PSD2 SagePay - what requirements

Question

Do I need to change anything within my payment gateway script on my ecommerce website, so it complies with PSD2 requirements on sagepay hosted? I don't take payments on my website, but redirect people to SagePay.

My question is according to Septembers EU law changes.

Answer 1

With any luck, you won't need to make any changes, as SagePay should handle the SCA process for you via 3D secure V2. You will probably already have needed to upgrade your protocol version from 2.x to 3.0 (https://www.sagepay.co.uk/support/12/36/sage-pay-version-3-00-understanding-the-process), and if you have, then SagePay should take care of the 3DS process for you, and hopefully will upgrade that process to 3DS2 when they see fit.

You will need to ensure that you have 3DS turned on in your SagePay account (https://www.sagepay.co.uk/support/28/36/activating-adding-a-3d-secure-rule)

This article: https://www.sagepay.co.uk/support/12/36/3d-secure-explained suggests that "Depending on which payment integration your site uses with Sage Pay you may have to make some changes to the integration, so it is important to flag with your developer/IT that you may need to make some development changes in June / July / August to ensure they will be ready to act for you. Specific details will be available in May." However, it's now June, and I haven't seen any such "specific details".

I'm not involved with SagePay, so I don't have any further knowledge than that - we too have an integration with SagePay, so I'm also waiting for further confirmation from them on what steps will need to be taken.

EDIT January 2022

At some point between June 2019 and January 2022, SagePay, or rather Opayo, have indeed updated their integration and they do require changes in order to fully cater for 3DSv2. Specifically, you will need to upgrade from Version 3.00 of their integration to Version 4.00 and pass some additional data. The migration process is documented here

Essentially you need to send some additional SCA data and "Credential on File" (CoF) data if you intend to do repeat transactions.