Online payments, as we know them, are changing. After September 14, 2019, all businesses and financial institutions in the EU and EEA states must comply with the regulatory technical standards (RTS) of the revised EU Payment Services Directive (PSD2), which has been in effect since January last year, and is tightening the rules and requirements for payment and card management. EBA – European Banking Authority will not enforce any action for companies doing business in Europe as of September 14, 2019, if they take the necessary steps to achieve compliance. The FCA – Financial Conduct Authority (UK) has opted for an 18-month extension and other national regulators will announce the mandatory implementation deadline at a later date. What is PSD2 – Cardholder Authentication? It is a directive (PSD) of the European Parliament that requires all payment providers to provide secure customer authentication (SCA), when performing payment services in the internal market, as a way to prevent card payment fraud. How is strong customer authentication implemented? With “3D Secure” – represents three domains that are part of the transaction: 1. Something that the user is (e.g., biometrics), 2. Something the user has (card, smart device), 3. Something the user knows (password, PIN, one-time code). The new directive enforces the use of 3D Secure for online payments and contactless POS payments. 3D-Secure provides 2FA (Two Factor Authentication): the first authentication is the CVV – Card Verification Value Code (is a three or four digit number on the back of the credit card); the second authentication is a bank prompt (SMS with a code to be entered on the bank’s website). Contactless POS payments already have SCA implemented, meaning that the terminal requires a PIN for every five contactless transactions or when the amount of contactless payments exceeds € 100. For online payments, 3D Secure is required for every payment (one-time and periodic payments) over € 30. Changes: Customers without 3D Secure-enabled cards will no longer be able to make online purchases for amounts greater than € 30; For any recurring payment over € 30, an immediate payment will be required (not required until now) – the amount will depend on the merchant (minimum value is 1 cent); Merchants will not be able to make initial recurring payments over € 30 without the customer, as 3D-Secure will be required. 3D Secure will not be required for all the following payments. Some limits may still be set. All merchants will need to have 3D Secure enabled.