Payment Services Directive 2 (PSD2) is a European (EU) directive designed to produce safer and more innovative payment services. PSD2 triggers a “challenge” when a card has yet to be validated by the Secure Card Authentication process, or if the bank senses a suspicious purchase, based on card volume and cost of goods.
Note: Because this is strictly an EU and UK directive, it does not impact anyone outside of the European region and the United Kingdom. However, the entire portal must be set up so that PSD2 requirements are met, even for non-EU and non-UK buyers.
When a transaction is made using an international card online, the issuing bank that owns the credit card can “challenge” the transaction by asking the cardholder to perform two-factor authentication (2FA) to prove they are the person making the purchase. Below are two videos to show a successful challenge and a failed challenge.
Video 1: Success (password: 8455)
Video 2: Fail (password: 8455)
After the first successful challenge, transactions on that card typically won’t be challenged again, because the bank knows programmatically that the card has already been verified. While a successful challenge should reduce challenge requests, it’s 100% at the discretion of the bank to issue those requests.
When the challenge is delivered, the cardholder receives a security code by text message to enter for verification.
The bank uses the phone number associated with the card account to text the security code. If a challenge request is issued, only the cardholder can verify the transaction.
The cardholder enters the security code into the request form. If the security code matches, the transaction will proceed. If the security code doesn't match, the user can ask for another code or submit the order for processing later.
Oftentimes, a brand will attempt to buy on behalf of the buyer or the cardholder. With international transactions, buying-on-behalf is not allowed for first-time card use, and the possibility of a challenge request should discourage the brand from buying on behalf whenever possible. To avoid buying-on-behalf and challenge requests, a brand may send a draft order to the buyer.
If you run into a challenge request while attempting to buy-on-behalf, the transaction will be declined. You can’t call or otherwise reach out to the cardholder to get security information, as doing so falls out of compliance. However, you can submit the order for later processing and request that the buyer complete the transaction.