Happy Business Starts Here

Zuora Staff

This community post will help our customers understand the new PSD2 regulation, how it impacts them, and what they need to do to prepare.


What is PSD2 and when does it go into effect?

PSD2 is an extensive revision of the European Union’s “Payment Services Directive” regulations. PSD2 will be going into effect on September 14, 2019.


PSD2 objectives are the following:

  • Standardize regulations and integrate the market for payment services across EU countries
  • Ensure fair competition and transparency
  • Open payment services ecosystem and reduce bank monopoly on providing services by mandating that, upon account holder consent, they make account data available by API to third-party service providers

What is SCA and why is it important?

SCA stands for Strong Customer Authentication and is one of the mandates of PSD2 that is most applicable to Zuora customers in the European Union. The SCA regulations are designed to protect consumers. While many tools exist to reduce fraud, one of the most effective is authentication – validating a customer’s identify before they pay online. 


With SCA, all electronic transactions will need authentication, using at least two of three possible methods:

  • Knowledge: something only the user knows, such as a password
  • Possession: something only the user possesses, such as a token or mobile phone
  • Inherence: something the user is, such as a biometric (e.g. fingerprint recognition)

Zuora recommends using 3DS2 (3DS v2) to provide your customers with the best authentication experience for European customers. 3DS stands for 3D Secure, an open standard used by major credit card brands to authenticate cardholders. 3DS can dramatically reduce fraud and increase authorisation approvals and is one of the primary ways for Payment Services Providers to comply with the SCA mandate.


3DS vs 3DS2 - what’s the difference and why is it important?


3DS (3DS v1)

3DS2 (3DS v2)

Why is it important?

For payment cards only

Also supports mobile and digital wallets

Greater flexibility and support for mobile e-commerce

Designed for web desktop

Streamlined for mobile interaction models/devices

3DS2 adoption expected to be greater because it is easier to use

Requires 3rd-party pop-up screen to authenticate

No 3rd-party pop-up screen

Authentication pop-up screen adds friction to checkout process. 3DS2 reduces that friction

Higher false declines

Modified authentication flow

reduces false declines

Customers likelier to abandon transaction or use a different

payment method

No merchant opt-out or exceptions

Lower-value transactions exempted from validation, depending on the merchant's fraud rate

Greater flexibility and alignment of the protocol to the risk of a particular transaction

10 data points captured

Up to 150 data points captured

Issuer can make better decisions about the validity of the transaction with more data, preventing both fraudulent transactions as well as false positives


How will Zuora help my organization comply?

Zuora provides seamless integration with your payment gateways, simplifying and automating collections. Zuora plans to integrate to each gateway’s 3D Secure 2 capabilities. If your gateway is compliant, Zuora will be complaint as well. 


As part of your comprehensive PSD2-compliant solution, Zuora intends to provide the following:

  1. SCA-compliant implementation of 3DS2 (3DS v2) with your 3D Secure gateway 
  2. Hosted Payment Pages updated to support 3DS2, where applicable. Our HPM will redirect to the gateway’s 3D Secure URL and that service will determine if a challenge question is required. If challenge question fails, payment method will not be stored in Zuora, if it passes, payment method with CAVV and XID to be included with payment request.
  3. If using direct POST, customer will work with MPI of choice and pass the CAVV and XID via API to Zuora to store with payment method. 

What will I have to change in my tenant?

  1. Update your HPM page configurations
    1. Note: We will support 3DS2 via embedded iFrame as long as the gateway the customer is using is 3D Secure compliant. 
    2. If you use direct POST support, merchant will need to work with their MPI provider of choice and pass the necessary IDs down to Zuora via API. Zuora will store these and pass it to the gateway via our integration. 
  2. Update your gateway configurations to use a version that supports 3DS2.
    1. Note: Some integrations may support 3DS2 without requiring an update.

Zuora will be providing updates as soon as information and integration details are available from our Payment Gateway partners. For questions, please post in the comment section below or reach out to your gateway provider directly.