PSD2 & Strong Customer Authentication for High-Risk Merchants

Introduction: Why PSD2 Hits High-Risk Merchants Harder Than Anyone Else

When the European Commission introduced the Payment Services Directive 2 (PSD2) and its cornerstone security requirement, Strong Customer Authentication (SCA), the intent was straightforward: reduce online payment fraud, protect consumers, and create a more secure digital payments ecosystem across Europe.

For mainstream e-commerce businesses, SCA added a layer of checkout friction. For high-risk merchants in the EU, the stakes are significantly higher.

High-risk payment processing already operates under tighter scrutiny than standard e-commerce. Chargeback ratios, fraud rates, and transaction patterns in verticals like iGaming, adult content, nutraceuticals, forex, and subscription services are monitored more closely by acquiring banks and card networks. When SCA requirements apply, and particularly when they are implemented incorrectly, the consequences ripple through approval rates, chargeback liability, and ultimately account stability.

Understanding PSD2 and SCA is not a compliance checkbox for a high-risk merchant account operating in the EU. It is a commercial imperative. This guide explains exactly what PSD2 requires, how SCA works in practice via 3D Secure 2 (3DS2), which exemptions matter most for high-risk verticals, and what the upcoming PSD3 transition means for merchants operating across the EU in 2026.

What Is PSD2? The Regulatory Foundation

PSD2, the Revised Payment Services Directive, is the EU’s foundational payments regulation, which came into force in January 2018 and began full SCA enforcement by late 2021. It governs how payment services operate across the European Economic Area (EEA), covering everything from the roles of payment service providers (PSPs) and acquiring banks to open banking access and, most directly relevant here, transaction security.

PSD2 operates through two primary mechanisms relevant to high-risk merchants:

  • Strong Customer Authentication (SCA): a mandatory multi-factor verification requirement for most customer-initiated electronic payments within the EEA
  • Dynamic Linking: a requirement that authentication codes are tied specifically to the transaction amount and payee, preventing fraudsters from hijacking authentication tokens for different transactions

For the high-risk merchant provider and acquirer ecosystem, PSD2 also introduced expanded liability frameworks, meaning who bears financial responsibility when a fraudulent transaction occurs is directly tied to whether SCA was correctly applied or a legitimate exemption was claimed.

In 2026, PSD2 remains in full enforcement across the EU. The European Commission’s proposed replacement, PSD3 alongside Payment Services Regulation 1 (PSR1), is progressing through the legislative process, with full implementation expected around 2026 to 2027. PSD3 will not eliminate SCA; it will strengthen and clarify it further.

What Is Strong Customer Authentication?

Strong Customer Authentication is PSD2’s mechanism for verifying that the person initiating a payment is the legitimate account holder. SCA requires authentication using at least two of three independent factors:

  • Knowledge: something the customer knows (a password, PIN, or passphrase)
  • Possession: something the customer has (a mobile device, hardware token, or smart card)
  • Inherence: something the customer is (biometric data: fingerprint, facial recognition, voice recognition)

The two factors used must be independent, meaning a breach of one factor does not compromise the other. For online card payments, this most commonly manifests as a one-time passcode sent to the customer’s registered mobile number (possession factor) combined with a PIN or password (knowledge factor).

SCA applies to all customer-initiated electronic payments where both the payer’s and payee’s PSPs are located within the EEA or UK. For high-risk merchants in the EU processing card-not-present transactions, which is the overwhelming majority of transactions in iGaming, adult, forex, and digital subscription businesses, SCA is the default requirement unless a valid exemption is applied.

3D Secure 2 (3DS2): The Technical Bridge Between SCA and Your Checkout

The practical mechanism through which high-risk payment processors and payment gateways deliver SCA compliance is 3D Secure 2 (3DS2), the EMVCo standard that replaced the older, more friction-heavy 3DS1 protocol.

3DS2 represents a fundamental improvement over its predecessor for high-risk merchants specifically, because it allows processors to transmit up to 150 data elements about each transaction to the issuing bank in real time. This rich data (device fingerprint, IP address, transaction history, shipping and billing address match, velocity signals) allows the issuing bank to assess risk and make a decision:

  • Frictionless flow: the issuer approves the transaction silently in the background, with no disruption to the customer’s checkout experience
  • Challenge flow: the issuer requires the customer to actively verify their identity (OTP, biometric, or bank app authentication)

For a high-risk merchant account, the goal is to maximise frictionless flows for genuine customers while ensuring challenge flows only activate where the issuer genuinely requires them. A payment gateway that implements 3DS2 poorly, sending insufficient data, not handling soft decline codes correctly, or failing to trigger the right authentication flow, will see unnecessary checkout abandonment and failed payments.

The dynamic linking requirement under PSD2 is built into properly implemented 3DS2: authentication codes are transaction-specific and cannot be reused or redirected to a different payee or amount, directly addressing the man-in-the-middle fraud vectors that PSD2 was designed to prevent.
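To make the dynamic linking property concrete, here is an added example (constructed for this page, not code from any 3DS2 vendor or from the EBA RTS) of an issuer-side authenticator that binds an 8-digit code to the exact amount and payee shown to the payer with an HMAC over a single-use nonce. The key, the 8-digit truncation, the `MAX_FAILED_ATTEMPTS` constant and the field encoding are all assumptions chosen for illustration; the point demonstrated is that a code obtained for one amount and payee verifies for nothing else and cannot be replayed.

```python
"""Illustrative dynamic-linking authenticator (added example; assumed design, not the page's)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MAX_FAILED_ATTEMPTS = 3  # assumption: revoke a code after this many wrong verifications


@dataclass(frozen=True)
class Transaction:
    amount_minor: int   # amount in minor units (e.g. cents)
    currency: str
    payee: str          # merchant identifier displayed to the payer


def _canonical(tx: Transaction, nonce: bytes) -> bytes:
    # Length-prefixed encoding so that no two (amount, currency, payee) triples
    # produce the same bytes (e.g. amount "1" + payee "2x" vs amount "12" + payee "x").
    parts = [nonce, str(tx.amount_minor).encode(), tx.currency.encode(), tx.payee.encode()]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


class DynamicLinkingAuthenticator:
    """Models the issuer-side component: it shows the payer the amount and payee,
    issues a code bound to exactly those values, and later verifies the code
    against the details that actually arrive in the authorisation request."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key or secrets.token_bytes(32)   # per-issuer secret (assumed)
        self._failures: Dict[bytes, int] = {}        # live nonces -> failed attempts so far
        self._used: set = set()                      # nonces already consumed by a success

    def _code_for(self, tx: Transaction, nonce: bytes) -> str:
        mac = hmac.new(self._key, _canonical(tx, nonce), hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"   # 8-digit code shown to the payer

    def issue_code(self, shown: Transaction) -> Tuple[bytes, str]:
        nonce = secrets.token_bytes(16)          # fresh per authentication: makes the code single-use
        self._failures[nonce] = 0
        return nonce, self._code_for(shown, nonce)

    def verify(self, nonce: bytes, code: str, authorised: Transaction) -> bool:
        """True only if the code was issued for this nonce over exactly these transaction details."""
        if nonce in self._used or nonce not in self._failures:
            return False
        if hmac.compare_digest(self._code_for(authorised, nonce), code):
            self._used.add(nonce)
            del self._failures[nonce]
            return True
        self._failures[nonce] += 1
        if self._failures[nonce] >= MAX_FAILED_ATTEMPTS:
            del self._failures[nonce]             # revoke: the payer must authenticate again
        return False


def demo() -> Dict[str, bool]:
    """The payer authenticates 49.99 EUR to merchant-A; the code is useless for any
    other amount or payee, and cannot be replayed after the genuine use."""
    auth = DynamicLinkingAuthenticator()
    shown = Transaction(4999, "EUR", "merchant-A")
    nonce, code = auth.issue_code(shown)
    return {
        "tampered_amount": auth.verify(nonce, code, Transaction(49999, "EUR", "merchant-A")),
        "tampered_payee": auth.verify(nonce, code, Transaction(4999, "EUR", "merchant-B")),
        "genuine": auth.verify(nonce, code, shown),
        "replay": auth.verify(nonce, code, shown),
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the verifier recomputes the code from the details in the authorisation request, not from what it stored at issue time; that is what turns a change of amount or payee anywhere in the path into a verification failure rather than a silent success.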

SCA Exemptions: The Strategic Layer Every High-Risk Merchant Must Understand

Not every EU transaction requires a full SCA challenge. PSD2 defines a set of exemptions that, when correctly applied by the acquirer or PSP, allow transactions to be processed with reduced or no authentication friction. For high-risk merchants, especially those with subscription billing, high transaction volumes, or returning customers, understanding these exemptions is critical to maintaining conversion rates.

Low-Value Transaction Exemption

Transactions below €30 may qualify for an SCA exemption. However, cumulative limits apply: if a single payer completes five consecutive low-value exempt transactions, or if their cumulative total exceeds €100, SCA is automatically required on the next transaction. For high-risk payment businesses with frequent small transactions, microtransactions in gaming, for example, tracking these cumulative thresholds is an operational necessity.

Transaction Risk Analysis (TRA) Exemption

The TRA exemption allows acquirers and PSPs to request SCA-free processing for transactions that their risk models classify as low risk. Eligibility thresholds are tied to the PSP’s overall fraud rate:

  • Transactions up to €100 – exempt if the acquirer’s fraud rate is below 0.13%
  • Transactions up to €250 – exempt if the acquirer’s fraud rate is below 0.06%
  • Transactions up to €500 – exempt if the acquirer’s fraud rate is below 0.01%

For high-risk merchant providers, maintaining fraud rates within these thresholds is challenging, which is exactly why the TRA exemption is less frequently available to merchants in high-risk verticals than to standard e-commerce. This reinforces why specialist high-risk payment processors with robust fraud prevention infrastructure matter: their platform-level fraud rate directly affects which TRA thresholds their merchants can access.

When an acquirer applies a TRA exemption and the issuing bank declines it, returning a soft decline code indicating SCA is required, the payment gateway must be capable of detecting that response and immediately re-initiating the transaction with a full 3DS2 challenge flow. PSPs and merchants that cannot handle soft declines correctly lose those transactions entirely.
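The low-value counters, the TRA tier table and the soft-decline retry described in the preceding three subsections fit together as one routing decision, so here is an added example (constructed for this page, not the code of any processor or gateway) that implements all three. The thresholds are the ones stated in the text; the `PayerCounters` semantics (count and cumulative amount since the payer's last SCA), the `SOFT_DECLINE` label standing in for the network-specific "SCA required" response, and the simulated issuer are assumptions.

```python
"""Exemption routing with soft-decline retry (added example; constructed, not the page's)."""
from dataclasses import dataclass
from decimal import Decimal
from enum import Enum
from typing import Callable, List, Tuple


class Route(Enum):
    EXEMPT_LOW_VALUE = "low_value_exemption"
    EXEMPT_TRA = "tra_exemption"
    CHALLENGE = "3ds2_challenge"


APPROVED = "approved"
SOFT_DECLINE = "soft_decline_sca_required"   # constructed label for the issuer's "step up to SCA" response

# Thresholds from the text: the low-value exemption and the three TRA tiers (amount cap, fraud-rate cap).
LOW_VALUE_MAX = Decimal("30")
LOW_VALUE_MAX_COUNT = 5
LOW_VALUE_MAX_CUMULATIVE = Decimal("100")
TRA_TIERS = [
    (Decimal("100"), Decimal("0.0013")),   # up to EUR 100 if the acquirer's fraud rate is below 0.13 %
    (Decimal("250"), Decimal("0.0006")),   # up to EUR 250 if below 0.06 %
    (Decimal("500"), Decimal("0.0001")),   # up to EUR 500 if below 0.01 %
]


@dataclass
class PayerCounters:
    """Low-value exemptions granted to one payer since their last SCA
    (assumed to be tracked by the PSP applying the exemption)."""
    exempt_count: int = 0
    exempt_total: Decimal = Decimal("0")

    def reset(self) -> None:
        self.exempt_count = 0
        self.exempt_total = Decimal("0")


def tra_limit(acquirer_fraud_rate: Decimal) -> Decimal:
    """Highest TRA amount cap the acquirer's fraud rate qualifies for; 0 if none."""
    limit = Decimal("0")
    for cap, max_rate in TRA_TIERS:        # tiers are nested: a lower rate unlocks a higher cap
        if acquirer_fraud_rate < max_rate:
            limit = cap
    return limit


def choose_route(amount: Decimal, counters: PayerCounters, acquirer_fraud_rate: Decimal) -> Route:
    """Pick the least-friction route the rules allow; otherwise a full challenge."""
    low_value_ok = (
        amount <= LOW_VALUE_MAX
        and counters.exempt_count < LOW_VALUE_MAX_COUNT
        and counters.exempt_total + amount <= LOW_VALUE_MAX_CUMULATIVE
    )
    if low_value_ok:
        return Route.EXEMPT_LOW_VALUE
    if amount <= tra_limit(acquirer_fraud_rate):
        return Route.EXEMPT_TRA
    return Route.CHALLENGE


Issuer = Callable[[Route, Decimal], str]


def process_payment(amount: Decimal, counters: PayerCounters,
                    acquirer_fraud_rate: Decimal, issuer: Issuer) -> List[Tuple[Route, str]]:
    """Request the chosen route; if the issuer soft-declines an exemption, retry once
    with a full challenge instead of losing the payment. Returns the attempt log."""
    attempts: List[Tuple[Route, str]] = []
    route = choose_route(amount, counters, acquirer_fraud_rate)
    result = issuer(route, amount)
    attempts.append((route, result))
    if result == SOFT_DECLINE and route is not Route.CHALLENGE:
        route = Route.CHALLENGE
        result = issuer(route, amount)
        attempts.append((route, result))
    if result == APPROVED:
        if route is Route.CHALLENGE:
            counters.reset()                     # SCA performed: cumulative counters start over
        elif route is Route.EXEMPT_LOW_VALUE:
            counters.exempt_count += 1
            counters.exempt_total += amount
    return attempts


def demo() -> List[List[Tuple[Route, str]]]:
    """Constructed issuer: honours low-value exemptions but soft-declines every TRA request."""
    def issuer(route: Route, amount: Decimal) -> str:
        return SOFT_DECLINE if route is Route.EXEMPT_TRA else APPROVED

    counters = PayerCounters()
    fraud_rate = Decimal("0.0005")               # 0.05 %: qualifies for the EUR 250 tier, not the EUR 500 one
    amounts = ["25", "25", "25", "25", "25", "25", "180", "300"]
    return [process_payment(Decimal(a), counters, fraud_rate, issuer) for a in amounts]


if __name__ == "__main__":
    for attempt in demo():
        print(attempt)
```

Running the demo shows the fifth 25 EUR payment pushing the cumulative total past 100 EUR, falling through to a TRA request, being soft-declined and then approved after the challenge, which resets the counters so the sixth payment is low-value exempt again; the 300 EUR payment exceeds the acquirer's TRA cap and goes straight to a challenge.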

Recurring Transaction Exemption (Merchant-Initiated Transactions)

For high-risk merchant accounts operating subscription or recurring billing models, nutraceuticals, adult content platforms, SaaS, iGaming subscriptions, the recurring transaction exemption is the most commercially significant.

SCA is required for the customer’s first payment in a recurring series. Subsequent transactions, provided they are for the same amount, to the same merchant, and correctly flagged as merchant-initiated transactions (MITs), are generally exempt from SCA. This exemption is broadly supported by European issuing banks and is critical to the economic viability of subscription businesses in the EU.

The key operational requirement: the initial SCA-authenticated transaction must be correctly flagged and the MIT reference must be maintained in subsequent payment requests. Incorrect flagging causes issuer rejections on recurring charges, a particularly damaging failure mode for subscription-based high-risk businesses that rely on predictable monthly revenue.
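As an added example of the flagging requirement just described (constructed for this page; the field names, the `NTX…` reference format and the issuer rules are assumptions, not any card scheme's actual message format), the following shows a merchant-side subscription object that keeps the reference from the SCA-authenticated first payment and stamps each renewal with it, alongside a simulated issuer that approves a merchant-initiated renewal only when that reference is present and the series details match.

```python
"""MIT flagging for a recurring series (added example; constructed request fields, not a real scheme API)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

CUSTOMER = "customer"
MERCHANT = "merchant"


@dataclass(frozen=True)
class AuthRequest:
    merchant_id: str
    amount_minor: int
    currency: str
    initiator: str                           # CUSTOMER (CIT) or MERCHANT (MIT)
    sca_performed: bool = False              # 3DS2 authentication completed for this request
    recurring: bool = False                  # part of a recurring series
    initial_reference: Optional[str] = None  # reference to the SCA-authenticated first payment


class IssuerSimulator:
    """Constructed issuer rules mirroring the text: a CIT must carry SCA; an MIT is exempt
    only when it references a known SCA-authenticated first payment with the same
    merchant, amount and currency."""

    def __init__(self) -> None:
        self._series: Dict[str, Tuple[str, int, str]] = {}
        self._next = 1

    def authorise(self, req: AuthRequest) -> Tuple[str, Optional[str]]:
        if req.initiator == CUSTOMER:
            if not req.sca_performed:
                return "declined_sca_required", None
            ref = f"NTX{self._next:06d}"      # constructed network transaction reference
            self._next += 1
            if req.recurring:
                self._series[ref] = (req.merchant_id, req.amount_minor, req.currency)
            return "approved", ref
        # merchant-initiated: no customer present, so the exemption rests on the flags
        if not req.recurring or req.initial_reference is None:
            return "declined_mit_unflagged", None
        expected = self._series.get(req.initial_reference)
        if expected is None:
            return "declined_unknown_reference", None
        if expected != (req.merchant_id, req.amount_minor, req.currency):
            return "declined_series_mismatch", None
        return "approved_mit_exempt", req.initial_reference


class Subscription:
    """Merchant side: keeps the reference from the first SCA-authenticated payment
    and stamps every renewal with it."""

    def __init__(self, merchant_id: str, amount_minor: int, currency: str) -> None:
        self.merchant_id = merchant_id
        self.amount_minor = amount_minor
        self.currency = currency
        self.initial_reference: Optional[str] = None

    def first_payment(self) -> AuthRequest:
        # Customer present at checkout: full SCA, flagged as the start of a series.
        return AuthRequest(self.merchant_id, self.amount_minor, self.currency,
                           initiator=CUSTOMER, sca_performed=True, recurring=True)

    def renewal(self, amount_minor: Optional[int] = None) -> AuthRequest:
        # Customer absent: MIT, no SCA, must reference the first payment.
        return AuthRequest(self.merchant_id, amount_minor or self.amount_minor, self.currency,
                           initiator=MERCHANT, sca_performed=False, recurring=True,
                           initial_reference=self.initial_reference)


def demo() -> Dict[str, str]:
    issuer = IssuerSimulator()
    sub = Subscription("merchant-A", 1999, "EUR")
    out: Dict[str, str] = {}
    status, ref = issuer.authorise(sub.first_payment())
    out["first_payment"] = status
    sub.initial_reference = ref                        # persist this with the subscription record
    out["renewal"] = issuer.authorise(sub.renewal())[0]
    out["renewal_changed_amount"] = issuer.authorise(sub.renewal(amount_minor=2499))[0]
    broken = Subscription("merchant-A", 1999, "EUR")   # reference never stored: the failure mode in the text
    out["renewal_without_reference"] = issuer.authorise(broken.renewal())[0]
    return out


if __name__ == "__main__":
    print(demo())
```

The two declines in the demo are the failure mode the text warns about: a renewal that changes the amount or arrives without the reference to the original authenticated payment is treated by the issuer as an unauthenticated transaction rather than an exempt continuation of the series.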

Trusted Beneficiary (Whitelisted Merchant) Exemption

Customers can whitelist specific merchants with their issuing bank, identifying them as trusted payees for whom SCA is not required on subsequent transactions. For high-risk merchants in the EU with strong brand recognition and high repeat purchase rates, returning players on an iGaming platform, loyal subscribers on a digital content site, this exemption represents a meaningful reduction in checkout friction over time.

Corporate Payment Exemption

Business-to-business payments made through secure corporate payment processes may be exempt from SCA. For high-risk payment providers serving B2B clients, forex platforms, financial services, bulk travel booking, this exemption reduces friction for corporate customers operating through dedicated payment channels.

The Chargeback Liability Shift: Why SCA is Non-Negotiable for High-Risk Merchants

Perhaps the most commercially critical consequence of SCA for high-risk merchant accounts is the liability shift that correct authentication triggers.

When a transaction is processed with a successfully completed 3DS2 authentication, liability for fraudulent chargebacks shifts from the merchant to the issuing bank. The merchant is protected; the bank that authenticated the customer bears the financial responsibility for the fraud loss.

When SCA is required but not applied, or applied incorrectly, the merchant retains full chargeback liability. For high-risk merchants in the EU where fraud and friendly fraud rates are elevated, this liability exposure is not abstract. It translates directly into chargeback losses, elevated dispute ratios, and the account health consequences that follow.

This liability shift mechanism makes 3DS2 implementation not just a compliance requirement but a financial protection strategy. The right high-risk merchant provider implements 3DS2 in a way that maximises frictionless authentication for genuine customers, minimises incorrectly challenged transactions, and always correctly handles the authentication retry flow when soft declines occur.

What PSD3 Means for High-Risk Merchants in 2026

The EU’s next regulatory evolution, PSD3 and the directly applicable Payment Services Regulation (PSR1), is moving through the legislative process in 2026, with full implementation expected in 2026 to 2027. Key developments that high-risk merchant accounts should track:

  • Clarified SCA exemption criteria: PSD3 aims to reduce inconsistency in how exemptions are applied across member states, which has created unequal friction for merchants selling across multiple EU markets
  • APP fraud liability rules: PSR1 introduces tighter requirements around authorised push payment scams, with liability shifting to the payer’s PSP where a fraudster impersonates the payment provider. This has compliance implications for high-risk payment processors operating in financial services or crypto verticals
  • Mandatory fraud data sharing: PSPs will be required to operate risk-sensitive transaction monitoring and participate in structured fraud intelligence sharing, raising the baseline compliance obligation for every high-risk merchant provider operating in the EU
  • SCA accessibility requirements: PSD3 will require that SCA methods are not reliant on a single device or mechanism, improving inclusivity but also introducing new technical requirements for payment gateway authentication flows
  • Full harmonisation of conduct rules: PSR1 replaces most of PSD2’s conduct obligations with a directly applicable regulation, eliminating the transposition variability that has created compliance inconsistencies between EU member states

For high-risk merchants in the EU, the direction of travel is clear: compliance requirements are tightening, liability frameworks are expanding, and the technical bar for payment gateway infrastructure is rising. Businesses that invest in proper SCA implementation now, with a specialist high-risk merchant provider who actively monitors regulatory developments, will be best positioned for the PSD3 transition.

Practical SCA Compliance Checklist for High-Risk Merchants

Before assessing whether your current payment gateway and high-risk merchant account provider are genuinely SCA-compliant, use this checklist:

  • Native 3DS2 integration: not a redirect to 3DS1 as a fallback; full 3DS2 with 150+ data element transmission
  • Soft decline handling: the gateway must detect soft decline codes and retry with a full challenge flow automatically
  • Correct MIT flagging: recurring and subscription transactions must be correctly classified and referenced to the original SCA-authenticated authorisation
  • TRA exemption eligibility: confirm your processor’s platform-level fraud rate and the TRA thresholds you can access
  • Dynamic linking compliance: authentication codes must be transaction-specific and correctly generated per EBA RTS
  • Exemption optimisation: your processor should actively manage exemption strategy to maximise frictionless flows without crossing fraud thresholds
  • Audit trail documentation: every SCA decision (applied, exempted, or out of scope) must be recorded for regulatory audit purposes
  • PSD3 readiness monitoring: your high-risk merchant provider should be actively tracking PSD3 and PSR1 developments and communicating implications to your account

Final Thoughts: SCA is Both a Compliance Obligation and a Commercial Advantage

For high-risk merchants in the EU, PSD2 and Strong Customer Authentication are not bureaucratic burdens to minimise; they are frameworks that, when implemented correctly, deliver real commercial benefit. The chargeback liability shift protects revenue. Frictionless 3DS2 flows maintain conversion rates. Correct exemption strategy reduces checkout abandonment. And a robust SCA implementation demonstrates to acquiring banks that your business takes fraud prevention seriously, which directly supports high-risk merchant account stability.

The businesses that struggle with PSD2 are those whose payment gateway and high-risk merchant provider implemented 3DS2 superficially, checking the compliance box without optimising the exemption logic, handling soft declines incorrectly, or failing to maintain MIT flags in subscription billing.

Choose a specialist high-risk payment processor that treats SCA as a strategic advantage for your business, not just a regulatory requirement, and the transition to PSD3 becomes a manageable evolution rather than a disruptive obligation.

Operating a high-risk merchant account in the EU and need a specialist payment provider with genuine SCA expertise? Speak with an expert today.