• Latest

PSD2 Strong Customer Authentication (SCA): Requirements and Exemptions

September 10, 2019 - Updated On June 26, 2026
Close-up shot of multiple credit cards scattered over a black laptop keyboard. A prominent gold credit card sits in the foreground. Layered on top of the left side is a bright cyan line icon showing a rising bar graph with a percentage sign and an upward-pointing arrow, symbolizing an increase in rates or credit card fraud statistics.

10 Credit Card Fraud Statistics You Can’t Afford to Ignore

July 13, 2026
A Complete Guide to Credit Card Fraud

A Complete Guide to Credit Card Fraud

July 9, 2026
The Merchant’s Guide to eCommerce Fraud Detection

The Merchant’s Guide to eCommerce Fraud Detection

July 8, 2026
Common Dropshipping Supplier Red Flags Every Store Owner Must Know

Common Dropshipping Supplier Red Flags Every Store Owner Must Know

July 3, 2026
8 Dropshipping Scams Targeting Sellers and Buyers in 2026

8 Dropshipping Scams Targeting Sellers and Buyers in 2026

July 2, 2026
How Credit Card Fraud Happens: 10 Common Methods Explained

How Credit Card Fraud Happens: 10 Common Methods Explained

June 25, 2026
Master the basics of Fraud-as-a-Service (FaaS). Discover how this underground economy works and get actionable strategies to defend your business.

A Guide to Fraud-as-a-Service: The New Frontier in Cybercrime

June 23, 2026
What Is a High-Risk Transaction?

What Is a High-Risk Transaction?

June 22, 2026
A woman sitting on a sofa while typing on her laptop and holding a credit card, illustrating the secure online login and verification processes discussed in "What Is Multi-Factor Authentication?".

What Is Multi-Factor Authentication?

June 16, 2026
A laptop on a desk showing a simulated phishing email notification about a locked credit card, used as a visual example of phishing threats and the need for effective merchant fraud monitoring systems.

12 Key Steps to Effective Merchant Fraud Monitoring

June 12, 2026
How to Report Credit Card Fraud as a Merchant

How to Report Credit Card Fraud as a Merchant

June 12, 2026
How to Apply for a High-Risk Merchant Account

How to Apply for a High-Risk Merchant Account

June 9, 2026
  • Contribute
  • Contact Us
  • About
  • Join Us
  • Advertise
Wednesday, July 15, 2026
Merchant Fraud Journal
ADVERTISEMENT
  • Home
  • Articles
    • Chargebacks
    • Fraud Prevention
    • Influencer Insights
  • Resources
    • Recorded Webinars
    • Podcasts
    • Vendor Directory
    • eCommerce Fraud Reports
    • Training and Certifications
    • Jobs Board
    • Associations and Non-Profits
  • News
No Result
View All Result
  • Home
  • Articles
    • Chargebacks
    • Fraud Prevention
    • Influencer Insights
  • Resources
    • Recorded Webinars
    • Podcasts
    • Vendor Directory
    • eCommerce Fraud Reports
    • Training and Certifications
    • Jobs Board
    • Associations and Non-Profits
  • News
No Result
View All Result
Merchant Fraud Journal
No Result
View All Result

PSD2 Strong Customer Authentication (SCA): Requirements and Exemptions

by Charity Amancio
June 26, 2026

Strong Customer Authentication (SCA) is the authentication requirement under PSD2 that applies to most online payments in the European Economic Area (EEA). It mandates that customers verify their identity using two of three factors (something they know, have, or are) before completing a transaction. 

For merchants, SCA changes how checkout works and who bears liability when fraud occurs. This guide covers the specific requirements, the exemptions that can reduce friction, and how SCA intersects with chargebacks and dispute management.

What Is PSD2?

Under the Second Payment Services Directive (PSD2), Strong Customer Authentication (SCA) mandates multi-factor authentication for electronic payments within the European Economic Area and the UK. The regulation’s primary goal is reducing eCommerce fraud and increasing online payment security. It applies to virtually every card-not-present transaction where both the issuer and acquirer are located in the EEA.

PSD2 is the EU’s framework for regulating payment services across member states. It standardizes how payments work, opens the door to third-party payment providers, and strengthens consumer protections. For merchants, the most operationally significant piece of PSD2 is the SCA requirement, which changes how customers authenticate at checkout.

What Is Strong Customer Authentication?

Strong Customer Authentication (SCA) is a European regulatory requirement under PSD2 designed to make online payments more secure and reduce electronic fraud. To complete a transaction, customers verify their identity using at least two of three independent authentication factors. If you’ve ever been prompted to enter a one-time code sent to your phone after typing your password, you’ve experienced SCA in action.

Knowledge factor

A knowledge factor is something the customer knows. Common examples include a PIN, password, or security question. It’s the most familiar form of authentication for most online shoppers.

Possession factor

A possession factor is something the customer has. A mobile phone receiving an SMS code, a hardware token, or a smart card all qualify. Even if someone knows your password, they can’t complete the transaction without physical access to your device.

Inherence factor

An inherence factor is something the customer is. Biometrics like fingerprint scans, facial recognition, or voice patterns fall into this category. Inherence factors are increasingly common on mobile devices and offer a frictionless way to satisfy SCA.

What Are the PSD2 SCA Requirements?

The core mandate is straightforward: customer-initiated online payments require authentication with two of the three factors above. But there’s more to it than just adding a second step at checkout.

  • Two-factor mandate: Every in-scope transaction requires verification from two independent categories. A password plus a fingerprint works. Two passwords do not.
  • Dynamic linking: The authentication code generated for a transaction is tied to that specific amount and payee. If either changes, the code becomes invalid.
  • Element independence: Compromising one factor can’t compromise the others. Your password being stolen doesn’t give an attacker access to your phone’s biometric data.

PSD2 SCA requirements apply when the customer initiates the payment and both the card issuer and the merchant’s acquirer are in the EEA. Transactions where either party is outside the EEA may still trigger SCA, but enforcement depends on the issuer’s policies.

Authentication factor reference

Factor Definition Examples
Knowledge Something the customer knows PIN, password, security question
Possession Something the customer has Mobile device, hardware token, smart card
Inherence Something the customer is Fingerprint, facial recognition, voice pattern

Source: Merchant Fraud Journal

Who Complies With SCA?

SCA compliance isn’t the responsibility of a single party. Instead, it’s distributed across the payment chain. Highlighting this shared burden, data from a joint EBA-ECB report shows that transactions verified with SCA are significantly safer. Card payment fraud was found to be 17x higher when the payment recipient is located outside the European Economic Area where SCA requirements are not legally enforced.

1. Merchants and online businesses

Merchants ensure their checkout flows support SCA by working with their payment service providers. This typically means enabling 3D Secure 2 and configuring exemption preferences. You don’t authenticate customers directly, but your integration choices determine whether transactions succeed or fail.

2. Issuing banks

The card-issuing bank ultimately decides whether to approve or decline a transaction. Issuing banks are responsible for authenticating the cardholder and determining whether an exemption applies. When a customer sees a challenge screen asking for a code or biometric, that’s the issuer’s authentication flow.

3. Acquirers and payment service providers

Your acquirer or PSP requests SCA on your behalf and manages exemption workflows. They pass transaction data to the issuer and handle the technical handshake that makes 3D Secure work. Most modern PSPs like Stripe, Adyen, and Checkout.com handle this automatically.

Which Transactions Require SCA?

Not every payment triggers SCA. In fact, European data highlights that around 80% of online card fraud in volume terms actually occurs on SCA-exempted transactions, showing just how heavily fraudsters target these loopholes. The requirement applies to specific transaction types:

  • Customer-initiated online payments: Card-not-present transactions where the customer is actively completing a purchase
  • Electronic remote payments: Any payment initiated via the internet or a connected device, including mobile app purchases and browser-based checkouts
  • Access to payment accounts: Logging into online banking or payment apps also requires SCA

The geographic scope matters too. SCA applies when both the issuer (the customer’s bank) and the acquirer (your payment processor) are located in the EEA. A US merchant selling to a German customer with a German-issued card would typically trigger SCA because the issuer is in the EEA.

SCA Exemptions Under PSD2

Not every transaction requires full authentication. Exemptions exist to balance security with customer experience, and using them strategically can reduce checkout friction without sacrificing compliance.

An infographic detailing the primary exemptions under PSD2 Strong Customer Authentication (SCA) requirements. The central circle reads "SCA Exemptions Under PSD2" and is surrounded by six teal boxes pointing to the various ways businesses can bypass full PSD2 Strong Customer Authentication protocols. The six exemptions listed are: low-value transactions, transaction risk analysis (TRA), trusted beneficiaries and whitelisting, recurring payments and subscriptions, merchant-initiated transactions (MIT), and corporate and B2B payments. The Merchant Fraud Journal logo sits at the top center.

1. Low-value transactions

Payments under €30 can be exempt from SCA. However, there are cumulative limits: after five consecutive unauthenticated transactions or €100 total, SCA kicks in. This exemption works well for quick, small purchases but isn’t reliable for higher-value goods.

2. Transaction risk analysis (TRA)

Payment service providers with demonstrably low fraud rates can request exemptions for transactions up to €500. The thresholds depend on the PSP’s fraud performance—lower fraud rates unlock higher exemption limits. Transaction risk analysis (TRA) is often one of the most powerful tools for reducing friction.

3. Trusted beneficiaries and whitelisting

Customers can ask their issuing bank to whitelist specific merchants. After an initial authenticated transaction, future purchases from that merchant skip SCA. Whitelisting is particularly valuable for repeat customers and subscription businesses.

4. Recurring payments and subscriptions

Fixed-amount recurring charges to the same merchant require SCA only for the first payment. Subsequent charges are exempt as long as the amount stays the same. Variable-amount subscriptions (like usage-based billing) may require re-authentication when the amount changes.

5. Merchant-initiated transactions (MIT)

Transactions initiated by the merchant without the customer present—like delayed charges, usage-based billing, or no-show fees—are out of SCA scope entirely. Merchant-initiated transactions (MITs) don’t require authentication because the customer isn’t there to authenticate.

6. Corporate and B2B payments

Payments made through dedicated corporate payment processes or protocols can be exempt. This typically applies to virtual cards, lodge cards, and centrally managed corporate accounts.

SCA exemption reference

Exemption Type Conditions Who Requests It
Low-value Under €30 (cumulative limits apply) Acquirer/PSP
TRA Based on PSP fraud rate thresholds Acquirer/PSP
Trusted beneficiary Customer whitelists merchant Issuer
Recurring payments Fixed amount, same merchant Acquirer/PSP
MIT Merchant-initiated, customer not present Not applicable
Corporate and B2B Dedicated processes/protocols (e.g., virtual cards, lodge cards) Not applicable

Source: Merchant Fraud Journal

How PSD2, SCA, and 3DS2 Work Together

PSD2, SCA, and 3DS2 often get conflated, but they serve different purposes. PSD2 is the regulation. SCA is the requirement within that regulation. 3D Secure 2 is the technical protocol that makes SCA possible for card payments.

The role of 3D Secure 2

3DS2 is the card network protocol developed by Visa, Mastercard, and other schemes to enable SCA. It replaced the older 3DS1, which was notorious for clunky pop-ups and high abandonment rates. The newer version is designed to be faster, more mobile-friendly, and less disruptive.

How 3DS2 delivers SCA

When a transaction requires authentication, 3DS2 sends rich transaction data to the issuing bank. The issuer analyzes device fingerprint, transaction history, and behavioral signals, then decides whether to approve the transaction silently (frictionless flow) or challenge the customer for additional verification.

The frictionless flow is the goal. When the issuer has enough confidence in the transaction’s legitimacy, the customer never sees a challenge screen. Sharing detailed transaction data with your PSP increases the odds of frictionless approval.

How SCA Impacts Merchants and Conversion Rates

Added authentication steps can increase cart abandonment if implemented poorly. However, well-implemented SCA with strategic exemption use often has minimal impact on conversion.

The key is using exemptions where appropriate and ensuring your 3DS2 integration passes rich data to issuers. The more context the issuer has, the more likely they are to approve transactions frictionlessly. Working with a PSP that optimizes for conversion makes a measurable difference.

Pro Tip: Monitor your authentication success rates and decline reasons. If you’re seeing high challenge rates or soft declines, your PSP may need to adjust how they’re requesting exemptions or passing transaction data.

The Future of PSD2 and Strong Customer Authentication

PSD3 is currently in development and expected to refine SCA requirements while addressing emerging payment methods like open banking and digital wallets. The European Commission has signaled that the next iteration will focus on reducing friction while maintaining security standards.

Beyond Europe, SCA principles are influencing regulations globally. The UK has implemented its own SCA rules post-Brexit, and similar frameworks are being discussed in other markets. Merchants operating internationally can expect authentication requirements to become more common, not less.

Frequently Asked Questions

What is the difference between PSD2 and SCA?

PSD2 is the EU directive that regulates payment services across the European Economic Area. SCA is one specific requirement within PSD2 that mandates two-factor authentication for electronic payments. Think of PSD2 as the rulebook and SCA as one of the rules inside it.

Does PSD2 SCA apply to merchants outside the European Union?

SCA applies when the customer's card issuer and the merchant's acquirer are both located in the EEA. Non-EU merchants selling to European customers with European-issued cards may still need to support SCA. The issuer ultimately decides whether to enforce authentication.

What happens when a payment is declined due to SCA failure?

The transaction is rejected by the issuing bank, and the customer typically sees an error message. They'll need to retry with proper authentication or use an alternative payment method. Clear error messaging helps reduce abandonment—let customers know what went wrong and how to fix it.

Picture of Charity Amancio

Charity Amancio

Charity Amancio specializes in SaaS solutions for global eCommerce businesses, including payments and risk management applications. She bridges the gap between technology and merchant needs, offering practical perspectives on the tools shaping eCommerce. Her insights appear regularly in B2B publications covering the digital commerce space.

Tags: PSD2Strong Customer Authentication
TweetShareSend
Previous Post

Ebay PayPal Scam Strikes Merchants

Next Post

Card Not Present Fraud Rates Climbing Higher and Higher

Next Post

Card Not Present Fraud Rates Climbing Higher and Higher

Download our latest report:

Our Latest Reports

2024 Fraud Trends Report

2023 Consumer Payments Survey Report

2023 Fraud Trends Report

2022 Chargeback Consumer Survey Report

Fraud Prevention Tactics that Enable Exceptional Customer Experience

Addressing Payment Fraud and The Customer Experience in 2022

2022 Fraud Trends Report

ATO Fraud In Retail Report

2022 Customer Experience Report

3 Ways a Unified Chargeback Management and Fraud Platform Increases Revenue

Digital Trust And Safety Report: Combating the Evolving Complexities of Payment Fraud

On-Demand Webinars

New Trends in The Payments Ecosystem

Balancing Customer Experience and Fraud Prevention: What’s the Secret?

Stopping Fraud Across the Customer Lifecycle

Addressing Payment Fraud and the Customer Experience in 2022

 

Get the 2024 Fraud Trends Report

Search Our Site

No Result
View All Result

Our Sponsors

Quick Navigation

  • Home
  • News
  • Join Us
  • About Us
  • Contact Us
  • Advertise
  • Contribute
  • Privacy Policy

The Payments Media Network

Merchant Fraud Journal
Payments Review

Privacy Policy

Our Privacy Policy
Our Terms of Use

Resources

  • Articles
  • eCommerce Fraud Reports
  • eCommerce Fraud Webinars
  • Training and Certifications
  • Jobs Board
  • Associations and Non-Profits
  • Podcasts
  • Vendor Directory

Download the 2023 Fraud Trends Report

No Result
View All Result
  • About Merchant Fraud Journal
    • Interested in Contributing or Guest Posting to Merchant Fraud Journal?
    • Merchant Fraud Journal Editorial Guidelines
  • Advertise on Merchant Fraud Journal
  • Articles
    • Chargebacks
    • Fraud Prevention
    • Influencer Insights
  • Contact Us
  • Download Addressing Payment Fraud and Customer Experience Report
  • Download Chargebacks Consumer Survey Report 2022
  • Download Evolving Complexities of Payment Fraud Report
  • Download Fraud Prevention Tactics that Enable Exceptional Customer Experiences Report
  • Download Merchant Fraud Journal 2023 Fraud Trends Report
  • Download Merchant Fraud Journal 2024 Fraud Trends Report
  • Download Merchant Fraud Journal Generative AI Fraud Prevention Checklist for SMBs
  • Download Quantifying the Challenge of Friendly Fraud: Your Post-purchase Strategy for the Future
  • Download the 2020 Chargeback and Representment Report
  • Download the 2020 Merchant Fraud Journal Vendor Guide
  • Download the 2021 Fraud Trends Report
  • Download the 2022 Fraud Trends Report
  • Download the 2023 Consumer Payment Trends Report
  • Download the 3 Ways a Unified Chargeback Management and Fraud Platform Increases Revenue Report
  • Download the MFJ 2022 Customer Experience Report
  • Download the MFJ ATO in Retail Report
  • Home
  • Home Elementor
  • Job Dashboard
  • Join The Merchant Fraud Journal Community
  • Merchant Fraud Journal Advertising Agreement
  • Merchant Fraud Journal Advertising Agreement – Signifyd
  • MFJ Fraud Trends Report Giveaway
  • News
  • Post a Job
  • Privacy Policy
  • Resources
    • #9978 (no title)
    • 2020 Chargeback Representment Guide for Merchants
    • 2020 Vendor Guide
    • 2023 Consumer Payments Survey Report
    • 3 Ways a Unified Chargeback Management and Fraud Platform Increases Revenue
    • Addressing Payment Fraud and the Customer Experience in 2022
    • Associations and Non-Profits
    • ATO Fraud In Retail Report
    • Balancing Customer Experience and Fraud Prevention: What’s the Secret?
    • Chargebacks Consumer Survey Report 2022
    • Digital Trust & Safety: Combating the Evolving Complexities of Payment Fraud
    • eCommerce Fraud Reports
    • eCommerce Fraud Webinars
    • Fraud Prevention Tactics that Enable Exceptional Customer Experiences
    • Fraud Prevention Training and Certifications
    • How to Build a Recession Proof Chargeback Prevention Strategy
    • How to Reduce Customer Friction During Holiday Sales Season
    • How to Stop Fraud During the 2022 Holiday Season
    • Jobs Board
    • Merchant Fraud Journal 2023 Fraud Trends Report
    • Merchant Fraud Journal’s Fraud Trends 2020 Report
    • Merchant Fraud Journal’s Generative AI Fraud Prevention Report: A Checklist for SMB Companies
    • Merchant Fraud Journal’s Fraud Trends 2021 Report
    • Merchant Fraud Journal’s Fraud Trends 2022 Report
    • MFJ’s 2022 Customer Experience Report
    • Podcasts
    • Prevent High-Velocity Fraud Attacks During the 2021 Holiday Season
    • Quantifying the Challenge of Friendly Fraud: Your Post-purchase Strategy for the Future
    • Stopping Fraud Across the Customer Lifecycle
    • The surprisingly easy way to secure your payment data, reduce your risk, and win the war on ecommerce fraud
    • Vendor Directory
    • Webinar – Addressing Payment Fraud and the Customer Experience in 2022
    • Webinar – Mitigating Fraud and Risk on the ACH Network
    • Win January Chargeback Disputes
  • Subscribed
  • Terms and Conditions

© 2021 Payments Media Solutions Canada Inc.

Not enough quota to unlock this post
Unlock left : 0
Are you sure want to cancel subscription?