PSD2 – Are You Ready for the Next Stage?

One of the questions we have been asked a lot recently here at Travlaw is about the upcoming PSD2 changes, which are due in September 2019. In this article Kate discusses what this is all about, and why those questions are timely!

 PSD2: What is it, In a “Nutshell”

The Second Payment Services Directive (“PSD2”) is an EU Directive that has seen implementation stages. Perhaps most notably for the travel industry (although it affected every walk of life) was the changes to card surcharging earlier this year. Certainly it caused a lot of discussion and angst at the time, in some quarters, but was otherwise well dealt with by the industry. That however, was not the final gift PSD2 had to give!

What Is Happening Now?

As of 14th September 2019, the next stage will come into force (regardless of the impact of Brexit!) and applies to all online transactions where both the payment service provider and the payer’s bank are located within the European Economic Area (EEA), although arguable where only one is based in the EEA, PSD2 should still be complied with.

The main thrust of the new stage is to implement two-factor authentication for online payments above the value of €30: adding an extra step to payment verification requirements. This extra step will ensure that online payments are more secure; reduce the risk of payment fraud; and emphasize security and innovation. The two-factor authentication is also referred to as “Strong Customer Authentication” or “SCA”, for short. This is, we feel, terminology that everyone will soon be well familiar with!

What is SCA, and how will it work?

Businesses typically use one authentication method for card payments and bank transfers, allowing for instant payment and/or access to account details. SCA will end this one-step process.

Now, only when a payer has been verified using two of the following authentications will SCA be satisfied and a payment be authorised:

  1. knowledge (i.e. including passwords, card details, PINs, passphrases or secret answers); and/or
  2. items in possession of the payer (typically mobile phone Apps, smart cards or tokens); and/or
  3. inherence – perhaps better described as an “identifying characteristic”, so fingerprints, facial recognition, voice patterns, DNA and signature etc…

Will SCA apply to every transaction?

In short, “no”. The European Banking Authority has defined the exemptions to the SCA requirement in the following circumstances:

  • Payments below €30

Card transactions below €30 are considered ‘low value’ and are generally exempt from SCA. However, if the customer initiates more than five consecutive ‘low value’ payments or if the ‘low value’ payments exceed €100, SCA will be required.

  • Fixed-amount payments

When a customer makes a series of payments to the same merchant for the same amount (such as subscriptions and membership fees), the initial payment will require SCA but subsequent payments will be exempt from SCA.

Nevertheless, payments made periodically to the same payee where the value changes each time (e.g. a utility bill) will not benefit from the exemption.

  • Trusted beneficiary

Customers will have the option to ‘whitelist’ a merchant that they trust once the first SCA authentication is completed. The customer’s bank will maintain this ‘whitelist’ and subsequent transactions to a whitelisted merchant are likely to be exempt from future SCA.

However, issuers can still reject, challenge or request SCA to a ‘whitelist’ request if there is a high risk of fraud.

  • Phone sales

Card details collected over the phone do not fall within the scope of SCA. The customer’s bank will have the ultimate decision to accept or reject the transaction.

  • Corporate payments

When a transaction is initiated by a business rather than a consumer, and it is processed through a secured dedicated payment protocol, it does not require SCA provided that alternative controls are sufficiently secure. This should include ‘secure virtual payments’, such as virtual cards or B2B cards.

  • Low risk transaction

If a transaction through a real-time risk analysis is deemed to be low risk, SCA may not be required. However, complex conditions are imposed as merchants have to rely on a payment service provider (PSP) (e.g. an acquirer) to act upon their exemption request. The PSP must however, satisfy the additional prescribed conditions.


Worth noting that, like so many laws at EU and UK level in recent times, this is all about consumer protection. This newest element of PSD2 is deliberately designed to increase security measures for online transactions and assist with the development of payments. However, there is no getting away from the fact that the day-to-day impact of the SCA will be to:

  1. Increase IT costs to travel businesses as you adapt your systems to make sure all will run smoothly. We recommend that you check in with your merchant services providers on this, if you haven’t already;
  2. Increase the likelihood of declined payments generally, especially in the early days. Your systems and staff need to be ready to explain and be patient with those booking!

If you are interested to know more about PSD2 or the implementation of PSD2 within your business, feel free to contact or or any other member of our specialist commercial department by calling 0113 258 0033.

The Travlaw Team

NB – The Directive itself can be found at;

This article was originally published on: 17 July 2019

Latest news

Climate Change & Travel Claims: Part 2 – Droughts!

This is the second in a series of articles exploring how climate change is likely to impact the travel industry…

Find out more

Data Breach and Cookie Monster claims

This article on Cookie Policies is Part 2 of a series of articles on all things tech related.  Nick Goodchild…

Find out more

Package Travel Consultation Deep Dives #2: Potential Changes to the definition of ‘Other Tourist Services’

In this, the second article in our deeper dive into various aspects of the proposed amendments to the UK’s package…

Find out more