If you’re reading this from anywhere within the EU, then you’ve probably heard about the updated Payment Services Directive (aka PSD2). PSD2 is going to change how European customers, merchants and banks interact. We’ll have much more to say about it in the future, but, for now, we want to turn the conversation to what isn’t being discussed.

PSD2 Explained

PSD2 mandates changes in how fraud review must be conducted on intra-EU transactions. The bulk of these transactions will be reviewed by Strong Customer Authentication (SCA). This is likely to be 3D Secure 2.0, which many people know as “two-factor authentication.” A smaller subset of transactions will be eligible for exemptions that allow them to be reviewed by Transaction Risk Analysis (TRA). TRA looks at orders for indicators of risk. Riskified’s core solution would be classified as TRA. Much of what you’ve heard has been about the benefits of PSD2 and the advantages of 3DS 2.0, but that’s not the whole story.


Here are some important points about PSD2’s implementation that you may not be aware of:

1. 3DS 2.0 will lead to significant cart abandonment

Strong Customer Authentication – the likeliest option of which is 3DS 2.0 – is a high-friction verification method that leads to extensive cart abandonment. Customers who have already committed to a purchase are faced with another step to complete, and that often leads to drop-off. While it’s reasonable to expect that 3DS 2.0 will improve on the prior version, Riskified sees cart abandonment rates of roughly 10-20% for 3DS 1.0. The SCA requirement of PSD2 may help safety and security, but it will almost certainly hurt revenue for EU merchants.

2. PSD2 applies only to EU-to-EU transactions

While PSD2 directs that “best efforts” be applied for transactions where one party is in the EU and one party outside, the regulation will only be strictly enforced when both the issuer and the acquirer are based in the European Union. There are many EU-to-EU transactions, but today’s global economy means that a significant number of transactions – even for many EU merchants and shoppers – will not need to comply with PSD2. EU merchants selling to non-EU customers, for example, won’t have to comply. And all merchants based outside of the EU can sell to anyone without PSD2 concerns.

3. Some EU-to-EU transactions are exempt from SCA

SCA will not be required in all EU-to-EU payments. Certain transactions will be eligible for TRA instead of SCA. This exemption is restrictive and based on order value and fraud rates, but it’s extremely important, and merchants should request the TRA exemption whenever possible. Riskified’s TRA solution is frictionless, so when a legitimate customer selects “buy,” that purchase is completed without the possibility of cart abandonment. We expect merchants to push their acquirers to review as many transactions as possible via TRA, and we’ve built a solution to help them do just that.


The PSD2 timeline for implementation is still a little ways off (September 2019), but EU merchants would be wise to begin thinking about it. As you’ve heard us say many times before – the best approach will prioritize the customer experience and avoid adding friction.

That means pursuing TRA whenever possible to avoid high-friction verification. Transaction Risk Analysis will continue to have a role in the post-PSD2 world, and Riskified’s solution will help merchants maximize the number of orders reviewed by TRA, while optimizing on the fly to keep that rate as high as possible.

We expect PSD2’s implementation to be tumultuous, but no matter how it shakes out, Riskified will continue to provide EU merchants with solutions that drive online revenue and maximize approvals.

To learn more about our solution for maximizing TRA under PSD2, contact us.