Written by Mike Wakeling, Group Product Manager
01 Oct 2019  |  Compliance

PSD2: What Actually Happened on September 14 2019

Like many companies, we waited with bated breath to see what would happen on September 14. We’d made sure our checkout and recurring payments were both fully PSD2 compliant (just in case the banks drastically changed their approach to Strong Customer Authentication overnight) and stayed up until 2am to see the new regulations come in. Here’s what happened.

So what actually happened?

In short… not very much! We’d done plenty of testing and preparation and were up until 2am in the UK to see the new PSD2 regulations take effect on our subscription renewals, which all went off without a hitch!

Since the new authentication regulations under PSD2 have been enforced, we’ve seen some change in the proportion of payments requiring Strong Customer Authentication (SCA). Currently, we’re seeing a 10% increase in payments by end users in the EU requiring either 3DS1 or 3DS2. However, given that over 80% of payments in the EU already used 3D-Secure version 1 (3DS1) or version 2 (3DS2), this is no big change for buyers.

Before September 14, it had been reported that many banks would not be ready for 3DS2 in time, and this is exactly what we’re seeing. Support and usage of 3DS2 by issuing banks is extremely low, with just 1% of 3DS authentications currently taking advantage of 3DS2 - the rest using 3DS1.

Of the 3DS2 authentications we’re seeing, around 60% of them are frictionless, giving the end user a seamless experience. The 3DS2 frictionless flow is much less intrusive than its 3DS1 counterpart, which still loads the bank’s website and often requires an interaction. The other 40% of 3DS2 authentications require the end user to complete a “challenge”, usually in the form of a code sent by SMS, or a push notification from the bank’s app.

How have recurring payments been affected?

Unsurprisingly (given the limited change in behaviour towards authentication), banks are not requiring Strong Customer Authentication for recurring payments where the subscription started before September 14. Whether this is because they have not changed their logic or because they are honouring grandfathering remains to be seen.

What happens next?

At Paddle, we’re optimising our 3DS flows further. Given the limited uptake of 3DS2, we’ve improved our 3DS1 flow by showing the issuing bank’s website within our checkout, rather than in a popup window. We’re also working on improving our dunning emails when authentication is required for recurring payments, just in case banks start getting more strict with these.

We’ll be monitoring the trends in this area in the coming months and working closely with our payment partners in order to give end users the best checkout payment and authentication experience possible.