Strong Customer Authentication (SCA), PSD2 and PCI DSS are three distinct things that overlap in European online payments: SCA is a requirement introduced by the PSD2 directive, while PCI DSS is a card-industry standard rather than a law. Confusing them leads to compliance gaps: a merchant that implements only the SCA required by PSD2 may believe it is covered while ignoring the PCI DSS requirements on card data protection. This article clarifies the differences, the overlaps and how 3DS2 fits into the picture.
SCA, PSD2 and PCI DSS: three regulations, one objective
PSD2 (Payment Services Directive 2) is a European directive, transposed into the national law of each EEA state, that requires payment service providers to apply SCA to remote electronic payment transactions. SCA requires at least two of three independent factors: knowledge (something only the cardholder knows, such as a PIN or password), possession (something only the cardholder has, such as a smartphone or a physical token) and inherence (something the cardholder is, such as a fingerprint or facial recognition). The technical rules, including the exemptions, are set out in the RTS on SCA (Commission Delegated Regulation (EU) 2018/389). Its purpose is to reduce fraud in online payments.
PCI DSS (Payment Card Industry Data Security Standard), on the other hand, is a contractual industry standard maintained by the PCI Security Standards Council (PCI SSC) that governs the protection of card data throughout the entire transaction lifecycle: collection, transmission, processing and storage. It does not deal with cardholder authentication, but with how card data is handled by the merchant's, processor's and acquirer's systems. The two frameworks have complementary objectives but do not replace each other: complying with SCA does not make a merchant PCI DSS compliant, and vice versa.
3DS2 and PCI DSS: how they integrate technically
3DS2 (EMV 3-D Secure, version 2) is the protocol through which SCA is implemented for card-not-present payments. During the 3DS2 flow, the merchant's 3DS Server sends additional transaction and device data (IP address, browser or device fingerprint, the cardholder's history with the merchant) through the scheme's Directory Server to the issuer's ACS (Access Control Server), which performs a risk assessment. If the risk is low, the transaction is authenticated without cardholder interaction (frictionless flow); otherwise the cardholder is asked for a second factor (challenge flow).
From a PCI DSS perspective, 3DS2 does nothing by itself to reduce the merchant's scope: it authenticates the cardholder but says nothing about where the PAN is captured, transmitted or stored, so every system that handles the PAN remains in scope and must be protected according to the standard's requirements. Scope is reduced by keeping the PAN out of the merchant's systems altogether. Combining 3DS2 with PCI Proxy EU tokenization achieves both: the PAN is captured by the proxy and replaced with a token, so it never transits through the merchant's systems, and the token can be reused for recurring charges without a new SCA, because merchant-initiated transactions on a credential that was set up with SCA do not require the cardholder to authenticate again.
SCA exemptions and impact on the PCI perimeter
PSD2 and its RTS provide several SCA exemptions. They are applied by the PSPs (issuer and acquirer), not by the merchant directly: the merchant can ask its acquirer to flag an exemption in the authorisation or 3DS2 request, and the issuer decides whether to honour it or to step up to a challenge. The main ones are: low-value remote transactions (up to €30, subject to a cumulative limit of €100 or five consecutive transactions since the last SCA), transaction risk analysis (TRA, up to €100, €250 or €500 depending on the PSP's fraud rate), recurring transactions of the same amount to the same payee (SCA applies to the first one only) and trusted beneficiaries (merchants the cardholder has whitelisted with their issuer). Merchant-initiated transactions are strictly speaking not an exemption but fall outside the scope of SCA, since the payer is not involved when the charge is made. Which exemptions to use must be agreed with the PSP (Payment Service Provider) and the acquirer.
The treatment of merchant-initiated transactions has a direct impact on PCI perimeter management in recurring payments. When the merchant initiates a charge on a token the cardholder previously authorised with SCA, no new SCA is required, but the token must still be valid and the initial authentication must have covered the cardholder's consent to future charges (the mandate). PCI Proxy EU supports this flow natively, enabling management of subscriptions and plans in compliance with both SCA and PCI DSS.
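The decision logic described in the two paragraphs above (which exemption a charge qualifies for, and when a merchant-initiated charge on a stored token may skip SCA) as an added example. This is illustrative code written for this article, not PCI Proxy EU's or any PSP's implementation: the €30/€100/five-transaction limits and the TRA threshold table come from Articles 16 and 18 of the RTS on SCA, while the `StoredCredential` and `Charge` shapes and the `classify` and `fraud_liability` functions are assumptions made for the example. The liability rule follows the card schemes' general position that an exemption requested through the acquirer leaves fraud liability with the merchant.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

# Thresholds from the RTS on SCA (Commission Delegated Regulation (EU) 2018/389):
# Article 16, low-value remote transactions, and Article 18, transaction risk analysis.
LOW_VALUE_MAX = Decimal("30")
LOW_VALUE_CUMULATIVE_MAX = Decimal("100")   # cumulative amount of previous transactions since the last SCA
LOW_VALUE_MAX_CONSECUTIVE = 5               # number of previous transactions since the last SCA
# (exemption threshold value, maximum reference fraud rate of the PSP in percent), strictest first
TRA_THRESHOLDS = (
    (Decimal("500"), Decimal("0.01")),
    (Decimal("250"), Decimal("0.06")),
    (Decimal("100"), Decimal("0.13")),
)


@dataclass
class StoredCredential:
    """Hypothetical shape of the token a tokenization proxy returns after the first, SCA-authenticated payment."""
    token: str
    active: bool
    initial_sca_done: bool            # the credential-on-file setup went through 3DS2 (frictionless or challenge)
    consent_for_future_charges: bool  # the cardholder agreed to later merchant-initiated charges


@dataclass
class Charge:
    amount: Decimal
    merchant_initiated: bool = False
    sets_up_credential: bool = False  # first payment of a subscription: the mandate itself needs SCA
    credential: Optional[StoredCredential] = None
    # Running state the PSP keeps per card for the low-value exemption counters (assumed to be supplied).
    amount_since_last_sca: Decimal = Decimal("0")
    count_since_last_sca: int = 0


def classify(charge: Charge, psp_fraud_rate_pct: Decimal) -> str:
    """Decide how the charge can be processed:
    MIT_OUT_OF_SCOPE, LOW_VALUE, TRA or SCA_REQUIRED (send to 3DS2 for authentication)."""
    if charge.merchant_initiated:
        c = charge.credential
        if c is not None and c.active and c.initial_sca_done and c.consent_for_future_charges:
            return "MIT_OUT_OF_SCOPE"
        # No valid mandate: the charge must be re-run as a cardholder-initiated payment with SCA.
        return "SCA_REQUIRED"

    if charge.sets_up_credential:
        return "SCA_REQUIRED"

    if charge.amount <= LOW_VALUE_MAX and (
        charge.amount_since_last_sca <= LOW_VALUE_CUMULATIVE_MAX
        or charge.count_since_last_sca <= LOW_VALUE_MAX_CONSECUTIVE
    ):
        return "LOW_VALUE"

    for threshold, max_rate in TRA_THRESHOLDS:
        if charge.amount <= threshold and psp_fraud_rate_pct <= max_rate:
            return "TRA"

    return "SCA_REQUIRED"


def fraud_liability(outcome: str, exemption_applied_by: str = "acquirer") -> str:
    """Who carries fraud chargeback liability under the schemes' 3DS liability-shift rules."""
    if outcome == "SCA_REQUIRED":
        return "issuer"      # after a successful 3DS2 authentication
    if outcome == "MIT_OUT_OF_SCOPE":
        return "merchant"    # the recurring charge itself is not authenticated
    # LOW_VALUE / TRA: liability follows whoever applied the exemption
    return "issuer" if exemption_applied_by == "issuer" else "merchant"


if __name__ == "__main__":
    mandate = StoredCredential("tok_7f3a", active=True, initial_sca_done=True, consent_for_future_charges=True)
    for label, charge, rate in (
        ("first subscription payment", Charge(Decimal("9.99"), sets_up_credential=True), Decimal("0.05")),
        ("monthly renewal on the token", Charge(Decimal("9.99"), merchant_initiated=True, credential=mandate), Decimal("0.05")),
        ("basket of 80 EUR, PSP fraud rate 0.05%", Charge(Decimal("80")), Decimal("0.05")),
        ("basket of 300 EUR, PSP fraud rate 0.05%", Charge(Decimal("300")), Decimal("0.05")),
    ):
        outcome = classify(charge, rate)
        print(f"{label}: {outcome}, fraud liability -> {fraud_liability(outcome)}")
```

Two things the code makes visible that the prose only implies: the renewal on a revoked or consent-less token falls back to SCA rather than silently going through, and a basket of €300 at a 0.05% fraud rate is not eligible for TRA because that rate only unlocks the €250 band.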
Frequently asked questions
If I implement 3DS2 am I PCI DSS compliant?
No. 3DS2 answers the SCA requirement of PSD2, not the requirements of PCI DSS. They are two separate frameworks. PCI DSS requires protection of cardholder data (the PAN, which may be stored only if rendered unreadable and may be displayed only in masked form) and forbids storing sensitive authentication data (CVV/CVC, full magnetic stripe or chip track data, PIN) after authorisation at all, regardless of which authentication protocol is used. A merchant can implement 3DS2 correctly and at the same time have serious PCI gaps, for example by storing PANs in cleartext in a database or letting them leak into application logs.
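The kind of check a practitioner runs to find the gap just described, as an added example that is not part of the original article: a scanner that looks for cleartext PANs in a log file or database dump, confirms candidates with the Luhn check so that order numbers and timestamps are not reported, and masks hits to the first six and last four digits, which is the most PCI DSS allows to be displayed. The sample log is constructed for this example and uses the well-known 4111111111111111 and 5555555555554444 test card numbers; the function names and the log format are assumptions.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not glued to a longer digit run (the lookarounds stop partial matches).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit validation; every scheme PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """PCI DSS requirement 3.4: when a PAN is displayed, at most the first six and last four digits may show."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _digits_of(match_text: str) -> str:
    return re.sub(r"[ -]", "", match_text)


def find_pans(text: str) -> list:
    """Return (raw_match, masked_pan) for every Luhn-valid candidate found in text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _digits_of(m.group(0))
        if luhn_valid(digits):
            hits.append((m.group(0), mask_pan(digits)))
    return hits


def redact(text: str) -> str:
    """Replace every Luhn-valid candidate with its masked form; other digit runs are left untouched."""
    def repl(m):
        digits = _digits_of(m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(repl, text)


# Constructed sample: an application log as a careless integration might write it.
# The order id on the first line is 16 digits long but is not a card number and fails Luhn.
SAMPLE_LOG = """\
2024-05-01 12:33:01 INFO  order=1234567890123456 status=authorised amount=29.90
2024-05-01 12:33:02 ERROR 3ds challenge failed for card 4111111111111111 amount=250.00
2024-05-01 12:33:03 DEBUG raw request: {"pan":"5555 5555 5555 4444","exp":"12/27"}
"""

if __name__ == "__main__":
    for raw, masked in find_pans(SAMPLE_LOG):
        print(f"cleartext PAN found: {raw!r} -> may only be shown as {masked}")
    print(redact(SAMPLE_LOG))
```

Run against real log directories or database exports, the same two functions give an honest picture of PCI scope: any host where `find_pans` returns hits is handling cardholder data, whatever the 3DS2 integration looks like. Masking on output is a display control only; the fix for the gap is to stop the PAN reaching the log in the first place.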
Do SCA exemptions increase fraud risk?
SCA exemptions are designed to reduce friction on low-risk transactions, not to lower overall security. What changes is who carries the fraud liability: under the card schemes' rules, a transaction authenticated via 3DS2, or one on which the issuer itself applies an exemption, shifts chargeback liability for fraud to the issuer, whereas an exemption requested by the merchant through its acquirer (low value, acquirer TRA) leaves that liability with the merchant. For the merchant, the main risk is therefore applying exemptions to high-risk transactions: fraud rates must be monitored (a PSP whose fraud rate exceeds the TRA reference rate loses the right to that exemption) and the exemption strategy calibrated with the PSP.
Is PCI Proxy EU compatible with the 3DS2 flow?
PCI Proxy EU supports the 3DS2 flow in both frictionless and challenge mode. The token generated at the time of the first transaction includes the information needed for subsequent merchant-initiated charges without requiring new SCA. The service is compatible with the main European processors supporting 3DS2 and with issuer APIs managing the ACS.
Want to manage SCA and PCI DSS with a single integration? Discover how PCI Proxy EU supports the 3DS2 flow and tokenization. Discover PCI Proxy EU.