axis payroll Year End Updates are now available »

Strong Customer Authentication for Online Card Payments

Last Updated: 1st February 2022

In 2018, the UK Government passed into legislation the EU Directive known as PSD2 (Payment Service Directive 2). This directive aims to provide better protection for consumers paying online whilst also paving the way for new developments in making online and mobile payments.

The elements covering better consumer protection for online payments are covered by the introduction of Strong Customer Authentication and were to become mandatory on 14th September 2019. In August 2019, the Financial Conduct Authority announced an 18 month delay before compliance was to become mandatory. A further 6 month delay, due to the exceptional circumstances around the Covid-19 crisis, was announced by the FCA in April 2020. A further delay was announced in May 2021 which means that, at the time of writing (01/02/2022), the following timescales apply:

  • In the UK, the deadline for eCommerce compliance is now 14th March 2022.
  • In the European Economic Area (EEA), the deadline for eCommerce compliance remains 31st December 2020.

What is Strong Customer Authentication?

Strong Customer Authentication for PSD2 is provided by a development of 3D Secure known as 3D Secure 2.0.

What is 3D Secure?

Many people will be familiar with the current version of 3D Secure through the implementations provided by the two main card issuers, Visa and MasterCard. Visa refer to their 3D Secure implementation as "Verified by Visa" whilst MasterCard call their 3D Secure system as "MasterCard SecureCode".

When 3D Secure is enabled via your website checkout, the customer is redirected to their own bank's website to enter a password (or typically, 3 random characters from their password) as an additional verification that they are who they claim to be.

Typically, this looks something like this (in the case of using a Visa card - Mastercard's equivalent is similar):

Enabling 3D Secure through your website's checkout has, to date, been optional. There are good reasons for using it, not least of which is that, in general, when using 3D Secure, liability for fraudulent transactions moves to the bank if the transaction went through the 3D Secure verification process.

What is 3D Secure 2.0?

3D Secure 2.0 extends the verification process to use 2-Factor Authentication (also known as 2FA). Two-factor authentication requires the customer to confirm their identity using two of the following three classes of verification:

  • Something They Know (for example, a password or a PIN number)
  • Something They Have (for example, a card reader or SmartPhone)
  • Something They Are (for example, fingerprint, voice or facial recognition)

Exactly how a particular bank chooses to verify its customers is down to their own preferences - for example, one bank may offer voice recognition whilst another may not.

Are There Exceptions?

Whereas the use of 3D Secure has been optional in the past, the use of 3D Secure 2.0 will become mandatory. There are, however, exceptions:

  • Transactions below €30 (unless the customer has initiated more than five consecutive low value transactions)
  • Recurring payments (such as subscriptions)
  • Whitelisting (where the customer has added their regular suppliers to a "trusted merchants" list)
  • Low Risk Transactions (where the bank has determined that the particular transaction is low risk based on a real-time risk assessment)
  • Transactions where the merchant or customer are outside the UK and the European Economic Area

In essence, it is down to the issuing bank to decide whether the particular transaction needs to be verified so the website's checkout and Payment Service Provider will always need to assume that the transaction needs to be verified - it is simply that, in some cases, the bank will return an approval without asking the customer to verify their identity.

In order for the bank to make a risk assessment, the Payment Service Provider (for example, Opayo) may need to provide more information on the transaction - such as delivery address, nature of the goods etc. and so this may require them to make changes to their APIs.

What Happens Next?

Payment Service Providers have published information on the implications of Strong Customer Authentication for their individual services and we continue to monitor this information for updates that may affect our clients.

In the meantime, if you are not already using 3D Secure in your checkout process, we strongly recommend that you do so now - as well as minimising any disruption when SCA becomes mandatory, it does bring the added benefit of shifting liability for fraudulent transactions to the issuing bank. Enabling 3D Secure is usually done via your Payment Service Provider's online portal.

The aim of Strong Customer Authentication for Online Card Payments is to reduce instances of online fraud and so these changes should benefit both merchants and customers alike. We can expect, however, in the short term, that there will be some disruption as online shoppers adjust to new checkout processes and set themselves up with the means to verify their identity on every transaction.

Specific Information for Websites using Opayo

All axis vMerchant / Opayo (SagePay) integrations use a method called "VSP Server", or "Server" for short. Opayo have confirmed (see link to their Frequently Asked Questions article below) that Server integrations require no change and fully support both 3DSv1 and 3DSv2.

Opayo have previously sent emails to their clients suggesting that some alterations will be required to the custom templates used by Server integrations. We have confirmed that the latest versions of the custom templates work correctly using 3DSv2 and we are helping all of our axis vMerchant clients to ensure, where necessary, that their custom templates are up to date.

Since 3D Secure only applies to online transactions, the introduction of Strong Customer Authentication does not affect axis diplomat's integration with Opayo - without modification, it will, for example, still be able to authorise payment against a web transaction placed using Authenticate & Authorise regardless of whether it was placed using 3DSv2 or not.

If you have not currently enabled 3D Secure on your account, you should do so now. If you do not, your website may encounter problems processing payments from cards issued within the EEA.

Further Information

Information on the UK's Current Deadline for Implementing Strong Customer Authentication can be found on the Financial Conduct Authority's website here:

Opayo have published a general information page on Strong Customer Authentication, a Frequently Asked Questions article and a Support Note on enabling 3D Secure.


Call Back
This site uses cookies. By continuing to access this site you are accepting the use of cookies by this site.
Read more about cookies...

Cookies are small text files stored on your device when you access most websites on the internet.

This Website uses cookies in order to make the Website easier to use, to support the provision of information and functionality to you, as well as to provide us with information about how the Website is used so that we can make sure it is as up to date, relevant and error free as far as we can. Further information about the types of cookies that are used on this Website is set out in the box below.

By using this Website you agree to our use of cookies. You can choose to restrict or block cookies set on the Website through your browser settings at any time. For more information about how to do this, and about cookies in general, you can visit Please note that certain cookies may be set as soon as you visit the Website, but you can remove them using your browser settings.

However, please be aware that restricting or blocking cookies set on the Website may impact the functionality or performance of the Website, or prevent you from using certain services provided through the Website. It will also affect our ability to update the Website to cater for user preferences and improve performance.

We don’t sell the information collected by cookies, nor do we disclose the information to third parties, except where required by law (for example to law enforcement agencies).

We may sometimes embed content from 3rd party websites such as YouTube. As a result, when you visit a page containing such content, you may be presented with cookies from these websites. We do not control the dissemination of these cookies and you should check the relevant third party's website for more information.

Cookies We Use

Cookie Description
CookieConfirm The presence of this cookie is used to remember the fact that you have confirmed that you are happy to accept cookies
ASPSESSIONIDxxxxxxxx This is a Session Cookie (session cookies are temporary and are erased when you close your browser). It identifies you from one page to the next and is used, for example, to keep track of your logged-in status.
UserID, account, password These cookies are used to remember your login credentials for when you next visit our website. They are only created if you choose the “Remember Me” option on the login page.
_utma, _utmb, _utmc, _utmz These are cookies created by Google Analytics and are used to provide us information on which web pages are the most popular, and the most popular search terms used by visitors arriving at our site.