The European PSD2 directive

Your e-commerce secured

We can help you

You can also phone us on +34 910 205 685

What is PSD2?

Find out all the details about the new European regulations

PSD2 is a European regulation for the payment environment that came into force in 2019 and includes a number of policy areas. These include the implementation of SCA (Strong Costumer Authentication) to ensure a higher level of payment security. PSD2 requires customers to make use of two or more security elements when making a payment: information the customer knows (PIN or password); something they possess (their mobile phone or token); or a biometric element (their fingerprint or facial recognition). Another one of the new PSD2 features is the new fields that the POS is forced to send, for example, certain parameters of the customer’s browser.

No hassle

We support you in the process of adapting your virtual POS

Your business must adhere to PSD2 and its specifications, unless you qualify for one of the exceptions or exclusions detailed on this page. To do so, Banco Sabadell provides you with a simple action plan, which changes depending on your current operations and whether you qualify for any of the cases covered by PSD2. This way, your business will comply with this regulation and your operations won’t be rejected.

A customised protocol

We prepare your business for the new payment environment

The PSD2 regulation also requires including new fields for submission, e.g. certain parameters of the buyer’s browser, even in the case of an exception.

Banco Sabadell uses the EMVco protocol, which is the standard for e-commerce payments authenticated in accordance with the 3D-Secure protocol, and which has issued new specifications adapted to the PSD2/SCA requirements. EMVco is also used by the principal card brands (Verified by Visa, Mastercard Secure Code, etc.), which guarantees that it operates correctly.

How PSD2 affects your e-commerce depends on whether you are currently
operating in secure or non-secure shopping

Do you have a commercial business that already processes everything with secure shopping?

Don’t worry about anything

You don’t have to do anything or programme any code to be PSD2/SCA compliant. With your current POS, you can now incorporate two-step authentication for payments made directly, without any additional paperwork or management. Your customers will pay with at least two security features.

Your virtual POS, updated

In addition, for your peace of mind and comfort, Banco Sabadell has already adapted our virtual POS so it can directly obtain the required customer information and autocomplete the new mandatory fields.

Do you have a business that currently processes non-secure purchases? We explain step by step
how to adapt to PSD2 by calling +34 910 205 685.

Check if your virtual POS qualifies for any of the PSD2 exclusions or exemptions

The transactions excluded from applying SCA authentication are:

Payments made with cards issued outside the European Economic Area. The United Kingdom has embraced the SCA regulations and adopted them as its own. The United Kingdom is considered an SCA country.
Payments made by phone, post or email.
Payments made by anonymous pre-paid cards.
MIT (Merchant Initiated Transactions). In transactions initiated only by the merchant (the payer is “absent” at the time of payment) provided there is a pre-existing agreement between the merchant and the buyer. In MITs, however, an SCA authentication is required in the first payment or first purchase.
MITs are considered to be repetitive payments initiated by the merchant in “batch” processes when the amount is variable. This is also true of digital subscriptions without a fixed amount (e.g., providing a card to be charged for SEM campaigns) or extra charges on a car rental, etc.

These excluded transactions are sent by the merchant as non-secure purchases (technically No-3DS). In these, the payment issuing entity can only accept them or reject them, but never require authentication from your customer.

Exceptions to the application of SCA authentication:

As opposed to excluded transactions, with the exceptions, the merchant can only send transaction operations on a secure purchasing channel (3DS). The payment issuing entity will be the one which accepts or rejects them, or requires a customer authentication prior to response. These are the exceptions:

Payments of ≤ €30. The issuing entity will only accept payments from your customers without authentication if, since the last time they were authenticated, the cumulative exempt amount of your customer in previous purchases is ≤ €100 or the number of exempt transactions is ≤ 5.
Recurring payments, that is, regular transactions of the same amount, payment system, periodicity and payee. In this exception, authentication is required for the first transaction. For recurrent transactions initiated prior to September, the regulatory body has permitted the non-application of authentication in the first subscription payment.
TRA exemption (Transaction Risk Analysis). For transactions which clearly have a low risk of fraud, these can be sent under the TRA exemption, provided the overall fraud ratio of the payment entity (i.e., the bank or platform owning the Virtual POS) processing the merchant’s payment is approved and certified by the regulatory body.

The amounts that transactions applicable under this exception must be within the payment entity’s overall fraud ratio:
- Transactions < €500 if the ratio is < 0.01%.
- Transactions < €250 if the ratio is < 0.06%.
- Transactions < €100 if the ratio is < 0.13%.
Payee whitelist. This exception is the only one that merchants cannot request. It only affects issuing entities of payment systems that have enabled protocols in which their customers have informed them of their “trusted merchants” and they have authorised them not to apply authentication when they shop there.

Whether your e-commerce qualifies for any exclusions or exemptions:

Please send an email to tpvvirtual@bancsabadell.com giving your:

Name.
Your company tax ID no.
Company name.
Merchant Number (FUC).

You must inform us of the exclusions and/or exceptions that you consider apply to your virtual business:

“Exclusions”:

Cards issued outside the European area.
Payments made by phone, post or email.
Payments made by anonymous Pre-Paid Cards.
MIT (Merchant Initiated Transactions).

“Exceptions”:

Transactions ≤ €30.
Recurring payments.
TRA exemption.

Remember to include your reasons and, if possible, documentation that supports your request. A specialised department at Banco Sabadell will analyse your request, and if it agrees, it will send you the Virtual POS technical manual with instructions for you to implement the protocol for sending transactions excluded from SCA, or those for which non-authentication is requested because they are an exception to the rule.

What to do if my e-commerce does not qualify for any exclusion or exception?

If you believe that your business does not qualify for any exclusions or exceptions, as of 31 December 2020 only secure purchase terminals set up in your Virtual POS can be used, which means you will no longer be able to operate as a secure merchant.

To abide by the regulations, you will need to contact the Banco Sabadell Technical Support service so that they can validate that the implementation of your POS terminal is the right one for sending secure purchase transactions.

Write to us at tpvvirtual@bancsabadell.com or phone us at 910 205 685.

Do you have any questions?
We're here to help you

Branches and ATMs

Find a branch or request an appointment

Premium service

Exclusive telephone service for customers, attended by business specialists.
962 000 610 from Monday to Thursday from 8 a.m. to 5 p.m. and Friday from 8 a.m. to 3 p.m.

Customer Service Dept

Helpdesk on X

Customer Service Department @Sabadell_Help