Strong Customer Authentication

Learn about Strong Customer Authentication (SCA), a regulation aimed at reducing fraud and improving security in online payments.


Strong customer authentication (SCA) is a security measure designed to protect online transactions and prevent fraud. SCA requires that customers provide two or more authentication factors to prove their identity when paying online. The most common method of authenticating an online card payment is through 3D Secure.

SCA is mandatory under the European Union’s Payment Services Directive (PSD2) and applies to online transactions initiated by customers in Europe, but only if both your bank and your customer’s bank are located in the EEA, the UK, or Monaco.

List of PSD2 countries
Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Georgia, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Monaco, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the UK.


Exemptions

Certain types of transactions can be exempted from SCA. If your customer’s issuing bank approves the exemption, the transaction does not require SCA. Exemptions are intended to provide your customers with a more streamlined checkout experience while maintaining high security.

Low-value

Card issuers can exempt transactions below €30. Your customer’s bank can still require strong authentication if:

  • the exemption has been used five times since the customer’s last successful authentication.
  • the sum of previously exempted payments exceeds €100.

Low-risk

Issuing banks can conduct a Transaction Risk Analysis (TRA) and consider certain transactions as low-risk based on the average fraud levels of the card issuer, the acquirer processing the transaction, or both.

  • You or the acquirer can request a TRA exemption if your or the acquirer’s fraud levels are below the established fraud thresholds. If the exemption is granted, the chargeback liability remains with you or the acquirer.
  • The card issuer can grant a TRA exemption even if it is not requested. Providing additional information in payment requests increases the probability of getting the exemption. However, if the exemption is granted, the chargeback liability shifts to the issuer.

Trusted beneficiaries

When completing authentication for a payment, your customer can add your business to their list of trusted beneficiaries. The issuer can then exempt subsequent transactions from authentication.

Secure corporate payments

When making transactions with a lodged or virtual card, the card issuer can exempt the transaction from authentication.

Network outage

In case of a network outage, you can still accept payments without strong customer authentication. The network outage exemption is intended to be a temporary measure and you are expected to comply with SCA requirements as soon as the outage is resolved.

Delegated authentication

You can delegate the responsibility of strong customer authentication to a trusted third party.


Out-of-scope transactions

Some transactions are out of the SCA scope and don’t require strong authentication.

Interregional transactions

If either the cardholder’s country or the acquirer’s country is outside of the European Economic Area (EEA), the transaction does not require strong authentication.

Mail Order or Telephone Order (MOTO)

A transaction where customers provide their card details by phone, mail, or fax is called a MOTO transaction. MOTO transactions are not considered electronic payments and therefore fall outside the SCA scope.

Merchant-initiated transactions (including recurring payments)

An MIT (Merchant-Initiated Transaction) is a payment made using a saved card when the customer is not present in the checkout flow, such as a recurring payment or subscription. MIT transactions fall outside the scope of SCA because they are technically initiated by you and not the customer.

To use MIT transactions, you must explicitly request a challenge flow on the first payment: the customer authenticates the card and gives their agreement (mandate) for future charges, similar to requesting an exemption.

Anonymous card

Anonymous cards, such as prepaid cards, fall outside the scope of SCA because they cannot be linked to a specific person.
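As an added illustration (not code from this page or its provider), the following simulator applies the out-of-scope rules above (interregional, MOTO, MIT) and the low-value exemption rules from the Exemptions section (below €30, at most five uses, and a cap of €100 on previously exempted payments since the last successful authentication). The country set is a constructed subset of the PSD2 list on this page, and the counter reset after a challenge assumes the authentication succeeds.

```python
from dataclasses import dataclass

# Constructed subset of the PSD2 jurisdictions listed on this page (ISO 3166 codes);
# membership here is an assumption for the example, not an authoritative table.
PSD2_COUNTRIES = {"AT", "BE", "DE", "ES", "FR", "GB", "IE", "IT", "MC", "NL", "NO", "PL", "SE"}

LOW_VALUE_LIMIT_EUR = 30.0     # low-value exemption applies below this amount
LOW_VALUE_MAX_USES = 5         # issuer may require SCA once used this many times
LOW_VALUE_MAX_SUM_EUR = 100.0  # ...or once previously exempted payments exceed this


@dataclass
class CardState:
    """Counters an issuer keeps per card since the last successful authentication."""
    exempt_uses: int = 0
    exempt_sum_eur: float = 0.0


@dataclass
class Transaction:
    amount_eur: float
    issuer_country: str
    acquirer_country: str
    channel: str = "ecommerce"  # "ecommerce", "moto" or "mit"


def decide(tx: Transaction, state: CardState) -> str:
    """Classify one transaction as 'out_of_scope', 'low_value_exempt' or
    'sca_required', moving the card's counters the way the page describes."""
    # MOTO and merchant-initiated transactions are outside SCA scope.
    if tx.channel in ("moto", "mit"):
        return "out_of_scope"
    # Interregional: either side outside the PSD2 area takes the payment out of scope.
    if tx.issuer_country not in PSD2_COUNTRIES or tx.acquirer_country not in PSD2_COUNTRIES:
        return "out_of_scope"
    # Low-value exemption, with the two issuer triggers that force SCA again.
    if (tx.amount_eur < LOW_VALUE_LIMIT_EUR
            and state.exempt_uses < LOW_VALUE_MAX_USES
            and state.exempt_sum_eur <= LOW_VALUE_MAX_SUM_EUR):
        state.exempt_uses += 1
        state.exempt_sum_eur += tx.amount_eur
        return "low_value_exempt"
    # Otherwise the customer is challenged; a successful SCA resets the counters (assumed).
    state.exempt_uses = 0
    state.exempt_sum_eur = 0.0
    return "sca_required"


def run_sequence(amounts, issuer="DE", acquirer="FR"):
    """Feed a series of e-commerce payments on one card through decide()."""
    state = CardState()
    return [decide(Transaction(a, issuer, acquirer), state) for a in amounts]
```

Running `run_sequence([20] * 6)` shows the use-count trigger: five exempt payments followed by a challenge on the sixth, after which the counters start over.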