The European Union’s second payment services directive, commonly known as PSD2, has shaken up the payments industry. Before accepting an online payment from anyone in Europe, banks, payment processors, merchants, and card issuers must first verify the identity of the purchaser.
Although PSD2 has been in effect since September 2019, all players in the payments industry must now implement anti-fraud security measures while allowing merchants to offer seamless online shopping experiences for customers.
More specifically, credit card issuers, payment processors, and merchants were to comply with PSD2 by the end of 2020 or face possible enforcement actions by EU member states.
(If you’re not exactly sure what PSD2 is, check out our post on PSD2.)
Business owners are particularly keen on finding out whether the payment services they use are compliant. Otherwise, they face the challenge of either dealing with declined payments (and risking the possibility of driving customers away) or searching for a new payment service that’s PSD2 compliant.
One payment service widely used by business owners is PayPal. Is PayPal PSD2 compliant? Read on to find out.
What does it mean to be PSD2 compliant?
In a nutshell, PSD2 compliance for payment services means using strong customer authentication (SCA) for online transactions. SCA is an authentication process that verifies the identity of the person making a purchase in order to reduce fraud.
A payment service that can perform SCA through an authentication service like 3D Secure 2.0 is considered PSD2 compliant. (If you want to know more about 3D Secure 2.0, check out this post.)
Is PayPal PSD2 compliant?
PayPal complies with PSD2’s SCA mandate; however, as a business owner, you must take extra steps to ensure your PayPal payment process is compliant.
What do merchants using PayPal need to do?
The answer to this question depends on your integration with PayPal. As an online merchant, you likely fall into one of two situations:
- You use PayPal Pro (hosted by PayPal).
- You use PayPal Pro (not hosted by PayPal).
Keep reading to see what each situation requires for PSD2 compliance.
PSD2 compliance with PayPal-hosted PayPal Pro
If you’re using a form of PayPal Pro where the payment process is hosted by PayPal, you’re in the clear. In this scenario, when customers are ready to pay, they’re automatically directed to PayPal from your website. Compliance is out of your hands at that point, and PayPal is responsible for ensuring the payment process is PSD2 compliant.
PSD2 compliance with PayPal Pro direct
If you’re using a version of PayPal Pro that isn’t hosted by PayPal, you’re responsible for ensuring compliance. In this scenario, customers send their card payment information to you directly, which means you must authenticate them.
You’ll need to update your PayPal payment integration to abide by the card issuer’s (Visa, American Express, etc.) requirements for meeting the PSD2 mandate. PayPal recommends you integrate 3D Secure 2.0 into your checkout process so that you can authenticate customers and meet PSD2’s SCA requirements.
Since you must obtain data from a customer’s card issuer before transmitting 3D Secure authentication data to PayPal, the payment processor works with Visa’s Cardinal Commerce to verify someone’s identity through its Cardinal Cruise integration.
Not complying with PSD2 could have a major impact on your business, as Tony Arevalo of Carsurance explains: “I would definitely stop using PayPal, or any payment service, if it didn’t comply with the new directive. PSD2 applies only to Europe (including the U.K.), but when you run a business that serves customers all around the world, compliance is critical to avoid losing them.”
PSD2 is a complex topic regardless of the part you play in the payment space. To help clear things up, we created an in-depth guide on PSD2, including information on the first PSD, SCA, SCA exemptions, and how you can become compliant.