How to meet the new PSD2 SCA requirements

November 27, 2019

The rules of credit card processing are changing very soon in Europe and these changes will affect any merchant doing business in the European Economic Area (EEA). The EEA consists of all 28 member companies of the European Union as well as the three EEA EFTA Countries: Iceland, Liechenstein and Norway.

The new Strong Customer Authentication (SCA) regulations were initially scheduled to go into effect September 14, 2019, but in October the European Banking Authority announce that the new SCA requirements should be fully enforced by December 31, 2020. They will create new rules for merchants when it comes to authenticating online payments. These new regulations are part of the revised Payment Services Directive (PSD2). The revised Payment Services Directive was designed by the countries of the European Union in 2015 to regulate the payments industry.

The 31 members of the EEA


In a world of ever-increasing cyber security threats, the objective behind these new requirements is to reduce fraud and increase security in online payments. SCA is designed to increase the security of online credit card transactions for both merchants and their customers. SCA can meet that goal by achieving the following:

  • Reduce potential for online fraud
  • Lower the cost of processing fraudulent transactions
  • Increase consumer confidence when using credit cards in online transactions

According to the new regulations, Strong Customer Authentication is defined as:

“…an authentication based on the use of two or more elements categorized as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is). These must be independent from one another, in that the breach of one does not compromise the reliability of the others and is designed in such a way as to protect the confidentiality of the authentication data.”

The regulation also requires that payment service providers “use strong customer authentication where a payer:

  • accesses its payment account online;
  • initiates an electronic payment transaction;
  • carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.


The effort to pass the new Strong Customer Authentication regulations dates to January 31, 2013. On that date, the European Central Bank (ECB) issued its recommendation to increase security for online payments. Following that, the European Commission drafted a proposal to update the Payment Services Directive, the result was PSD2 which added in the Strong Customer Authentication. This will be a “legal requirement for electronic payments and credit cards.” The EU recently extended the deadline to December 31, 2019.


Cybersecurity is something every country is prioritizing and for good reason. The statistics are staggering. The Erjavec Group, a leading global information security advisory firm with offices in the United States, Canada and the United Kingdom, recently released its Official Annual Cybercrime Report. It predicts that the global cost of cybercrime will hit $6 trillion in 2021, up from $3 trillion in 2015.

The National Crime Agency says cybercrime accounts for 50% of all crimes in the United Kingdom. And according to the European Agency for Network and Information Security, “information theft, loss or attack” is now the biggest crime against an organization, surpassing physical threat in 2017. And according the Imperva 2019 Cyberthreat Defense Report, 78% of the organizations surveyed had been affected by a cyberattack. The growing cyber threats were a driving force behind the new SCA Requirements.


Strong Customer Authentication requires merchants to use at least two of the following three elements when authenticating a purchase:

  • Something the customer knows: password, passphrase, pin, sequence or secret fact

  • Something the customer owns: mobile phone, wearable device, smart card, token or device

  • Something the customer has: fingerprint, facial features, voice pattern, iris format, DNA

Red Maple is fully prepared to help merchants meet these new SCA requirements with StagedPay. StagedPay is Red Maple’s revolutionary, cloud-based solution for merchants processing Card Not Present (CNP) transactions. StagedPay provides merchants with a system that complies with Strong Customer Authentication (SCA), by using an email or phone number as a means of verifying identity for credit card transactions and enhancing credit card security.

Watch StagedPay Capabilities from Media Insiders on Vimeo.

  • Two-Factor Card Entry. StagedPay provides a patent-pending method of tokenizing card holder information via two-factor entry. Merchants collect part of the card number while allowing the card holder to enter the remaining part of the card information in a secured portal in the cloud. Customers enter the first part of the credit card number on the website or via telephone when ordering from a live representative. They can then enter the rest of the numbers via text, email or another phone call.

    Secured Cloud-Based Portal. StagedPay also provides merchants with a white label, secured portal for their customers to manage their methods of payment (cards, wallets and bank accounts) while also providing merchants the ability to upload invoices for payment.

For those merchants using StagedPay, the software also provides merchants with a drastic reduction in PCI scope as well as these additional features and benefits. Visit to learn more.

  • eCommerce applications
  • Customer Engagement applications
  • Back Office Systems
  • Mobile applications
  • Retail applications
  • Robust API for integration

With September only a few months away merchants who do business in the EEA have a limited time to find a reliable and secure solution that meets the new SCA requirements. We would love to help you with this transition to ensure you are meeting the requirements. Our team is available to answer any questions regarding the regulations and how to be sure your company meets the requirements.

You can call us at 972.980.6963 or send us an email. Or, to learn more about StagedPay or see how it works, schedule a free demo.

Red Maple is an international software publisher founded in 1997, with more than 500 customers worldwide. Red Maple’s software solutions are typically paired with cloud-based software, including Microsoft Dynamics™ 365. The software focuses on three main areas of functionality: credit card processing, sales commissions and sales contracts.

Get the most out of Microsoft Dynamics

Find out how you can expand MS Dynamics' capabilities with our turnkey software solutions.

Find out if our Microsoft Dynamics extensions and solutions are a good fit for your corporation by scheduling a free demo.

<< back to blog