Blog / 3DS & PSD2

Why the European Banking Authority has failed with PSD2

The European Banking Authority aimed to level the playing field in payments with PSD2, but they’ve failed to do this - here’s why.

Why the European Banking Authority has failed with PSD2

As we draw closer to the 14th September deadline for the Second Payments Services Directive (PSD2), change is in the air. Outside the payments industry at the start of the year, the noise around ‘PSD2’ was barely a whisper. Now, concern has leaked into the mainstream, with one UK politician calling PSD2 a ‘ticking time bomb’. We’re starting to notice the panic about what PSD2 will mean for the online economy.


PSD2 requires two-factor Strong Customer Authentication
(SCA) on many payments over €30 from 14th September 2019. The European Banking Authority (EBA) has acknowledged that massive numbers of online merchants are not ready for this change. It’s almost as if there’s no way we could have predicted this would happen. After all, when’s the last time everyone ignored a huge sweeping digital change until the last minute with many failing to hit the deadline?

Unclear timelines and conditions

As the online industry won’t be ready for 14th September, the EBA has allowed for some wiggle room. They have specified that national regulators can allow ‘limited additional time’ for organizations to work towards an agreed migration plan.

Confusing consequences for online sellers

For merchants, a delay to PSD2 might seem like a good thing on the surface. However, the EBA’s lack of guidance has added even more confusion to an already complex situation. How long will the delay be? Are there specific industries which might be more or less prepared?

This is likely to result in wildly different approaches to payment authentication and authorisation across Europe for quite some time.

We expect that the migration plans will be around 18 months long, though some national regulators may proceed with no delay and others may push for a 3 year timetable.

Why the EBA has failed in delivering consistent payments across Europe

Post PSD2, when a merchant wants to process an online card payment they will have no idea about how the issuer will handle it. Will a Danish bank enforce SCA on every transaction? If it’s an Italian or a Spanish issuer, should you authenticate or authorise first? The decision of whether or not to use 3D Secure has become much more complex. There’s a much higher chance of payments getting declined through the sheer number of possible approaches.

Therefore, the EBA has totally failed in its attempt to level the playing field in Europe - at least in the short term. In this case, ‘the short term’ could end up being months or years.


How could the EBA have handled this better? Setting a Europe-wide transition period would have given merchants certainty over how issuers will manage payments. This has also been suggested by the European Association of Payment Service Providers of Merchants.

How should merchants manage this uncertainty?

European payments are about to become much more complicated. As a merchant, pre PSD2, the country and issuer of the cardholder were largely irrelevant. Now, the combination of SCA requirements, exemptions, issuer vetoes and now different regulatory approaches per country makes knowing how to process a payment much harder.

Keeping tabs on every country and issuer is a considerable undertaking and will be a huge challenge for merchants operating across Europe.

The important things to consider are:

  • What country the card issuer based in?
  • What policy does the national regulator have?
  • How has the individual card issuer handled payments like this?
  • How likely is it that the issuer will authorise the payment?

This issuer intelligence is critical to how our payment authentication solutions help merchants route each payment to the path of least disruption and the best chance of acceptance - learn more here.

Related content