SCA compliance

Last updated: November 5, 2025

The European Union's second Payment Services Directive (PSD2) sets requirements for authenticating online payments in Europe, known as Strong Customer Authentication (SCA).

SCA is a form of multi-factor authentication that verifies customer identity to increase the security of online payments. The customer must provide at least two of the following three elements:

Something the customers knows, like a password or PIN
Something the customer has, like a mobile phone or wearable device
Something the customer is, like their fingerprint or facial recognition

SCA is required for online customer-initiated transactions (CITs) within the European Economic Area (EEA) and the United Kingdom (UK).

For online card payments, SCA applies only to payments where both the issuer and acquirer are located within the EEA and the UK.

For online card payments, apply 3D Secure (3DS) authentication. The latest version of 3DS offers frictionless and challenge authentication flows and certain exemptions from SCA for a smooth checkout experience.

Card-based digital wallets like Apple Pay and Google Pay have multi-factor authentication built in to their payment flows, offering a frictionless checkout experience that supports SCA.

Many common European alternative payment methods (APMs) are also subject to SCA. For example, like Bancontact, iDEAL, and Multibanco.

The following types of payment fall outside the scope of SCA:

Anonymous prepaid card payments, like gift cards
Mail Order or Telephone Order (MOTO) payments
Subsequent (not initial) merchant-initiated transactions
One-leg-out (OLO) payments, where either you or the customer's bank are based outside the EEA or the UK

A merchant-initiated transaction (MIT) is where you request the payment with a customer's previously saved card. Scheduled and unscheduled MITs of a fixed or variable amount (for example, subscriptions and automatic top-ups) are out of scope for SCA.

However, you must perform SCA during the initial payment when the card is saved or when the cardholder makes the first payment in a series. You also need to obtain the customer's agreement to charge their card at a later date.

Information

Always flag MITs in your payment request. For more information, see Pay with stored card details.

Payments can be exempt from SCA if they meet certain criteria. Exemptions are supported by 3DS protocols 2.1 and 2.2.

Exemptions can improve the customer experience because:

More payments are approved with the 3DS frictionless flow.
They can undergo the 3DS challenge flow instead of their payment being declined, resulting in a higher acceptance rate.

Amounts under 30 EUR are considered low-value payments (LVPs) and may be exempt. However, the issuer may still apply SCA if:

Within a 24-hour period, this exemption has been used five times since the customer's last successful authentication.
The total value spent on the card without SCA exceeds 100 EUR.

The transaction risk assessment (TRA) exemption requires you to perform a robust risk analysis, and your payment service provider (PSP) must meet specific fraud thresholds.

Corporate payments made with virtual and lodge cards (typically used for business travel expenses), or from central travel accounts, are exempt.

The customer can add a merchant to a trusted list after the initial SCA, so that all subsequent payments to that business are exempt.

To request to be added to a trusted list, in your initial payment request, set the 3ds.exemption field to trusted_listing_prompt. Then, for subsequent authentication requests, set 3ds.exemption to trusted_listing.

To request an SCA exemption, in your payment request:

Set 3ds.enabled to:
- true for exemption during authentication
- false for exemption during authorization
Specify the exemption type in the 3ds.exemption field.

The issuer decides whether the requested exemption applies. They assess the payment's risk and decide to do one of the following:

Exemption decision Description

Exemption decision	Description
Accept the exemption.	The issuer allows the payment to be completed without SCA. Note There is no liability shift. This means you are liable if the payment is fraudulent.
Reject the exemption during authentication.	The payment is not declined, but the customer must undergo SCA.
Reject the exemption during authorization.	You receive a `20154` response code and must retry the payment with both of the following: The `3ds.enabled` field set to `true` The `3ds.challenge_indicator` field set to `challenge_requested` or `challenge_requested_mandate` If you requested the exemption using the standalone authentication Sessions API or a third-party provider, you must also flag any successful authentication exemption in the authorization message. Set `3ds.enabled` to `true`. In the `3ds.exemption` field, specify the exemption that was applied during authentication.

Accept the exemption.

The issuer allows the payment to be completed without SCA.

Note

There is no liability shift. This means you are liable if the payment is fraudulent.

Reject the exemption during authentication.

The payment is not declined, but the customer must undergo SCA.

Reject the exemption during authorization.

You receive a 20154 response code and must retry the payment with both of the following:

The 3ds.enabled field set to true
The 3ds.challenge_indicator field set to challenge_requested or challenge_requested_mandate

If you requested the exemption using the standalone authentication Sessions API or a third-party provider, you must also flag any successful authentication exemption in the authorization message.

Set 3ds.enabled to true.
In the 3ds.exemption field, specify the exemption that was applied during authentication.

Card schemes support the following exemptions at authentication and authorization.

Information

American Express handles the trusted merchant list exemption itself, so you do not need to request it.

Scheme	Low-value payment	Transaction risk assessment	Secure corporate payment	Trusted merchant list
Authentication
Visa
Mastercard
American Express				N/A
Diners Club (DCI)
Authorization
Visa
Mastercard
American Express				N/A
Diners Club (DCI)

SCA affects different business scenarios and payment types as follows:

Payment type	SCA applicability	Payment request fields
Ecommerce
The customer enters their card details at checkout for one-off online payment.	Yes, unless an exemption applies.	`"3ds.enabled": true` or `3ds.exemption` `"source.store_for_future_use": false`
The customer uses stored card details to make a one-off online payment.	Yes, unless an exemption applies.	`"3ds.enabled": true` or `3ds.exemption` `"source.stored": true` if providing the full card details using the API
The customer enters their card details at checkout, which are stored for future use.	Yes	`"3ds.enabled": true` `"3ds.challenge_indicator": "challenge_requested_mandate"`
Subscriptions
The initial payment that starts the subscription. This can be a zero-dollar authorization or a card verification.	Yes	`"3ds.enabled": true` `"merchant_initiated": false` `"3ds.challenge_indicator": "challenge_requested_mandate"` `"payment_type": "Recurring"`
Subsequent subscription payments.	No. These qualify as merchant-initiated transactions (MITs), which are out of scope for SCA.	`"payment_type": "Recurring"` `"merchant_initiated": true` `"previous_payment_id"` `"source.stored": true` if providing the full card details
Unscheduled MITs
The initial payment where the customer agrees to the terms and conditions of subsequent payments. This can be a zero-dollar authorization or card verification.	Yes	`"3ds.enabled": true` `"merchant_initiated": false` `"3ds.challenge_indicator": "challenge_requested_mandate"` `"payment_type": "Unscheduled"`
Subsequent payments as agreed in the initial terms and conditions.	No. These qualify as MITs, which are out of scope.	`"source.stored": true` `"merchant_initiated": true` `previous_payment_id` `"payment_type": "Unscheduled"`
MOTO payments
Payments made by mail order or over the phone.	No. MOTO payments are out of scope.	`"payment_type": "moto"`
Incremental authorizations
The first payment, where the customer agrees to later merchant-initiated authorizations.	Yes, unless an exemption applies.	`"3ds.enabled": true` or `3ds.exemption`
Subsequent merchant-initiated incremental authorizations.	No. These qualify as MITs, which are out of scope.	`"merchant_initiated": true` `previous_payment_id`
Travel and hospitality indirect sales
Payments processed by the travel or hospitality service provider.	Yes. However, you can flag these as MOTO payments, which are out of scope.	`"payment_type": "moto"`

Information

For more information about the additional fields required for payments using stored cards, see Pay with stored card details.

To implement 3DS and comply with SCA, provide the following fields in your payment requests:

Field name Description

Field name	Description
`3ds.enabled` boolean	Whether or not to apply 3DS authentication to the payment. This can be one of: `true` – Apply 3DS. Use this when requesting exemptions during authentication. `false` – Do not apply 3DS. Use this when requesting exemptions during authorization.
`3ds.challenge_indicator` string	Your preference for whether or not to perform a 3DS challenge. The decides whether to challenge the customer. If you also provide `3ds.exemption`, it overrides `3ds.challenge_indicator`. This can be one of: `no_preference` (default) – You have no preference whether or not to challenge the customer. `no_challenge_requested` – You do not want to challenge the customer. `challenge_requested` – You want to challenge the customer. `challenge_requested_mandate` – The customer must be challenged due to local requirements.
`3ds.exemption` string	Request an SCA exemption for the payment. The decides whether or not it applies. If the requested exemption is not supported or enabled, `3ds.challenge_indicator` is used as a fallback. This can be one of: `low_value` – Request the low-value exemption. `secure_corporate_payment` – Request the secure corporate payment exemption. `transaction_risk_assessment` – Request the transaction risk assessment (TRA) exemption. `trusted_listing` – Request the trusted merchant list exemption. `trusted_listing_prompt` – Request to be added to the trusted list exemption.

3ds.enabled

boolean

Whether or not to apply 3DS authentication to the payment.

This can be one of:

true – Apply 3DS. Use this when requesting exemptions during authentication.
false – Do not apply 3DS. Use this when requesting exemptions during authorization.

3ds.challenge_indicator

string

Your preference for whether or not to perform a 3DS challenge. The decides whether to challenge the customer.

If you also provide 3ds.exemption, it overrides 3ds.challenge_indicator.

This can be one of:

no_preference (default) – You have no preference whether or not to challenge the customer.
no_challenge_requested – You do not want to challenge the customer.
challenge_requested – You want to challenge the customer.
challenge_requested_mandate – The customer must be challenged due to local requirements.

3ds.exemption

string

Request an SCA exemption for the payment. The decides whether or not it applies.

If the requested exemption is not supported or enabled, 3ds.challenge_indicator is used as a fallback.

This can be one of:

low_value – Request the low-value exemption.
secure_corporate_payment – Request the secure corporate payment exemption.
transaction_risk_assessment – Request the transaction risk assessment (TRA) exemption.
trusted_listing – Request the trusted merchant list exemption.
trusted_listing_prompt – Request to be added to the trusted list exemption.


1{
2  "source": {
3    "type": "token",
4    "token": "tok_f6z4mnoububudpqnvhwa5ff27u"
5  },
6  "amount": 2000,
7  "currency": "USD",
8  "3ds": {
9    "enabled": true,
10    "challenge_indicator": "challenge_requested_mandate"
11  },
12  "success_url": "https://example.com/payments/success",
13  "failure_url": "https://example.com/payments/failure"
14}


1{
2  "source": {
3    "type": "token",
4    "token": "tok_f6z4mnoububudpqnvhwa5ff27u"
5  },
6  "amount": 2000,
7  "currency": "USD",
8  "3ds": {
9    "enabled": false,
10    "exemption": "low_value"
11  },
12  "success_url": "https://example.com/payments/success",
13  "failure_url": "https://example.com/payments/failure"
14}


1{
2  "source": {
3    "type": "token",
4    "token": "tok_f6z4mnoububudpqnvhwa5ff27u"
5  },
6  "amount": 2000,
7  "currency": "USD",
8  "3ds": {
9    "enabled": true,
10    "exemption": "low_value"
11  },
12  "success_url": "https://example.com/payments/success",
13  "failure_url": "https://example.com/payments/failure"
14}

If you requested an exemption during authorization that the issuer rejects, you receive a 20154 soft decline code in the response. This means SCA is required to complete the payment.

You must resend the payment request with:

The 3ds.enabled field set to true
Optionally, the 3ds.challenge_indicator field set to challenge_requested_mandate

Information

For more information, see Authenticate payments.

SCA compliance

SCA applicability

SCA compliance

Out-of-scope payments

Merchant-initiated transactions

Information

SCA exemptions

Exemption types

Low-value payments

Transaction risk assessment

Secure corporate payments

Trusted merchant list

Request an exemption

Issuer decision

Note

Exemptions using a third-party authentication provider

Exemptions per scheme

Information

Business scenarios

Information

3DS with the Payments API

3DS request examples

Information