Designed to enhance the security of online payments, DSP2 (the EU's second Payment Services Directive, abbreviated PSD2 in English) is a regulation that imposes strict rules on merchants, particularly strong customer authentication (SCA). This requirement aims to reduce fraud but also impacts customer experience and conversion rates. To ensure both security and seamless transactions, businesses must adopt compliant solutions and tools. Discover how to secure your payments while optimizing your commercial performance.

Understanding DSP2 and Its Impact on Online Payments

DSP2 is one of the measures regulating online payments to ensure security and increase consumer trust.

What is DSP2 and Why is it Important?

The European Payment Services Directive was adopted by the European Union in 2015 and has been in effect since January 2018. Its implementation was gradual until 2021. It aims to strengthen the security of electronic transactions, such as NFC payments, and encourage innovation in the financial sector.

Its goal is to curb fraud, which has surged alongside the rise of e-commerce. According to the Payment Security Observatory, online payment fraud in the European Union amounted to €1.8 billion in 2022, representing 8% of total fraud on card payments.

To address this issue, DSP2 imposes strict rules, such as strong customer authentication (SCA), on payment service providers (PSPs) and merchants. This regulation ensures that each transaction is validated by at least two of three types of authentication factor.

Key Components of DSP2

Strong authentication is not the only security measure mandated by this directive. DSP2 is built on several key pillars:

Opening up the payments market: DSP2 requires banks to grant third-party providers (TPPs) access to customer accounts via secure interfaces (APIs). This measure has driven the growth of Open Banking and new financial services.

Fraud prevention: According to the European Banking Authority, the SCA requirement has already reduced fraud in remote payments by 40%.

Improved transparency: PSPs must now provide consumers with clearer information on fees and payment conditions. For example, Market Pay ensures compliance with this requirement for its contactless NFC payment solution with Paywish.

Name and IBAN verification: Since 2022, payment service providers have been required to verify that the beneficiary's name matches the IBAN of the payment account when processing transfer orders within the European Union.

What is Strong Customer Authentication (SCA)?

Strong Customer Authentication (SCA) is the primary obligation of the DSP2 directive. Its role is to enhance the security of electronic payments and combat fraud by providing maximum protection for customer data.

SCA Requirements

Strong authentication mandates that merchants and online payment service providers implement a security process requiring two of the following three factors:

Knowledge factor: Password, PIN code

Possession factor: Smartphone, bank card, security token

Biometric factor: Fingerprint, facial or voice recognition

This requirement applies to contactless payments and most online transactions. However, certain operations, such as low-value payments (below €30) or pre-authorized recurring transactions, are exempt.

Implementing this authentication process effectively reduces online payment fraud in Europe. However, it has also complicated the checkout process, contributing to higher cart abandonment rates. To counter these effects, merchants can use solutions like frictionless flow or delegated authentication with 3D Secure 2.

Frictionless flow allows merchants to bypass strong authentication when the risk of fraud is deemed low. This is determined through real-time transaction risk analysis (TRA) by risk management tools. If a payment is considered safe, it can be processed without additional customer intervention.

Delegated authentication enables merchants to authenticate customers themselves instead of relying on banks. This streamlines the user experience through solutions like integrated biometric authentication within merchant apps.
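The SCA rule, the exemptions and the frictionless flow described above can be combined into one decision function. This is an added example, not code from the original page or from any PSP; the names (`Payment`, `sca_satisfied`, `decide`), the factor-to-category mapping and the boolean `tra_low_risk` input are assumptions standing in for a real risk engine.

```python
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "knowledge"
    POSSESSION = "possession"
    BIOMETRIC = "biometric"


# Constructed mapping of concrete factors to the three categories listed above.
FACTOR_CATEGORY = {
    "password": Category.KNOWLEDGE,
    "pin": Category.KNOWLEDGE,
    "smartphone": Category.POSSESSION,
    "bank_card": Category.POSSESSION,
    "security_token": Category.POSSESSION,
    "fingerprint": Category.BIOMETRIC,
    "face": Category.BIOMETRIC,
    "voice": Category.BIOMETRIC,
}

# Low-value exemption stated on this page (below EUR 30), kept in integer cents.
LOW_VALUE_LIMIT_CENTS = 3000


@dataclass
class Payment:
    amount_cents: int
    recurring_preauthorized: bool = False
    tra_low_risk: bool = False  # assumed verdict of a TRA risk engine


def sca_satisfied(factors):
    """True when the verified factors span at least two distinct categories."""
    unknown = [f for f in factors if f not in FACTOR_CATEGORY]
    if unknown:
        raise ValueError(f"unrecognized factor(s): {unknown}")
    return len({FACTOR_CATEGORY[f] for f in factors}) >= 2


def decide(payment, factors=()):
    """Return 'exempt', 'frictionless', 'authenticated' or 'challenge'."""
    if payment.recurring_preauthorized or payment.amount_cents < LOW_VALUE_LIMIT_CENTS:
        return "exempt"
    if payment.tra_low_risk:
        return "frictionless"
    return "authenticated" if sca_satisfied(factors) else "challenge"
```

A password plus a PIN leaves the payment at `challenge`, because both belong to the knowledge category and therefore count as a single factor type.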

How to Adapt Your Payment System to DSP2

Complying with DSP2 goes beyond meeting the strong authentication requirement. Merchants must adapt their payment infrastructure to ensure both security and a smooth purchasing experience.

Update Your Payment Solutions for DSP2 Compliance

To effectively update your payment system, work with compliant payment service providers (PSPs). PSPs must adhere to DSP2 regulations and offer solutions that integrate strong authentication without complicating the customer journey.

Also, ensure your provider supports the 3D Secure 2 (3DS2) protocol. According to Visa, 3DS2 reduces payment friction caused by SCA by 70% and improves conversion rates.

Consider integrating alternative payment methods. Digital wallets (Apple Pay, Google Pay) and instant transfers via Open Banking offer a seamless authentication process that aligns with the directive’s requirements.

Consequences of Non-Compliance with DSP2

Compliance with DSP2 is mandatory for all e-commerce players. Failure to adhere to this regulation can have serious consequences for your business.

Risk of Penalties and Loss of Trust

From a regulatory standpoint, supervisory authorities can impose penalties for non-compliance with DSP2 security requirements. These fines can be substantial and directly impact the profitability of your online business, particularly if you are just starting out.

Beyond penalties, non-compliance can damage your brand image. An unsecured payment system increases the risk of fraud and cyberattacks. If a customer suffers financial harm due to a poorly protected online store, trust is immediately lost. Poor security management can lead to customer attrition, as users migrate to more secure platforms, ultimately harming your company’s reputation.

Moreover, banks and payment gateways may refuse to approve transactions that do not meet DSP2 requirements. The main consequences include an increase in declined payments and a drop in sales.

From DSP2 to DSP3 (Upcoming Developments)

The adoption of DSP2 marked a significant step forward in securing remote payments, but the financial landscape continues to evolve rapidly. In response to changing fraud techniques and new online payment habits, the European Commission is preparing DSP3. The goal is to enhance consumer protection and adapt regulations to technological innovations.

This regulation is expected to:

Strengthen supervision of payment service providers.

Expand strong authentication requirements to cover a broader range of transactions, reducing fraud loopholes.

Modernize Open Banking, which has yet to reach its full potential. According to a Juniper Research study, the value of Open Banking-related transactions in Europe is projected to reach 330 million by 2027, up from 57 million in 2023.

DSP3 aims to accelerate this adoption by clarifying banks' obligations and simplifying data access for third-party providers, while maintaining the transparency promised to consumers.