Strong Customer Authentication and 3D Secure v2 – important changes in ecommerce payments


Having developed quite a few ecommerce websites recently, we have to be on the ball when it comes to payment and security legislation and guidelines.

As such we’d like to help spread the news about changes in regulations being enforced in September 2019. This may seem a pain to ecommerce website owners but it’s important stuff, as it aims to better protect online shoppers and reduce online fraud.

Strong Customer Authentication (SCA) is a new regulation taking effect on 14 September, as part of the EU’s second Payment Services Directive (PSD2). It requires merchants accepting online payments within the European Economic Area to use two independent authentication methods to identify a customer.

These can be:

  • Knowledge – something your customer knows, eg a PIN or password
  • Possession – something your customer has, eg a one-time code text message
  • Inherence – something your customer is, eg fingerprint or face recognition

Apart from a few exemptions, every electronic payment must be authenticated by at least two of these three methods. This is known as multi-factor authentication (MFA) or two-factor authentication (2FA).

Initial research at our end indicates that your payment gateway will handle all of this. In fact, support is already there for some gateways and systems, as implementation began in April 2019. You may already have seen requests for additional identifying information when paying for goods online.

However, if you own an online shop or business taking electronic payments, we strongly recommend you check with PayPal, SagePay, Stripe or whoever you use to manage your online payments. They should be able to advise if you need to do anything at your end to comply. If you don’t, your customers may have payments refused, and no-one wants to lose sales!
