Device Type: desktop
Skip to Main Content Skip to Main Content

How to Stay Ahead of PSD2 With Two-Factor Authentication

This article was updated on May 17, 2023

PSD2 is about to change how payments are handled if you’re doing business in the EU. If you are in the EU or deal with payments in the EU, PSD2 will affect you. To ensure you’re prepared, let’s first explore PSD2 in some detail.

Illustration of retail transaction security measures in the EU

So what is PSD2?

The European Parliament adopted a proposal from the European Commission to replace the old Payment Services Directive (PSD). The new directive provides improved consumer protection for online payments. Security in PSD2 is governed by Secure Customer Authentication (SCA) rules, which dictate that banks use strong multi-factor customer authentication for electronic transactions. Secure two-factor authentication (2FA) meets this requirement.

Secure Customer Authentication and 2FA

SCA actually mandates the use of two-factor authentication (e.g. Vonage Verify API) for all financial transactions above €30. This is expected to come into force in late 2020/early 2021.

Currently, most consumers make an online purchase by logging into an account and entering their credit card information—a simple enough process but one that comes with risks. Hacking user credentials and passwords is easy for an amateur fraudster. SCA is meant to protect consumers from account takeovers. Once SCA takes effect, every “card not present” transaction that touches the European Union will require extra steps.

Two-factor authentication for SCA is a different flavor of 2FA from what we typically provide. It means that along with the PIN code, companies also have to provide the amount of the transaction and identify the payee (usually a merchant). Once PSD2 becomes law, there will be an increase in the number of 2FA transactions required by e-commerce and finance industries.

In What Situations Is SCA Required?

PSD2 requires that payment service providers use strong customer authentication when a payer:

  • Accesses their payment account online

  • Initiates an electronic payment transaction

  • Carries out any action through a remote channel which may imply a risk of payment fraud or other abuses

So under SCA, if a user makes an online transaction, unique info will be required—typically something the user knows (password) and something the user possesses (a phone or, more specifically, a one-time passcode sent to a phone)—in order to be compliant. Standard 2FA makes a business compliant, free from violations and fines.

Enter Verify API for Strong Customer Authentication

Businesses should be aware that with multi-factor authentication, there will be additional steps and, therefore, some attrition. Most transactions will convert as normal, but customers will abandon a small percentage of transactions because of this additional step. Ensuring a seamless, reliable, and easy 2FA process for users will be critical to combat this.

In our current iteration of Verify, Vonage’s 2FA solution, we’re offering the same endpoint with expanded API parameters that include ‘amount’ and ‘payee’. Thus customers can use the Verify API and include these parameters to send a 2FA message that meets SCA under PSD2 requirements. Because the requirements affect multiple industries and leaders within the value chain, 2FA for SCA has broad applicability. The implementation will be critical to:

  • Merchants (eCommerce)

  • Finance or Fintech (banks facilitating payments or tech companies who provide money transfer services)

  • Payment service providers (PSP)

Verify is a flexible, easy, and highly successful 2FA solution known for its global scope and the highest successful conversion rates.

How to Integrate 2FA Channels

Vonage offers two ways of providing 2FA: 

  1. Generate One-Time PINs (OTPs) to deliver them to your customers’ devices 

  2. Use our channels to deliver OTPs generated by your system

Both options give you the ability to quickly provide strong customer authentication that is PSD2 compliant and keep customer accounts private. Verify offers placeholders, which can be used to comply with PSD2 authentication requirements by inserting names into messages that deliver OTPs or to confirm transactions.

Learn more about PSD2 and Strong Customer Authentication in our Whitepaper.

Also, check out our Verify documentation after creating a free account, and get ahead of PSD2.


Deskphone with Vonage logo

Parlez avec un expert.