It pays to be prepared for PSD2

We’re ready for Strong Customer Authentication and here to help you upgrade your online checkout.

What is PSD2?

The Second Payments Services Directive (PSD2)

A new European Union directive replacing the First Payment Services Directive, which regulates payment services in Europe. The new security requirements will impact online businesses accepting card payments. While they become compulsory in September 2019, payment service providers like card issuers will start implementing them from April 2019.

Strong Customer Authentication (SCA)

The PSD2 text introduces strict security requirements for the initiation of electronic payments in order to reduce the risk of fraud. These requirements include strong customer authentication, an authentication process that validates the identity of the user of a payment service or a payment transaction. It becomes compulsory on 14 September 2019. Most payments will need at least 2 forms of authentication – or form factors* – before the institutions (banks) that issue credit and debit cards will process them.

3-D Secure (3DS)

An authentication service offered by the card payment industry, which performs SCA.

*There are 3 types of form factors:


Knowledge: Something you know, such as a password.

Possession: Something you have, such as a one-time code generated by a security token, or access through a trusted device, such as an SMS or text message.

Inherence: Something that you are and that is unique to you, such as a voice or fingerprint.

At least 2 of these form factors will be required in order to process the online payment.

What do I need to do?

If you’re an online business accepting payments with PayPal, just select your solution below and we’ll help you become regulation-ready – so you can continue to accept quick, easy and secure payments.

PayPal Pro hosted
PayPal Pro direct

You’ll need to update. Here’s why

Change is coming. Are you ready?

If you’re using PayPal Pro direct to accept card payments on your website, you’ll need to update your payment integration to meet the card issuer's PSD2 obligations. PSD2 applies to all European Union organisations involved in online payment services – and will still apply to the UK on departure from the EU.

Missed deadline could lead to declined payments. The requirement to perform SCA comes into effect on 14 September 2019. However, many card issuers are working towards compliance from April 2019 to make sure their systems are fully operational by the deadline.

Here’s what to do

We recommend you integrate 3DS authentication into your checkout by April 2019 to comply with PSD2 and the SCA requirements.

PayPal has partnered with CardinalCommerce®, a wholly-owned subsidiary of Visa® focused on authenticating digital transactions, to provide 3DS authentication using a CardinalCommerce merchant plug-in (MPI) integration. This plug-in will activate 3DS, applying the required level of authentication before a cardholder’s funds are released and before your sale transaction is sent to PayPal.

If you do not have the required level of authentication, your transaction will be declined.

3DS installation: do it yourself

If you integrated PayPal Pro directly into your website, you can add the CardinalCommerce merchant plug-in yourself or work with a developer.


1. Register your account with CardinalCommerce.

2. Update your checkout to support 3DS authentication of the cardholder.

3. Test your integration using Cardinal's testing facilities.

4. Update to share the information you received in step 2.

3DS installation: technology partner option

If your business website is provided through a technology partner, it may have a 3DS authentication option you can enable.


Please contact your website provider directly to get an update.
