Skip to main content


PSD2, SCA & 3DS: What SaaS Businesses Need To Know About Compliance

If you sell a product or service online, you’ve likely heard of the second Payment Services Directive (PSD2) that takes effect in the EU on September 14, 2019.

Adam Feber image

Adam Feber

July 31, 2019

If you sell a product or service online, you’ve likely heard of the second Payment Services Directive (PSD2) that takes effect in the EU on September 14, 2019. Unless you enjoy stressful situations, we urge all businesses to start their preparation planning sooner rather than later—even those that are not immediately impacted.  

Failing to understand and comply with PSD2 could cripple your ability to process transactions and collect revenue. Below are the common questions and answers that will help you better prepare for the impending deadline:

  • Which businesses are impacted?

  • What exactly is PSD2?

  • How do you prepare for the deadline?

  • What is Maxio doing to ensure compliance?

Which businesses are impacted?

On September 14, 2019, PSD2 will begin impacting businesses that have a merchant account in the European Union (EU) and process payments for customers that have cards issued from an EU bank. We anticipate PSD2 regulation to be enforced in the UK, regardless of the outcome of Brexit.

Not you? Don’t stop reading yet…

At the center of PSD2 compliance is Strong Customer Authentication (SCA), which we will explain in the next section. It is recommended that every business—even businesses outside of the EU—educate themselves on how to collect SCA when requested, as all banks could start asking for it at any time.

What exactly is PSD2?

PSD2 is a new European Economic Area (EEA) regulation that requires Strong Customer Authentication (SCA) as a means to increase security and authorization rates while decreasing online payment fraud. 

SCA will need to be collected prior to processing a payment by authenticating two of three possible identification traits—something the customer owns, knows, or is.


3D Secure (3DS) has become the most common, globally accepted security protocol that collects and confirms SCA. 3DS was initiated and created by Visa and MasterCard and may be familiar to some merchants through these card networks’ brand names such as Visa Secure and Mastercard Identity Check. But PSD2 turns 3DS into a requirement vs. a nice-to-have. 

Keep reading to understand how to enable 3DS, which transactions will require SCA, which transactions may be exempt, and the changes that will impact both current and future customers.  

How do you prepare for the deadline?

Here is the cliff notes version of how it all works and what the process looks like:

  • When a customer initiates an online transaction, the issuing bank will flag transactions that require SCA based on a number of criteria 

  • Your payment gateway will receive this request and initiate 3DS in order to authenticate the customer

  • Businesses must be using a PSD2 compliant billing solution that supports 3DS workflows to present, capture, and pass the SCA identification traits back to the payment gateway’s 3DS service

  • Once SCA is confirmed, it is sent back to the issuing bank to successfully process the transaction 


Because payment gateways are ultimately on the hook for initiating 3DS and establishing SCA, all the major players are either working on or have already delivered a solution to enable 3DS. Step #1 starts with contacting your payment gateway to learn more about enabling 3DS. 

Your payment gateway will likely charge a small fee to use their 3DS service, but it’s important to understand that not all subscription transactions will require SCA, even after PSD2 goes into effect.

Grandfathered Existing Customers Exemption 

Someone or something that is ‘grandfathered’ means that they are exempt from a new law or regulation. In the case of PSD2, transactions for existing paying customers will not require SCA in order to be renewed after September 14, 2019, as long as a previous relationship is established using the new Stored Credentials framework

Merchant-Initiated Transaction Exemption

A Merchant Initiated Transaction (MIT) happens when payment is initiated by the merchant—not the customer—with a saved card. SCA will usually be required for the initial transaction after September 14, 2019, but subsequent payments technically fall outside the scope of SCA. Marking a payment as a “merchant-initiated transaction” acts as an exemption request, but it will still be up to the bank to decide whether SCA will be required.

The caveat is that if a transaction is not processed for a customer within a year, then any preexisting grandfathered or MIT exemptions will be invalidated, and that customer will have to reauthenticate. This one year rule creates additional complications for annual subscriptions that may renew outside of the exemption grace period. We will cover suggested ways to handle this use case in the next section. 

Other Exemptions

  • Amount Exemption: Transactions less than €30 will be exempt from SCA

  • Whitelisted Merchants Exemption: Some issuing banks will support whitelisting, where customers can add trusted companies to a ‘skip SCA’ list 

  • Low-Risk Exemption: If you have low fraud rates, the bank will allow higher transaction values (up to €500) without requiring SCA

  • Recurring Payments Exemption: A new SCA is not required for subscription renewals when the transaction amount is exactly the same from one due date to the next

What is Maxio doing to ensure compliance?

While payment gateways do a lot of the heavy lifting, customer-facing billing solutions like Maxio are required to integrate with these gateways’ 3DS services and modify signup/renewal workflows for merchants that enable 3DS. 

Work is nearing completion for our updated PSD2 compliant gateway integrations. As of now, supported gateways will include Braintree, Cybersource, Payment Express, QuickPay, and Stripe.

Other updates that ensure compliance:

  • For existing “grandfathered” customers, we’ve been working with Visa and our shared gateway partners above to ensure that these credentials are stored correctly so that existing subscriptions continue to process successfully. Learn more about the


    Stored Credentials framework here

  • If you use our API or Maxio.JS to process transactions, you’ll need to make some minor updates to your implementation. Detailed guides and documentation will be published soon for guidance.

  • Hosted Maxio pages like our Public Signup Pages




    subscriptions created through our user interface will include native support for 3DS workflows.

  • If you use Maxio Direct to process transactions, 3DS support is TBD. If this is you, we recommend updating your signup workflows to use Maxio.JS and our API, or Public Signup Pages. 

  • Subscription imports will allow merchants to include a previously-stored transaction to establish a previous relationship.

  • For any renewals that require SCA, Maxio will send an email to the customer where they can authorize the transaction using your gateway’s 3D Secure service.

Our sales and support teams are well trained and ready to answer any question you may have. Stay tuned for additional communication and documentation around these updates and what actions Maxio merchants should take to prepare for the September 14, 2019 deadline.

Join the newsletter

Get actionable insights from industry experts delivered to your inbox.

What are your biggest financial challenges?

You can’t expect to build a highly profitable SaaS company through manual processes alone—especially when it comes to managing your finances.

This guide shows you how Maxio automates accountants, controllers, and SaaS finance leaders' day-to-day workload, and how it can eliminate your financial headaches for good.

Download the Guide