On the 14th September 2019, PSD2 comes in to force. If you receive payments online from your customers, you should understand what changes to expect, and whether or not action will be required on your part to comply with the law and to avoid significant loss of income.

Let’s start with a little glossary

The Revised Payment Services Directive is the second iteration of the ‘Payment Services Directive’ (PSD), a European Union (EU) directive first introduced in 2007 to regulate payment services and providers. The directive was introduced to break the banks’ monopoly on payment services, encouraging innovation and improved security.

Strong Customer Authentication is essentially the same as the Two Factor Authentication you may already be familiar with if you have ever had to receive a code by email or SMS in order to log in to an online service. Its purpose is to improve security by requiring two of the following three things:

  • Something the person knows (such as a password)
  • Something the person has (such as a mobile phone or device)
  • Something that the person is (such as a fingerprint or their face)

3D Secure is a term used to describe additional authentication during an online payment. You may remember when 3D Secure first appeared in 2001 as “Verified by Visa” and many online card payments required a password? The interruption to the checkout process was hugely disruptive – damaging to businesses and frustrating to customers, but merchants were obliged to implement it or risk not being protected against fraudulent transactions. 3DS2 aims to address many of the shortcomings of 3D Secure 1 by introducing less disruptive authentication and a better user experience.

Frictionless Authentication

3D Secure 2 allows businesses and their payment provider to send more data elements on each transaction to the cardholder’s bank. This includes payment-specific data like the shipping address, as well as contextual data, such as the customer’s device ID or previous transaction history.

The cardholder’s bank can use this information to assess the risk level of the transaction and select an appropriate response:

  1. If the data is enough for the bank to trust that the real cardholder is making the purchase, the transaction goes through the “frictionless” flow and the authentication is completed without any additional input from the cardholder.
  2. If the bank decides it needs further proof, the transaction is sent through the “challenge” flow and the customer is asked to provide additional input to authenticate the payment.

Although a limited form of risk-based authentication was already supported with 3D Secure 1, the ability to share more data using 3D Secure 2 aims to increase the number of transactions that can be authenticated without further customer input.

Example flow of authenticating a payment using 3D Secure 2 with fallback support for 3D Secure 1

Frictionless Authentication

Even if a transaction follows the frictionless flow, your business will benefit from the same liability shift as for transactions that pass through the challenge flow.

Better user experience

Unlike 3D Secure 1, 3D Secure 2 was designed after the rise of smartphones and makes it easier for banks to offer innovative authentication experiences through their mobile banking apps (sometimes referred to as “out-of-band authentication”). Instead of entering a password or just receiving a text message, the cardholder can authenticate a payment through the banking app by just using their fingerprint, or even facial recognition. We expect many banks to support these smoother authentication experiences with 3D Secure 2.

The second improvement in user experience is that 3D Secure 2 is designed to embed the challenge flow directly within web and mobile checkout flows—without requiring full page redirects. If a customer authenticates on your site or webpage, the 3D Secure prompt now by default appears in a modal on the checkout page (browser flow).

Source: Stripe – https://stripe.com/en-fr/guides/3d-secure-2

How does this affect you and what actions are required of you as an online merchant?

As always, this depends on the platform that you use to sell online. The chances are that you will only have to take any significant action to comply with PSD2 if you host your own website (e.g. WordPress). In most other cases, it will be the responsibility of the website service provider to update their payment processes, and many have already done so. Your responsibility is only to check that the payment processing will be compliant. You can usually do this by browsing their forum or by asking their support team. A few examples include Squarespace, Wix, Shopify, Big Commerce, Etsy, eBay, Amazon, Eventbrite.

If you have a web hosting package and accept payments via a WordPress website for example, you will need to establish what payment gateway you use to receive the payments and if it has been implemented in a compliant way. At time of writing, Stripe are ahead of the curve, and the official Stripe plug-in for Woocommerce is already compliant. Do check your own implementation is up to date and compliant. If you use any PayPal off-site payment methods, no changes should be required as the payments are not processed on your website, but at present (5 August 2019), PayPal Pro (on site payments) is still not compliant.


So you’ve got a great product you’re sure the world would flock to buy? It sounds like you are probably ready to start selling online. You may be baffled by the array of choices facing you before you even start, or perhaps you had no idea they even existed. Unless you have already done extensive research and evaluated the many options, read on, this article is for you!

There are many ways to sell online

The countless e-commerce options available fall broadly in to three models, each with their pros and cons and each suitable for a particular set of circumstances. What do I recommend to my clients? Jump to the end to find out! 

1. Online Marketplaces & Social Media

ecommerce marketplace logos

  • How does it work
    You join the platform and are able to list your products for sale on their website. Visitors to that website are able to purchase your products using the platform’s own payment system. You can have a URL that will lead directly to your products, but it will not be on your own domain.
  • Examples
    Facebook, eBay, Amazon and Etsy

Curated Stores

These are a sub-set of marketplaces and share some of the same characteristics, though the rigorous selection process means they are not an option for most sellers. Usually, as with other marketplaces, they will not hold your stock and you will be directly responsible for fulfilling orders. A fascinating and growing sector to keep an eye on.

2. Turnkey Websites

E-commerce turnkey websites

  • How does it work
    You join the platform and are able to use it to create your own website with your own domain. Your website will be hosted on the platform’s servers and you will only be able to access your assets (images, product data, etc.) using the admin interface that they provide.
  • Examples
    Shopify (specifically for e-commerce),  BigCommerce (specifically for e-commerce), Squarespace / Wix / Etc. (general website tools with limited e-commerce functionality)
  • More info
  • I use

3. Self-Hosted Websites

ecommerce self hosted websites

  • How does it work
    You arrange your own domain and hosting with a web hosting company and install, configure and maintain the e-commerce platform software, usually with the assistance of a web designer or developer. You have direct access to all of your assets (images, database, etc.).
  • Examples
    Woocommerce, Magento, Prestashop and OpenCart
  • More info
  • I use

What do I recommend to my clients?

To answer this question, first I would have to get a feel for their products, their budget and their skills. The answer will be either an online marketplace, Shopify, Woocommerce, or perhaps a combination of approaches. It often makes sense to sell through more than one channel and Shopify, for example, makes it very easy to combine selling via your own store with other channels such as Facebook and other online marketplaces.

I would ask the following:

  • What are / will you be selling and to whom?
  • Have you any special design and / or functionality requirements?
  • What’s your setup budget?
  • How tech literate are you?
  • How much time and money can you spend on an ongoing basis?
Very low budget, low tech skillsOnline marketplace
Dip your toe in the water, test your market and take it to the next level when you’re in profit.
Very low budget, decent tech skills, plenty of timeShopify or your choice of turnkey website without my help, possibly also online marketplace depending on your products and ability to generate traffic to your own site.
Low budget with low tech skills and / or little timeShopify with my help to set up, possibly also online marketplace.
Moderate budget and requiring high quality design and / or particular functionalityShopify with full set up and a custom theme developed by me, possibly also online marketplace.
At this point you will be confident that your sales will soon cover the setup costs, you want things to be done properly and professionally and you expect every stage in the customer’s journey to be carefully managed.
Moderate budget and certain circumstances, such as an existing WordPress site or particular functionality (such as gift vouchers) that is not currently well catered for by ShopifyWoocommerce with full set up and a custom theme developed by me, possibly also online marketplace.
At this point you will be confident that your sales will soon cover the setup costs, you want things to be done properly and professionally and you expect every stage in the customer’s journey to be carefully managed.
High budget (€15k +), large and complex catalogue, complex requirements for customisation, security, etcThis may require a larger web development agency.

The primary reason I recommend Shopify over Woocommerce in most situations is this:

All security and technical functionality is taken care of by the platform

Only with bitter experience will the significance of this point become clear. The stress, expense and damage to sales that a malfunction or security breach can bring to a website owner should never be underestimated. To mitigate against this on a self hosted website requires expertise and some expense and is impossible to guarantee. Of course, problems can befall a platform like Shopify too, but when they do, you can be assured that they will have extensive backup systems in place and a large team of skilled professionals immediately on the case to resolve the problem. Additionally, Shopify is typically quicker to set up, easier to build custom themes for, and requires no ongoing maintenance, making both the initial and ongoing investment smaller than for a self-hosted website.

And finally

No article on e-commerce would be complete without mentioning the vital ground work that must be done before you can hope to make any sales online, and the enormous investment of time and usually money required to reach customers. Shopify provides an exceptional educational resource, full of well researched, well informed articles: https://www.shopify.co.uk/guides

Their blog is also well worth subscribing to, whether or not you choose to subscribe to their services: https://www.shopify.co.uk/blog

If you are ready to embark on the adventure that is e-commerce, or if you’re at the very beginning of your journey and just thinking about creating your brand, get in touch to find out how I can help you to make it all happen.