3DS v2

Exclusions are transactions that are OUT of scope for PSD2 SCA regulations:

  • Mail order/telephone order
  • One leg journey - Payee's PSP (aka Merchant's acquirer) or Payer's PSP (aka Buyer's payment method issuer) is outside of EEA zone
  • Anonymous prepaid cards up to 150€ (article 63)
  • MIT - merchant initiated transactions

Exemptions are transactions that are IN the scope of PSD2 SCA regulations:

  • Low value transactions
  • Subscriptions
  • Risk analysis
  • Whitelisting
Unless the authentication is an obligatory step (i.e. in case of a card registration or an initial transaction of a series of recurring transactions), issuers can decide to pass on the authentication. In such a scenario the issuer will be liable in case of a charge back.
Add Card value refers to the case when a wallet provider uses 3DS protocol to add a card to their wallet. This will be implemented by the respective wallet provider.

If you use our eCommerce page, PostFinance will take care of all mandatory fields.

If you are integrated in DirectLink, meaning that you have your own payment page, we have a Javascript example available on the support page to collect the mandatory data.

For the optional information collection, refer to our support page on how to integrate with PostFinance.

COF in a nutshell: Customer initiates a first transaction with a merchant with a 3D-S (CIT). From this first transaction experience, the merchant has the possibility to do recurring transactions (subscription or with customer approval -> tokenization), flagged as MIT transactions.

MIT are one of the exemptions foreseen within the 3DSv2., if they fulfill the following cumulative conditions:

  • subsequent transactions of an initial CIT 
  • CIT was done with a mandatory authentication
  • A dynamic ID linking is made between initial CIT and the subsequent MITs

After initial authentication, exemptions/exclusions can apply:

  • Either because of legal recurring exemptions which apply to subscriptions with a fixed amount and periodicity (merchants are indeed advised to authenticate for full amount + provide details about number of agreed payments with card holders)
  • Either because other type of transactions are excluded from SCA scope... at merchant sole risk in case of chargeback (protection limited to authenticated amount) AND need for issuer to accept that risk to be taken:
    • Unscheduled COF: principle of subsequent transactions is agreed with card holder, but amount and/or periodicity is not fixed
    • Industry practices: incremental, no show, etc...

For the transitional period, schemes have defined default ID to be used for subsequent MITs created before introduction of 3DS v2.

Our test platform is ready for you to start testing. A simulator will support all different scenarios.

Testing cards have been provided and can be found on the support site, as well as in the TEST environment (Configuration > Technical Information > Test info).

Please contact us should you wish to start using 3-D Secure version 2 (3DSv2) in production. 

Secure version 2 is an evolution of the existing 3-D Secure version 1 programs: Verified by Visa, Mastercard SecureCode, AmericanExpress SafeKey, Diners/Discover ProtectBuy and JCB J/Secure. It is based on a specification that has been drafted by EMVco. EMVCo exists to facilitate worldwide interoperability and acceptance of secure payment transactions. It is overseen by EMVCo’s six member organizations—American Express, Discover, JCB, Mastercard, UnionPay, and Visa—and supported by dozens of banks, merchants, processors, vendors and other industry stakeholders who participate as EMVCo Associates.

One of the core differences in version 2 is that the issuer can use a lot of data-points from the transaction to determine the risk of the transaction (risk-based analysis). For low-risk transactions, issuers will not challenge the transaction (e.g. not sending an SMS to the cardholder) although authenticating the transaction (frictionless). Inversely, for high risk transaction, issuers will require the cardholder to authenticate with an SMS or biometric means (challenge).

Separately the Strong Customer Authentication (SCA) required from 1st January 2021 for Europe and from 14th September 2021 for UK, 2019 as specified in PSD2 will result in a substantial increase in the number of transactions requiring the use of 3-D Secure authentication. The use of 3-D Secure version 2 should limit the potential negative impact on conversion as much as possible. In short 3-D Secure version 2 means:

  • You will need to implement 3-D Secure before January 1st, 2021 if your transactions fall within the EU PSD2 SCA guidelines (in case you don't already support 3-D Secure).
  • You are advised (and for some are required) to submit additional data points to support the risk assessment performed by the issuer in case of 3-D Secure version 2
  • You might need to update your privacy policy with regards to GDPR as you might be sharing additional data-points with 3rd parties
  • A much better user experience for your consumers

The expectation in the market is that a substantial percentage of transactions using 3-D Secure version 2 will follow the frictionless flow, which doesn't require anything additional from the cardholder compared to current non-3-D Secure checkout flows. This means that you benefit from the increased security and liability shift that is provided by the 3-D Secure programs, while the conversion in your checkout process shouldn't be negatively impacted.

The EBA (European Banking Authority) and national banks in each affected country agreed on a grace period (until at least March 2020). This will give every player in the eCommerce business the opportunity to clarify all details related to this new regulation. However, we still strongly recommend to activate 3DS in your account(s) as soon as possible.

Since our TEST environment is ready, we advise you to start testing your integration as soon as possible.

Click here if you’re using eCommerce. If you’re using your own page, click here.

To make things easier for both merchants and consumers, PSD2 allows for some exemptions from strong customer authentication. What’s important to note is that all transactions that qualify for an exemption won’t be automatically exempted. In the case of card transactions, for example, it’s the card issuing bank that decides if an exemption is approved or not. So, even if a transaction qualifies for an exemption the customer might still have to make a strong customer authentication, if the card issuing bank chooses to demand it.

If the issuer is applying new PSD2 ruleset and 3DS is not active in the merchant's account, the transaction will be rejected with a new error code - soft decline. Therefore, please make sure to have 3DS active for each brand in your account(s). If you are integrated with DirectLink (Server to Server), you will need to implement the soft decline mechanism.

This situation is only possible if you are integrated via DirectLink only (Merchant own page / FlexCheckOut), as in PostFinance hosted payment page page, PostFinance is collecting the mandatory data.

First of all, PostFinance will identifiy the flow to be directed to v1 or v2 based on the card numbers.

If the card is enrolled V2, there are the following possible scenarios:

Mandatory data:

  • If the wrong data is passed, transaction is blocked
  • If some data is missing, PostFinance will direct your transaction to v1 flow
  • If no data is passed, transaction is NOT blocked but diverted to flow v1

Recommended or optional data:

  • if no data is passed, transaction is NOT blocked, but cannot benefit from exemption. 

From 1st January 2020 for Europe and from 14th September 2021 for UK, Strong Customer Authentication (SCA) rules will come into effect for all digital payments in Europe. Right now, banks, payment service providers and card networks are all working on technical solutions that will comply with the requirements for PSD2. To accept payments after January 1st you will have to make sure that these technical solutions will work with your online store.

Accepting payments from the world’s largest card networks, Visa, Mastercard and Amex, will require that you have implemented the security solution 3D Secure for your online store. 3D Secure has been used since 2001 to improve the security for online card transaction but now a new version has been developed that will facilitate the PSD2 Strong Customer Authentication requirements.

We recommend you to use 3-D Secure, since it helps prevent fraud and also protects you from liability in case of any fraud. From January 1st 2020 it will also be a requirement for accepting the payments from major cards.

3DSv2 is inviting merchants to send additional information (mandatory / recommended ... ). All you need to know as a merchant can be found here:


As 3DSv2 introduces frictionless authentication, the time for processing a transaction may be reduced. Conversely, if Strong Customer Authentication is requested, the processing time may be longer.
Along with the platform release in July we have enhanced our transaction overview details. Individual transactions accessible now contain detailed information on which flow (legacy 3DS v1  or 3Dsv2) was applied. More information can be found in our notes for Release 04.133 in the Backoffice via Support > Platform Releases > Release 04.133

In addition to that we have added the new parameter VERSION_3DS to our electronic reporting tool.

The possible values for VERSION_3DS are

V1  (for 3DS v1)
V2C (for 3DS v2 challenge flow)
V2F (for 3DS v2 frictionless flow) 

To add this parameter to your transaction file downloads, follow the instructions as shown in this video:

In a case like this, PostFinance will automatically manage a fallback to 3-D Secure v1.

The EU’s Second Payment Services Directive (2015/2366 PSD2) entered into force in January 2018, aiming to ensure consumer protection across all payment types, promoting an even more open, competitive payments landscape. Acting as a payment service provider, we pride ourselves on being confirmed PSD2 compliant since 29 May 2018.

One of the key requirements of PSD2 relates to Strong Customer Authentication (SCA) that will be required on all electronic transactions in the EU from 1st January 2021 for Europe and from 14th September 2021 for UK. SCA will require cardholders to authenticate themselves with at least TWO out of the following three methods:

  • Something they know (PIN, password, …)
  • Something they possess (card reader, mobile. …)
  • Something they are (voice recognition, fingerprint, …

This means your customers, in practice, will no longer be able to make a card payment online by using only the information on their cards. Instead they will have to, for example, verify their identity on a bank app that is connected to their phone and requires a password or fingerprint to approve the purchase.

More information about PSD2 can be found here: https://www.europeanpaymentscouncil.eu/sites/default/files/infographic/2018-04/EPC_Infographic_PSD2_April%202018.pdf


If you are accepting local brands available on EU issued cards, you are impacted.

This page is only presented for eCom merchants accepting brands outside Visa, MasterCard or Amex, an not sending the brand to be used to processed with the transaction. Sending the brand under which the transaction should be processed will remove the page.

You need to be compliant if you are accepting Carte Bancaire (France), Bancontact (Belgium) or Dankort (Denmark). The regulation is not naming “brands” but providing a cumulative scope:

  1. Card should be issued in EU.
  2. Brand should not be limited (limited card can be brand issued by one retailer, to buy limited goods or services, only provided to be use on local sectors, etc.)
  3. Merchant should already accept the brand. If merchant is accepting a payment by brand X and brand Y, merchant should allow payer to decide which brand to use when payer is using a card including both brands X and Y.

When compliancy is legally required (merchant is accepting brands included on EU issued cards covered by the regulation), but merchant is not compliant, Member States local authority can fine the merchant. Fine may differ from one country to another.

Compliancy is already required, but not fully put in place by all stakeholders, and each EU member states is free to decide when penalties should enter into force. We advise merchants to be compliant as soon as possible, notably on markets where co-badged cards are heavily used (ex: France for merchants accepting the Carte Bancaire brand).

If you are using the URL redirect (eCom) and accepting brands which could be potentially impacted by the regulation or potentially co-badged with another brand impacted by the regulation, we need to be sure payer will be able to make a choice of brand and then we need to present a selection page. The way to avoid the selection page is to always send the brand under which the transaction must be processed.


If you want to change the PSPID name for an existing production account, please contact your PostFinance Account Manager who will open a new account for you.

The PSPID name of your existing production account cannot be changed, but a new account with a new name can be opened for you.

Please note there will be a fee for this service.

The time to activate a payment method depends on the following factors:

  • It generally takes the acquirer or bank about a week to complete your affiliation. If you already have an affiliation, the activation takes a few days.
  • Some payment methods require additional checks before they can be activated, e.g. in case of 3-D Secure, which is requested directly at VISA or MasterCard (and not at the acquirer). 

With PostFinance Collect, you can activate several payment methods in one go.


If you want to change your invoicing address or the way you pay your invoices, please send an email with your PSPID to our Customer Care department

Our Customer Care team will take care of your request.

Please contact our team who can help you to get a copy of your invoice.


You can only perform refunds on transactions for which the funds have already been transferred to your bank account. A cancellation or deletion can be done before a payment has been fully processed, i.e. before the daily cut-off time at the acquirer, at which point all transactions of the previous day are processed.

You can easily refund a payment with the "Refund" button in the order overview of a transaction (via View transactions). If your account supports it, you can also make refunds with a DirectLink request or with a Batch file upload (for multiple transactions).

Please note that the Refunds option has to be enabled in your account.

Go to Maintain your transactions for more information.

In your PostFinance account menu, you can easily lookup your transactions by choosing "Operations" and then clicking either "View transactions" or "Financial history", depending on the type of transaction results you're looking for.

Go to Consult your transactions for more information.


There are different reasons why you can't refund a transaction. You need to consider the following (with the condition that the Refund option is enabled in your account):

  • The transaction is in an "incomplete" status, such as a pending or erroneous status (9192 etc.) that doesn't allow the refund operation.
  • If the transaction is authorised (status 5), at which point no payment has been made yet. In this case you have to cancel the authorisation instead of refund.
  • The used payment method doesn't support the refund functionality, which can be the case with certain debit cards, web banking methods and "offline" payment methods such as Bank transfer.

Request another admin user on your PSPID to deactivate the 2-Factor authentication for you or contact our Customer Care department for help.