PSD2: Enabled but not yet excelling

Issuer readiness and stability

For a transaction to be compliant and successful, both the issuer and acquirer domains need to enable SCA and apply the 3DS 2 protocol. Due to the mandated adoption of 3DS 2, UK issuers have seen an increase in 3DS 2 transactions into their platforms. This adds challenges around response times, scalability and stability. The data on Netcetera’s platform is in line with the schemes, which report an increasing number of 3DS 2 transactions, and volumes will only increase once the UK goes fully live. This is likely to put additional strain on Access Control Server (ACS) providers and lead to potential outages.

One reason for these outages is that some ACSs have not had a major overhaul or been scaled since 3DS was introduced in 2000. Changes made to the protocol in the last 21 years have been added onto what are now archaic systems lacking flexibility. As a result of these outages, large merchants have reported looking to the schemes’ stand-in services as alternatives to ensure transactions are not affected. This, however, comes at additional cost and is not widely implemented; it can therefore only be a temporary workaround that lacks sustainability.

Navigating the exemption jungle

Up until now, merchants have benefitted from the UK ecosystem using sophisticated Risk Based Authentication, which allowed them to keep challenge rates to cardholders low. With the pending deadline, this is no longer an option, as bypassing SCA will lead to higher declines on transactions from issuers.

Now that the increasing volumes have brought the first issues to light, it would benefit merchants and acquirers to look at SCA exemptions based on their portfolio of cardholders and customers, to eliminate friction for the cardholder where it is not needed.

SCA exemptions are defined based on the level of risk, amount, recurrence and the payment channel used for the execution of the payment. These exemptions allow PSPs to achieve the right balance between convenience of the payment experience and fraud reduction.

Data from Netcetera on SCA exemptions so far show that Transaction Risk Analysis (TRA) and Low Value Payments are the most adopted² (87% for TRA and 11% for Low Value, according to Netcetera figures). It will be interesting to see the impact of further exemptions introduced in 3DS 2.2, such as recurring transactions, merchant whitelisting and delegated authentication.

The road ahead

With Brexit in the rear-view mirror and the world looking to get back to normal, there is an added incentive to ensure issuers, acquirers and merchants are ready come September. Sectors that rely heavily on ecommerce, such as travel and hospitality, will also look to benefit from 3DS 2.x. The key differentiator in readiness is whether the motor is merely running or has been finely tuned for maximum performance. A prime example of this would be exemptions being enabled on both the issuer and acquirer side to see proper results in successful transactions.

Now more than ever, the results in testing have exposed a need for 3DS solutions to be flexible and modular in order to fit into a hierarchy of existing fraud strategy and authentication providers. Initially this would be an investment, but it is more sustainable than dealing with fraud, scheme fines or an abnormal rate of declines.


1 D. Jordaan, SCA Performance – April 2021, Available at:

2 Netcetera (2021), Webinar: PSD2 SCA being effective – First results, observations and recommendations, Available at:
