SCA compliance guide

On September 14, 2019, new requirements for authenticating online payments were introduced in Europe as part of the European Union’s second Payment Services Directive (PSD2), aiming to make payments more secure for cardholders.

These requirements, known as Strong Customer Authentication (SCA), apply to customer-initiated online payments and online banking transactions made within Europe.

On this page we’ll take a look at SCA and how we can help you meet it. We’ll explore the sorts of payments it affects and what possible exemptions you can use to offer a frictionless checkout experience for your customers.

SCA is a sort of multi-factor authentication, verifying the identity of the cardholder and increasing the security of online payments. The customer has to provide at least two of the following three elements to satisfy it:

• Something the customers knows (like a password or PIN)
• Something the customer has (like a mobile phone or wearable device)
• Something the customer is (like their fingerprint or facial recognition)

Strong authentication is required for customer-initiated online payments within Europe. For online card payments, SCA applies only to transactions where both your business's bank and the cardholder's bank are located in the European Economic Area (EEA) or the United Kingdom (UK).

• SCA applies if your business's bank and your customer's bank are in the EEA or the UK.
• SCA does not apply if your business's bank and/or your customer's bank is outside the EEA or the UK.

• If your business's bank and your customer's bank are in the EEA, the deadline for SCA readiness was December 31, 2020.
• If your business's bank and your customer's bank are in the UK, gradual enforcement began in June 2021. Full enforcement began on March 14, 2022.

Some transactions fall outside the scope of SCA, meaning they do not require strong authentication.

Scheduled and unscheduled merchant-initiated transactions (MITs) of a fixed or variable amount originating from the merchant, where you make the payment with a customer's previously saved card (like subscriptions and automatic account top-ups) are out of scope.

However, you will need to perform SCA when the card is saved or when the first payment in a series is made by the cardholder. You also need to get an agreement from the customer to charge their card at a later date.

In addition, you must include additional parameters in your payment request to clearly identify such transactions as merchant-initiated. Learn more in our stored card details guide.

Payments made by mail order or over the phone (MOTO) fall outside the scope of SCA.

One leg out (OLO) payments – transactions where you and/or the customer's bank are based outside the European Economic Area (EEA) or the UK – are out of scope.

If a customer uses an anonymous prepaid card, like a gift card, they do not need to go through SCA.

For transactions that are in scope of SCA, you can request exemptions from strong authentication if the transactions meet certain criteria.

However, the customer's bank has the final say on whether or not the requested exemption applies. They will assess the risk of the payment and decide whether to accept the exemption, or reject it and request strong authentication for the transaction.

• Bank accepts exemption. If the customer’s bank accepts the requested exemption, the transaction can be completed without strong authentication.
• Bank rejects exemption. If the customer’s bank does not allow the exemption, you will receive a 20154 response code, meaning that you will need to apply 3DS authentication to the transaction to meet SCA requirements.

The 3DS 2.1 and 2.2 protocols support exemptions. Aside from allowing you to remain SCA-compliant in PSD2-mandated regions, exemptions can also help to provide customers with a seamless experience as more transactions can be approved through frictionless authentication.

Additionally, if an issuer declines an exemption, the customer will have to go through the challenge flow instead of having their transaction declined, resulting in a higher acceptance rate.

Exemptions can either be requested during authentication with "3ds.enabled": true, or authorization with "3ds.enabled": false.

If the bank accepts the exemption, whether it was requested during authentication or authorization, then the transaction can be completed without SCA.

If the bank rejects an exemption requested during authentication, the transaction is not declined but the customer will have to go through SCA.

If the bank rejects an exemption requested during authorization, you will receive a 20154 response code and the payment will need to be retried with 3DS authentication applied and "3ds.challenge_indicator": "challenge_requested_mandate" set to meet SCA requirements.

Payments below €30 are considered low-value and may be exempt. However, the customer’s bank may still trigger strong authentication if, within a 24-hour period, this exemption has been used five times since the customer's last successful authentication or the total value spent on the card without SCA exceeds €100.

The transaction risk assessment (TRA) exemption allows for certain transactions to be exempted from SCA, provided that a robust risk analysis is performed and the PSPs meet specific fraud thresholds. TRA is key to delivering frictionless payment experiences for low-risk transactions.

The customer may add a merchant to a trusted list after the initial strong authentication, meaning all subsequent payments to that business will be exempt.

To request to be added to a trusted list, the first transaction must have the trusted_listing_prompt exemption. Subsequent authentication requests can then be sent with the exemption set to trusted_listing.

Corporate payments made with virtual and lodge cards (typically used for business travel expenses) or from central travel accounts are exempt.

The best way to comply with SCA for your online card payments is to use 3D Secure (3DS) authentication—an authentication protocol supported by the major card schemes.

3DS adds an extra layer of security for online card payments, the cardholder being prompted by their bank to verify their identity (typically a password, SMS code, or fingerprint check) before the payment can be completed.

The latest version of 3DS—3D Secure 2 (3DS2)—is the best way to authenticate online card payments and comply with the SCA requirements. It offers more flexible authentication flows and the ability to request exemptions from SCA, meaning a smoother checkout flow for your customers.

Digital wallets and some local European payment methods should also support SCA:

• Card-based digital wallets like Apple Pay and Google Pay have multi-factor authentication built in to their payment flows, offering a frictionless checkout experience that supports SCA.
• Many common European payment methods, like Bancontact, iDEAL, and Multibanco, should also follow the SCA requirements.

To show the impact of strong authentication, we’ve outlined below how it affects different business models and transactions.

To implement 3D Secure authentication and comply with SCA, you need to add the following fields to your payment requests. See our 3D Secure API integration guide for more details.

1{
2  "source": {
3    "type": "token",
4    "token":"tok_f6z4mnoububudpqnvhwa5ff27u"
5  },
6  "amount": 2000,
7  "currency": "USD",
8  "3ds": {
9    "enabled": true,
10    "challenge_indicator": "challenge_requested_mandate"
11  },
12  "success_url": "http://success.com",
13  "failure_url": "http://failure.com"
14}