It pays to be prepared for PSD2

We’re ready for Strong Customer Authentication and here to help you upgrade your online checkout.

What is PSD2?

The Second Payment Services Directive (PSD2)

New European Union directive replacing the First Payment Services Directive, which regulates payment services in Europe. Part of PSD2 includes new security requirements will impact online businesses accepting card payments. Currently, PDS2 regulation will be enforced in the UK, regardless of the outcome of Brexit.

Strong Customer Authentication (SCA)

PSD2 introduces strict security requirements for the initiation of electronic payments in order to reduce the risk of fraud. These requirements include strong customer authentication, which is an authentication process that validates the identity of the user of a payment service or a payment transaction, which will be compulsory in the EEA on the 14 September 2019. Most payments will need at least 2 forms of authentication – or form factors* – to process a payment from institutions (banks) that issue credit and debit cards. SCA enforcement will not be enforced in the UK until March 2021, and there is also an enforcement delay in some other countries. However, as it phases in payments from customers outside the UK may be affected. So, you’ll need to make sure your systems are up to date.

3-D Secure (3DS)

3D Secure is a card industry authentication protocol that allows card issuers to authenticate their cardholders during checkout.

*There are 3 types of form factors:


Knowledge: Something you know such as a password.


Possession: Something you have such as a one-time code generated by a security token or access through a trusted device, such as an SMS.


Inherence: Something that you are and is unique to you, such as a voice or fingerprint.

At least 2 of these form factors will be required in order to process the online payment. Banks will need to start declining payments that require SCA and don’t meet these criteria, or are not otherwise exempt from the regulation. SCA enforcement is expected to come in gradually, but businesses can expect the first banks to start declining payments without two-factor authentication from 14 September 2019.

What do I need to do?

If you’re an online business accepting payments with PayPal, just select your solution below and we’ll help you become regulation-ready – so you can continue to accept quick, easy and secure payments.

PayPal Pro hosted
PayPal Pro direct

You’ll need to update. Here’s why

Change is coming. Are you ready?

If you’re using PayPal Pro direct to accept card payments on your website, you’ll need to update your payment integration to meet the card issuer's PSD2 obligations. PSD2 applies to all European Union organisations involved in online payment services – and will still apply to the UK on departure from the EU.

Missed deadline could lead to declined payments. The requirement to perform SCA comes into effect on 14 September 2019. Even though there is some enforcement delay by many European regulators for online card payments, many card issuers are working towards compliance to make sure their systems are fully operational by the deadline.

Here’s what to do

We recommend you integrate 3DS authentication to your checkout immediately to comply with PSD2 and the SCA requirements.

PayPal has partnered with CardinalCommerce®, a wholly-owned subsidiary of Visa® focused on authenticating digital transactions, to provide 3DS authentication using a CardinalCommerce® integration. Their service will provide 3DS, allowing the card issuer to authenticate their customer prior to sending PayPal your sale transaction.

If you do not have the required level of authentication, your transaction may be declined.

3DS installation: do it yourself

If you directly integrated PayPal Pro to your website, then you can add the CardinalCommerce® solution yourself or work with a developer.


Register your account with CardinalCommerce.


Update your checkout to support 3DS authentication of the cardholder.


Test your integration using Cardinal's testing facilities.


Update to share the information you received in step 2.

3DS installation: technology partner option

If your business website is through a technology partner, it may have a 3DS authentication option you can enable.


Please contact your website provider directly to get an update.

If you continue to browse, we'll use cookies that make our site work, improve performance and customise your experience. If you accept, we'll also use cookies to personalise ads. Manage your cookies