PSD2 is the second Payment Services Directive, which applies to payment services in the EU and follows on from the original directive adopted in 2007. Its Strong Customer Authentication requirements take full effect on 14 September 2019 and tighten the rules around how payments and card data are handled.

What is PSD2?

The revised Payment Services Directive (PSD2), whose authentication rules come into force in September, sets new requirements for cardholder authentication and aims to achieve two main goals:

  • Increase the security of card payments: by requiring ‘Strong Customer Authentication’ (SCA) for ‘cardholder not present’ (CNP) transactions.
  • Increase the level of competition in the payment service sector: by levelling the playing field for payment service providers (including new players) to enhance competition.

What are the main changes in PSD2?

The most important changes for merchants in PSD2 are:

1. New surcharging

You will no longer be able to add a surcharge on B2C payments made with personal credit/debit cards, but it will still be permitted to add a surcharge on B2B payments made with a company credit/debit card.

2. Strong customer authentication

PSD2 enforces Strong Customer Authentication (SCA) for online payments by making two-factor authentication mandatory: the customer must prove two independent elements drawn from different categories. Two elements from the same category (a password and a PIN, for example) do not count. The categories are:

  • The “something known” factor – a PIN or a password. The card number, expiry date and CVV do not count here: they are printed on the card, so anyone holding the card details already has them.
  • The “something owned” factor – a one-time password delivered to, or generated by, the cardholder’s registered device, or an on-screen QR code scanned with that device.
  • The “something inherent” factor – a fingerprint, face or iris pattern that is linked to the cardholder’s registered device.

Online transactions carry a higher risk of fraud because, in ‘cardholder not present’ scenarios (card details typed in manually), the ‘authentication process’ (confirming the buyer is who they say they are) is weaker. Introducing SCA means customers are better protected against online theft and you are better protected against fraud and the chargebacks that follow it.

3D Secure Payments

3D Secure 1.0

3D Secure 1.0 was introduced by Visa over a decade ago to strengthen the authentication process in ‘cardholder not present’ scenarios.

3D Secure acts as an added layer of security when taking card payments online. It gives your customers a separate authentication step with their card issuer before the purchase completes, confirming that the person entering the card details is actually the cardholder, which helps protect against card payment fraud.

Each card scheme has its own brand name for 3D Secure, including:

  • Visa – Verified by Visa
  • Mastercard – Mastercard SecureCode
  • American Express – American Express SafeKey

When 3D Secure is enabled, customers are shown an authentication screen after they have entered their payment details. Here the customer answers a security question or enters a password registered with their card issuer to confirm that they are the cardholder.

3D Secure 1.0 has several weaknesses, including:

  • Merchants can enable or disable 3D Secure in their payment gateway configuration settings, so it is not applied consistently.
  • The authentication process redirects customers to a third-party site (the issuer’s authentication page) to verify their identity, so it is not served by the website where the customer is shopping.
  • Customers only have one authentication method, normally a static password – if they cannot remember it, they abandon the checkout.

3D Secure 2.0

3D Secure 2.0 has been introduced to improve on the 3D Secure 1.0 specification while providing Strong Customer Authentication (SCA). It passes more transaction data to the card issuer, so low-risk payments can be approved without interrupting the customer, and when a challenge is needed the issuer can use any two of the SCA factors already described:

  • The “something known” factor – a PIN or a password
  • The “something owned” factor – a one-time password or an on-screen QR code tied to the cardholder’s registered device
  • The “something inherent” factor – a fingerprint, face or iris pattern that is linked to the cardholder’s registered device
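The two-of-three rule described above, for SCA in general and for a 3D Secure 2.0 challenge, is easy to get wrong in a checkout: collecting more elements does not help unless they come from different categories, and card data counts for nothing. The following is an added example, not code from the original article or from any payment provider; the element names and the mapping from elements to categories are hypothetical, and the checkout scenarios are constructed for illustration.

```python
from enum import Enum


class Factor(Enum):
    """The three SCA categories: something the customer knows, has or is."""
    KNOWLEDGE = "something known"
    POSSESSION = "something owned"
    INHERENCE = "something inherent"


# Hypothetical mapping from the elements a checkout might collect to their
# SCA category. Card data (PAN, expiry, CVV) is printed on the card, so it is
# mapped to None: it proves nothing about the customer and does not count.
ELEMENT_FACTOR = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "otp_sms": Factor.POSSESSION,      # code delivered to the registered phone
    "otp_app": Factor.POSSESSION,      # code from the issuer's authenticator app
    "qr_scan": Factor.POSSESSION,      # QR code scanned with the registered device
    "fingerprint": Factor.INHERENCE,
    "face": Factor.INHERENCE,
    "iris": Factor.INHERENCE,
    "pan": None,
    "expiry": None,
    "cvv": None,
}


def sca_factors(elements):
    """Return the set of distinct SCA categories proven by `elements`.

    Unknown element names raise, so a typo cannot silently count as a factor.
    """
    factors = set()
    for element in elements:
        if element not in ELEMENT_FACTOR:
            raise ValueError(f"unknown authentication element: {element!r}")
        factor = ELEMENT_FACTOR[element]
        if factor is not None:
            factors.add(factor)
    return factors


def sca_satisfied(elements):
    """True when at least two independent categories are present."""
    return len(sca_factors(elements)) >= 2


def missing_factors(elements):
    """Categories the issuer could still challenge for to reach SCA."""
    return set(Factor) - sca_factors(elements)


if __name__ == "__main__":
    # Constructed checkout scenarios, not real transactions.
    scenarios = {
        "card data only (classic CNP)": ["pan", "expiry", "cvv"],
        "card data + password (3DS1 style)": ["pan", "expiry", "cvv", "password"],
        "password + PIN (two knowledge elements)": ["password", "pin"],
        "password + SMS one-time code": ["pan", "password", "otp_sms"],
        "fingerprint on registered phone + app code": ["fingerprint", "otp_app"],
    }
    for name, elements in scenarios.items():
        print(f"{name}: SCA={'yes' if sca_satisfied(elements) else 'no'} "
              f"factors={sorted(f.name for f in sca_factors(elements))}")
```

Note that the 3D Secure 1.0 flow of card details plus a static password only ever proves one category, which is why it does not meet SCA on its own, while a password combined with a code sent to the registered phone does.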

This has many benefits for both customers and merchants, including:

  • Increased security and trust
  • Quicker checkout process
  • Reduced cart abandonment
  • Lower fraud risks

What do you need to do?

It’s important that all merchants affected by the new directive understand the requirements of PSD2 and review their systems and integrations in good time.

Most payment providers have already started contacting customers who are likely to be affected to advise them of the changes required. As most 3D Secure transactions are handled by the payment provider, merchants who use a hosted payment gateway will be largely unaffected, whilst merchants using other solutions may need to update their extensions.

Magento has released recommendations to ensure that customer payments are not declined after PSD2 comes into force. They cover the following integrated payment gateways:

PayPal

Magento Commerce 2.X Recommendation: PayPal will handle all changes for the 3D Secure 2.0 payment flow, so continue using the built-in integration as normal.

Magento Commerce 1.X Recommendation: 3DS 1.0 is still supported; merchants will need to either replace PayPal with Braintree or upgrade to at least Magento 2.3.x if 3DS 2.0 is required.

Braintree

Magento Commerce 2.X Recommendation: Use the official Braintree extension, which will offer 3D Secure 2.0 before the PSD2 deadline, or the built-in Magento integration on version 2.3.3+ or 2.2.10+. Braintree supports 3D Secure verification out of the box and, starting with Magento 2.3.3, supports 3D Secure 2.0.

Magento Commerce 1.X Recommendation: For merchants still running versions of Magento 1, it’s advised to use the official extension.

Authorize.net

Magento Commerce 2.X Recommendation: Use the official Authorize.net extension or the Magento integration versions 2.3.3+ or 2.2.10+ with a 3D Secure provider such as CardinalCommerce.

Magento Commerce 1.X Recommendation: There are no extensions currently available for Magento 1.

CyberSource

Magento Commerce 2.X Recommendation: Use the official CyberSource extension for Magento 2.

Magento Commerce 1.X Recommendation: Use the official CyberSource extension for Magento 1.

eWay

Magento Commerce 2.X Recommendation: Use the official eWay extension for Magento 2.

Magento Commerce 1.X Recommendation: Use the official eWay extension for Magento 1.

Other payment solutions

If your payment gateway is not listed above, please contact them directly for their recommendations and guidelines on supporting PSD2.

Next steps

In order for your business to prepare for the PSD2 deadline, we recommend the following course of action:

  • Find out who your payment gateway provider is.
  • Consult your payment gateway provider, if they haven’t already contacted you, about the steps you need to take.
  • Work with your web developer to help you through the implementation process if you need to enrol in 3DS.

“If you’re unsure whether you’re already enrolled in 3DS, you can confirm the status by logging into your Control Panel, navigating to Merchant Accounts, and checking for the 3DS flags. Note that transactions for card networks that are not yet enabled for 3DS2 will first run on 3DS1 and then automatically begin running on 3DS2 as soon as enabled – with no additional integration work required.” – Braintree

If you need any further assistance, please contact your account manager by raising a support ticket or calling the office on 01785 279920.
