Strong Customer Authentication (SCA) is the authentication requirement under PSD2 that applies to most online payments in the European Economic Area (EEA). It mandates that customers verify their identity using two of three factors (something they know, have, or are) before completing a transaction.
For merchants, SCA changes how checkout works and who bears liability when fraud occurs. This guide covers the specific requirements, the exemptions that can reduce friction, and how SCA intersects with chargebacks and dispute management.
What Is PSD2?
Under the Second Payment Services Directive (PSD2), Strong Customer Authentication (SCA) mandates multi-factor authentication for electronic payments within the European Economic Area and the UK. The regulation’s primary goal is reducing eCommerce fraud and increasing online payment security. It applies to virtually every card-not-present transaction where both the issuer and acquirer are located in the EEA.
PSD2 is the EU’s framework for regulating payment services across member states. It standardizes how payments work, opens the door to third-party payment providers, and strengthens consumer protections. For merchants, the most operationally significant piece of PSD2 is the SCA requirement, which changes how customers authenticate at checkout.
What Is Strong Customer Authentication?
Strong Customer Authentication (SCA) is a European regulatory requirement under PSD2 designed to make online payments more secure and reduce electronic fraud. To complete a transaction, customers verify their identity using at least two of three independent authentication factors. If you’ve ever been prompted to enter a one-time code sent to your phone after typing your password, you’ve experienced SCA in action.
Knowledge factor
A knowledge factor is something the customer knows. Common examples include a PIN, password, or security question. It’s the most familiar form of authentication for most online shoppers.
Possession factor
A possession factor is something the customer has. A mobile phone receiving an SMS code, a hardware token, or a smart card all qualify. Even if someone knows your password, they can’t complete the transaction without physical access to your device.
Inherence factor
An inherence factor is something the customer is. Biometrics like fingerprint scans, facial recognition, or voice patterns fall into this category. Inherence factors are increasingly common on mobile devices and offer a frictionless way to satisfy SCA.
What Are the PSD2 SCA Requirements?
The core mandate is straightforward: customer-initiated online payments require authentication with two of the three factors above. But there’s more to it than just adding a second step at checkout.
- Two-factor mandate: Every in-scope transaction requires verification from two independent categories. A password plus a fingerprint works. Two passwords do not.
- Dynamic linking: The authentication code generated for a transaction is tied to that specific amount and payee. If either changes, the code becomes invalid.
- Element independence: Compromising one factor can’t compromise the others. Your password being stolen doesn’t give an attacker access to your phone’s biometric data.
PSD2 SCA requirements apply when the customer initiates the payment and both the card issuer and the merchant’s acquirer are in the EEA. Transactions where either party is outside the EEA may still trigger SCA, but enforcement depends on the issuer’s policies.
Authentication factor reference
| Factor | Definition | Examples |
|---|---|---|
| Knowledge | Something the customer knows | PIN, password, security question |
| Possession | Something the customer has | Mobile device, hardware token, smart card |
| Inherence | Something the customer is | Fingerprint, facial recognition, voice pattern |
Source: Merchant Fraud Journal
Who Complies With SCA?
SCA compliance isn’t the responsibility of a single party. Instead, it’s distributed across the payment chain. Highlighting this shared burden, data from a joint EBA-ECB report shows that transactions verified with SCA are significantly safer. Card payment fraud was found to be 17x higher when the payment recipient is located outside the European Economic Area where SCA requirements are not legally enforced.
1. Merchants and online businesses
Merchants ensure their checkout flows support SCA by working with their payment service providers. This typically means enabling 3D Secure 2 and configuring exemption preferences. You don’t authenticate customers directly, but your integration choices determine whether transactions succeed or fail.
2. Issuing banks
The card-issuing bank ultimately decides whether to approve or decline a transaction. Issuing banks are responsible for authenticating the cardholder and determining whether an exemption applies. When a customer sees a challenge screen asking for a code or biometric, that’s the issuer’s authentication flow.
3. Acquirers and payment service providers
Your acquirer or PSP requests SCA on your behalf and manages exemption workflows. They pass transaction data to the issuer and handle the technical handshake that makes 3D Secure work. Most modern PSPs like Stripe, Adyen, and Checkout.com handle this automatically.
Which Transactions Require SCA?
Not every payment triggers SCA. In fact, European data highlights that around 80% of online card fraud in volume terms actually occurs on SCA-exempted transactions, showing just how heavily fraudsters target these loopholes. The requirement applies to specific transaction types:
- Customer-initiated online payments: Card-not-present transactions where the customer is actively completing a purchase
- Electronic remote payments: Any payment initiated via the internet or a connected device, including mobile app purchases and browser-based checkouts
- Access to payment accounts: Logging into online banking or payment apps also requires SCA
The geographic scope matters too. SCA applies when both the issuer (the customer’s bank) and the acquirer (your payment processor) are located in the EEA. A US merchant selling to a German customer with a German-issued card would typically trigger SCA because the issuer is in the EEA.
SCA Exemptions Under PSD2
Not every transaction requires full authentication. Exemptions exist to balance security with customer experience, and using them strategically can reduce checkout friction without sacrificing compliance.
1. Low-value transactions
Payments under €30 can be exempt from SCA. However, there are cumulative limits: after five consecutive unauthenticated transactions or €100 total, SCA kicks in. This exemption works well for quick, small purchases but isn’t reliable for higher-value goods.
2. Transaction risk analysis (TRA)
Payment service providers with demonstrably low fraud rates can request exemptions for transactions up to €500. The thresholds depend on the PSP’s fraud performance—lower fraud rates unlock higher exemption limits. Transaction risk analysis (TRA) is often one of the most powerful tools for reducing friction.
3. Trusted beneficiaries and whitelisting
Customers can ask their issuing bank to whitelist specific merchants. After an initial authenticated transaction, future purchases from that merchant skip SCA. Whitelisting is particularly valuable for repeat customers and subscription businesses.
4. Recurring payments and subscriptions
Fixed-amount recurring charges to the same merchant require SCA only for the first payment. Subsequent charges are exempt as long as the amount stays the same. Variable-amount subscriptions (like usage-based billing) may require re-authentication when the amount changes.
5. Merchant-initiated transactions (MIT)
Transactions initiated by the merchant without the customer present—like delayed charges, usage-based billing, or no-show fees—are out of SCA scope entirely. Merchant-initiated transactions (MITs) don’t require authentication because the customer isn’t there to authenticate.
6. Corporate and B2B payments
Payments made through dedicated corporate payment processes or protocols can be exempt. This typically applies to virtual cards, lodge cards, and centrally managed corporate accounts.
SCA exemption reference
| Exemption Type | Conditions | Who Requests It |
|---|---|---|
| Low-value | Under €30 (cumulative limits apply) | Acquirer/PSP |
| TRA | Based on PSP fraud rate thresholds | Acquirer/PSP |
| Trusted beneficiary | Customer whitelists merchant | Issuer |
| Recurring payments | Fixed amount, same merchant | Acquirer/PSP |
| MIT | Merchant-initiated, customer not present | Not applicable |
| Corporate and B2B | Dedicated processes/protocols (e.g., virtual cards, lodge cards) | Not applicable |
Source: Merchant Fraud Journal
How PSD2, SCA, and 3DS2 Work Together
PSD2, SCA, and 3DS2 often get conflated, but they serve different purposes. PSD2 is the regulation. SCA is the requirement within that regulation. 3D Secure 2 is the technical protocol that makes SCA possible for card payments.
The role of 3D Secure 2
3DS2 is the card network protocol developed by Visa, Mastercard, and other schemes to enable SCA. It replaced the older 3DS1, which was notorious for clunky pop-ups and high abandonment rates. The newer version is designed to be faster, more mobile-friendly, and less disruptive.
How 3DS2 delivers SCA
When a transaction requires authentication, 3DS2 sends rich transaction data to the issuing bank. The issuer analyzes device fingerprint, transaction history, and behavioral signals, then decides whether to approve the transaction silently (frictionless flow) or challenge the customer for additional verification.
The frictionless flow is the goal. When the issuer has enough confidence in the transaction’s legitimacy, the customer never sees a challenge screen. Sharing detailed transaction data with your PSP increases the odds of frictionless approval.
How SCA Impacts Merchants and Conversion Rates
Added authentication steps can increase cart abandonment if implemented poorly. However, well-implemented SCA with strategic exemption use often has minimal impact on conversion.
The key is using exemptions where appropriate and ensuring your 3DS2 integration passes rich data to issuers. The more context the issuer has, the more likely they are to approve transactions frictionlessly. Working with a PSP that optimizes for conversion makes a measurable difference.
Pro Tip: Monitor your authentication success rates and decline reasons. If you’re seeing high challenge rates or soft declines, your PSP may need to adjust how they’re requesting exemptions or passing transaction data.
The Future of PSD2 and Strong Customer Authentication
PSD3 is currently in development and expected to refine SCA requirements while addressing emerging payment methods like open banking and digital wallets. The European Commission has signaled that the next iteration will focus on reducing friction while maintaining security standards.
Beyond Europe, SCA principles are influencing regulations globally. The UK has implemented its own SCA rules post-Brexit, and similar frameworks are being discussed in other markets. Merchants operating internationally can expect authentication requirements to become more common, not less.
Frequently Asked Questions
What is the difference between PSD2 and SCA?
PSD2 is the EU directive that regulates payment services across the European Economic Area. SCA is one specific requirement within PSD2 that mandates two-factor authentication for electronic payments. Think of PSD2 as the rulebook and SCA as one of the rules inside it.
Does PSD2 SCA apply to merchants outside the European Union?
SCA applies when the customer's card issuer and the merchant's acquirer are both located in the EEA. Non-EU merchants selling to European customers with European-issued cards may still need to support SCA. The issuer ultimately decides whether to enforce authentication.
What happens when a payment is declined due to SCA failure?
The transaction is rejected by the issuing bank, and the customer typically sees an error message. They'll need to retry with proper authentication or use an alternative payment method. Clear error messaging helps reduce abandonment—let customers know what went wrong and how to fix it.
Charity Amancio
Charity Amancio specializes in SaaS solutions for global eCommerce businesses, including payments and risk management applications. She bridges the gap between technology and merchant needs, offering practical perspectives on the tools shaping eCommerce. Her insights appear regularly in B2B publications covering the digital commerce space.















