STRONG AUTHENTICATION

From now on, your account is even more secure with the Strong Authentication System.

This concept, which derives from the Payment Services Directive (PSD2), introduces an additional security step in online financial operations. In other words, the information printed on the card (card number, validity date, CVV/CVC) are not considered valid elements for the purposes of strong authentication.

Strong authentication has already been implemented by MB and MB WAY systems since September 2019. However, regarding online card payments, and due to the complexity of the underlying systems, the European Banking Authority (EBA) established that banks/payment service providers must implement strong authentication before 31 December 2020.

For further information, click here.

CALM DOWN... WHAT IS PSD2 AFTER ALL?

PSD 2 is a European directive that establishes a series of new authentication provisions, offering customers greater security. This means that the authentication procedure must be carried out by using two or more elements that, at least, belong to two of the following categories:

SOMETHING
THE CUSTOMER KNOWS

PASSWORD OR PIN

SOMETHING
THE CUSTOMER HAS

TELEPHONE OR PHYSICAL TOKEN

SOMETHING
THE CUSTOMER IS

Touch and Face ID

To every rule there is an exception

Some transactions do not necessarily require explicit authentication of the payer. In some cases, they can be authorized without prior authentication or pass through a frictionless flow, which means that the client does not need to be authenticated with the issuer.

Transactions outside the scope of PSD2:

  • Merchant-initiated transactions: transactions in which there was a prior agreement between the customer and the merchant, in order to allow payments to be made without the customer's participation. Example: subscription/instalment payments;
  • MOTO (Mail Order, Telephone Order) transactions: orders by mail or telephone, which do not require the direct involvement of the customer;
  • Interregional transactions (OLO: One Leg Out): any transaction where the issuer or buyer is located outside the European Economic Area.

Transactions not requiring strong authentication:

  • Low amount;
  • Low risk;
  • When the customer has indicated that the merchant is a “trusted beneficiary”;
  • Payments with corporate cards.

Please note that the customer's bank may substitute the exemption request.

Available methods

PayPay makes the following payment methods available to merchants:

Payment method Authentication method Requires additional actions
MULTIBANCO Depending on the bank (homebanking) No
MB WAY MB WAY application (PIN, fingerprint, etc.) No
Credit/Debit card 3D Secure 2.0 Prior submission of additional data is recommended

MORE SECURITY WITH
3D Secure 2

3D Secure 2 (3DS2) is the technology adopted by banks and payment service providers to comply with Strong Authentication in online card payments.

3DS 2.0 eliminates the redirection of the customer to bank page. This means that the payment processor gathers the information about the transaction and sends it to the bank, guaranteeing a smoother integration, always with greater security.

PAYPAY IS
ALWAYS WITH YOU

PayPay will be in charge of collecting the necessary data to initiate the payment, in case it is not sent. Therefore, you will not have to do anything.

In case you use any of the PayPay e-commerce plugins, you will also be provided with an update to support 3DS Secure 2.

NEW FIELDS TO BE INTEGRATED
card payments

In order to comply with the PSD2 Directive, PayPay will collect and send the following information:

Designation Required Responsible for sending
Cardholder name Cardholder (via PayPay site)
Billing Address Cardholder (via PayPay site) / Merchant (via Integration/API)
Consumer e-mail Cardholder (via PayPay site) / Merchant (via Integration/API)
Shipping address Merchant (via Integration/API)

Browser information (language, time zone, window size, etc.)

Automatically collected by PayPay

AS SIMPLE AS ALWAYS

INTEGRATIONS VIA API SOAP

E-commerce extensions