adopted by the European Commission to define in concrete terms – and thus harmonise – the strong customer authentication process to be implemented by the Member States.

Well aware of the scale and complexity of such compliance, the Banque de France decided in 2019 to grant an additional three years so that every actor affected by strong authentication could have a secure solution in place by 2022.


Strong authentication: what is it?

The Regulatory Technical Standards define strong customer authentication as a combination of at least two of the following independent factors:

  • Knowledge factor: something your customer knows. A password, a secret question, a secret code, an authentication number…
  • Possession factor: something your customer has. A mobile phone, a connected device, a smart card…
  • Inherence factor: something your customer is. Fingerprint, facial recognition, voice recognition…

In practice, to validate a banking transaction the customer might unlock their bank's app with facial recognition (inherence) and then enter a one-time code received by SMS, which proves that they hold their phone (possession). Two independent factors are much harder to compromise than one: a stolen password alone is no longer enough. The RTS also require that the factors be independent, so that compromising one does not compromise the other, and that for remote payments the authentication code be dynamically linked to the amount and the payee of the transaction.

Initially required only for payments above 2,000 euros, strong authentication has gradually become mandatory for smaller amounts. In France, it has been mandatory for payments above 100 euros since 15 April 2021, and from 15 May 2021 it is required for payments above 30 euros.


When should strong customer authentication be implemented?

It is not up to the marketplace operator to decide when strong authentication applies, but to the card issuer, i.e. the payer's bank. Under PSD2, Member States must ensure that a payment service provider (PSP) applies strong customer authentication when the payer:

  • accesses their payment account online
  • initiates an electronic payment transaction
  • carries out any action through a remote channel which may imply a risk of payment fraud or other abuse

Strong authentication: what exemptions?

To lighten this burden, the RTS also define nine exemptions. Only the PSPs of the payer and the payee may invoke them, depending on the nature of the online payment. The aim of these derogations is to strike the right balance between stronger security for online payments and the ease of use and accessibility that e-commerce needs.

These exceptions to the principle of strong customer authentication were defined based on the level of risk, the amount, the recurring nature, and the means used to execute the payment transaction.

Among the exemptions, three directly concern online payments. Strong authentication is thus optional for:

  • Recurring transactions with the same amount and the same payee, typically subscriptions (strong authentication still applies when the series is set up)
  • Transactions of 30 euros or less, provided the cumulative amount of transactions since the last strong authentication does not exceed 100 euros, or their number does not exceed five
  • Transactions between 30 and 500 euros, provided the fraud rate of the acquiring or issuing PSP performing the transaction risk analysis is below the reference rate for that amount band

For this last point, the maximum amount that can be exempted depends on the reference fraud rate reported by the PSP. The fraud rate caps below which strong authentication may be waived, for each amount band, are:

  • Up to 100 euros
    • 0.13%: online payment by card
    • 0.015%: remote credit transfers
  • Up to 250 euros
    • 0.06%: online payment by card
    • 0.01%: remote credit transfers
  • Up to 500 euros
    • 0.01%: online payment by card
    • 0.005%: remote credit transfers

The current average fraud rate is around 0.16% for French operations and around 0.3% for cross-border operations.

Good to know: The choice of whether to grant an exemption is ultimately up to the bank issuing the card.
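To make the exemption rules above concrete, here is an added example (not Lemonway's code and not the RTS text) of how a PSP risk engine might decide whether it can request the low-value exemption or the transaction risk analysis (TRA) exemption for a remote payment, using the 30/100/5 low-value limits and the reference fraud rates listed above. The class and function names, the per-payer counter layout and the sequence of sample payments are assumptions made for this example; the output is only what the PSP may request, since the issuer has the last word.

```python
"""Added example: minimal SCA exemption decision for a PSP risk engine.
Covers the low-value exemption (RTS Article 16) and transaction risk
analysis (RTS Article 18). Names, counter layout and sample data are
assumptions for this illustration, not Lemonway code."""
from dataclasses import dataclass
from decimal import Decimal
from enum import Enum


class Channel(Enum):
    REMOTE_CARD = "remote_card"          # online card payment
    REMOTE_TRANSFER = "remote_transfer"  # remote credit transfer


# Reference fraud rates from the RTS annex, in percent, keyed by the
# highest amount (EUR) the TRA exemption may cover at that rate.
TRA_REFERENCE_RATES = {
    Decimal("100"): {Channel.REMOTE_CARD: Decimal("0.13"),
                     Channel.REMOTE_TRANSFER: Decimal("0.015")},
    Decimal("250"): {Channel.REMOTE_CARD: Decimal("0.06"),
                     Channel.REMOTE_TRANSFER: Decimal("0.01")},
    Decimal("500"): {Channel.REMOTE_CARD: Decimal("0.01"),
                     Channel.REMOTE_TRANSFER: Decimal("0.005")},
}

LOW_VALUE_MAX = Decimal("30")              # single transaction cap
LOW_VALUE_CUMULATIVE_MAX = Decimal("100")  # cumulative cap since last SCA
LOW_VALUE_COUNT_MAX = 5                    # count cap since last SCA


@dataclass
class PayerState:
    """Counters the PSP keeps per payment instrument since the last SCA
    (assumed layout for this example)."""
    cumulative_since_sca: Decimal = Decimal("0")
    count_since_sca: int = 0

    def reset(self) -> None:
        self.cumulative_since_sca = Decimal("0")
        self.count_since_sca = 0


def tra_limit(channel: Channel, psp_fraud_rate: Decimal) -> Decimal:
    """Highest amount the PSP may exempt under TRA given its own fraud
    rate in percent. A rate above the first band's cap returns 0, i.e.
    no TRA exemption at all."""
    limit = Decimal("0")
    for amount, rates in sorted(TRA_REFERENCE_RATES.items()):
        if psp_fraud_rate <= rates[channel]:
            limit = amount  # bands nest: a lower rate unlocks higher amounts
    return limit


def low_value_exempt(amount: Decimal, state: PayerState,
                     rule: str = "cumulative") -> bool:
    """Article 16: amount <= 30 EUR and, depending on which counter the
    PSP applies, previous transactions since the last SCA total <= 100 EUR
    or number at most five."""
    if amount > LOW_VALUE_MAX:
        return False
    if rule == "count":
        return state.count_since_sca <= LOW_VALUE_COUNT_MAX
    return state.cumulative_since_sca <= LOW_VALUE_CUMULATIVE_MAX


def decide(amount: Decimal, channel: Channel, psp_fraud_rate: Decimal,
           state: PayerState, rule: str = "cumulative") -> str:
    """Return the exemption the PSP may request, or 'SCA_REQUIRED'.
    The issuer may still refuse the exemption and challenge the payer."""
    if low_value_exempt(amount, state, rule):
        outcome = "LOW_VALUE"
    elif amount <= tra_limit(channel, psp_fraud_rate):
        outcome = "TRA"
    else:
        outcome = "SCA_REQUIRED"
    if outcome == "SCA_REQUIRED":
        state.reset()  # assumes the SCA challenge then succeeds
    else:
        state.cumulative_since_sca += amount
        state.count_since_sca += 1
    return outcome


def demo() -> list:
    """Constructed sequence of card payments by one payer at a PSP whose
    card fraud rate is 0.05%, so TRA is available up to 250 EUR."""
    state = PayerState()
    amounts = ["20", "25", "200", "15", "400", "10"]
    return [decide(Decimal(a), Channel.REMOTE_CARD, Decimal("0.05"), state)
            for a in amounts]


if __name__ == "__main__":
    print(demo())
```

The fourth payment (15 euros) shows why the counters matter: it is under 30 euros, but the cumulative amount since the last strong authentication has passed 100 euros, so the low-value exemption is gone and only TRA remains. The 400 euro payment exceeds the 250 euro band the PSP's fraud rate unlocks, so strong authentication is required and the counters reset.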


What about Lemonway?

If there is one area where Lemonway does not compromise, it is payment security. We therefore welcomed these regulatory standards as positive news that will raise the level of security and confidence of end customers. Because of our position in the payment chain, we are not directly involved in choosing and defining the authentication criteria. However, our experts are at your disposal for any information request!
