Last Updated

Strong Customer Authentication for Online Card Payments

Last Updated: 26th September 2019

In 2018, the UK Government passed into legislation the EU Directive known as PSD2 (Payment Service Directive 2). This directive aims to provide better protection for consumers paying online whilst also paving the way for new developments in making online and mobile payments.

The elements covering better consumer protection for online payments are covered by the introduction of Strong Customer Authentication and were to become mandatory on 14th September 2019. In August, the Financial Conduct Authority announced an 18 month delay before compliance was to become mandatory.

The deadline for compliance is now March 2021.

What is Strong Customer Authentication?

Strong Customer Authentication for PSD2 is provided by a development of 3D Secure known as 3D Secure 2.0.

What is 3D Secure?

Many people will be familiar with the current version of 3D Secure through the implementations provided by the two main card issuers, Visa and MasterCard. Visa refer to their 3D Secure implementation as "Verified by Visa" whilst MasterCard call their 3D Secure system as "MasterCard SecureCode".

When 3D Secure is enabled via your website checkout, the customer is redirected to their own bank's website to enter a password (or typically, 3 random characters from their password) as an additional verification that they are who they claim to be.

Typically, this looks something like this (in the case of using a Visa card - Mastercard's equivalent is similar):

Enabling 3D Secure through your website's checkout has, to date, been optional. There are good reasons for using it, not least of which is that, in general, when using 3D Secure, liability for fraudulent transactions moves to the bank if the transaction went through the 3D Secure verification process.

What is 3D Secure 2.0?

3D Secure 2.0 extends the verification process to use 2-Factor Authentication (also known as 2FA). Two-factor authentication requires the customer to confirm their identity using two of the following three classes of verification:

  • Something They Know (for example, a password or a PIN number)
  • Something They Have (for example, a card reader or SmartPhone)
  • Something They Are (for example, fingerprint, voice or facial recognition)

Exactly how a particular bank chooses to verify its customers is down to their own preferences - for example, one bank may offer voice recognition whilst another may not.

Are There Exceptions?

Whereas the use of 3D Secure has been optional in the past, the use of 3D Secure 2.0 will become mandatory. There are, however, exceptions:

  • Transactions below €30 (unless the customer has initiated more than five consecutive low value transactions)
  • Recurring payments (such as subscriptions)
  • Whitelisting (where the customer has added their regular suppliers to a "trusted merchants" list)
  • Low Risk Transactions (where the bank has determined that the particular transaction is low risk based on a real-time risk assessment)
  • Transactions where the merchant or customer are outside the European Economic Area (or, presumably, the UK after Brexit)

In essence, it is down to the issuing bank to decide whether the particular transaction needs to be verified so the website's checkout and Payment Service Provider will always need to assume that the transaction needs to be verified - it is simply that, in some cases, the bank will return an approval without asking the customer to verify their identity.

In order for the bank to make a risk assessment, the Payment Service Provider (for example, SagePay or Pay360) may need to provide more information on the transaction - such as delivery address, nature of the goods etc. and so this may require them to make changes to their APIs.

What Happens Next?

The Payment Service Providers have published information on the implications of Strong Customer Authentication for their individual services. SagePay, for example, have confirmed that their "VSP Server" integration, as used by all axis vMerchant websites, requires no change.

In the meantime, if you are not currently using 3D Secure in your checkout process, we strongly recommend that you do so now - as well as minimising any disruption when SCA becomes mandatory, it does bring the added benefit of shifting liability for fraudulent transactions to the issuing bank. Enabling 3D Secure is usually done via your Payment Service Provider's online portal.

The aim of Strong Customer Authentication for Online Card Payments is to reduce instances of online fraud and so these changes should benefit both merchants and customers alike. We can expect, however, in the short term, that there will be some disruption as online shoppers adjust to new checkout processes and set themselves up with the means to verify their identity on every transaction.

Further Information

SagePay have published a Frequently Asked Questions article at


Call Back
This site uses cookies. By continuing to access this site you are accepting the use of cookies by this site.
Read more about cookies...

Cookies are small text files stored on your device when you access most websites on the internet.

This Website uses cookies in order to make the Website easier to use, to support the provision of information and functionality to you, as well as to provide us with information about how the Website is used so that we can make sure it is as up to date, relevant and error free as far as we can. Further information about the types of cookies that are used on this Website is set out in the box below.

By using this Website you agree to our use of cookies. You can choose to restrict or block cookies set on the Website through your browser settings at any time. For more information about how to do this, and about cookies in general, you can visit Please note that certain cookies may be set as soon as you visit the Website, but you can remove them using your browser settings.

However, please be aware that restricting or blocking cookies set on the Website may impact the functionality or performance of the Website, or prevent you from using certain services provided through the Website. It will also affect our ability to update the Website to cater for user preferences and improve performance.

We don’t sell the information collected by cookies, nor do we disclose the information to third parties, except where required by law (for example to law enforcement agencies).

We may sometimes embed content from 3rd party websites such as YouTube. As a result, when you visit a page containing such content, you may be presented with cookies from these websites. We do not control the dissemination of these cookies and you should check the relevant third party's website for more information.

Cookies We Use

Cookie Description
CookieConfirm The presence of this cookie is used to remember the fact that you have confirmed that you are happy to accept cookies
ASPSESSIONIDxxxxxxxx This is a Session Cookie (session cookies are temporary and are erased when you close your browser). It identifies you from one page to the next and is used, for example, to keep track of your logged-in status.
UserID, account, password These cookies are used to remember your login credentials for when you next visit our website. They are only created if you choose the “Remember Me” option on the login page.
_utma, _utmb, _utmc, _utmz These are cookies created by Google Analytics and are used to provide us information on which web pages are the most popular, and the most popular search terms used by visitors arriving at our site.