On September 14, 2019, Strong Customer Authentication (SCA) became a requirement for businesses processing online payments in Europe. These requirements were part of the Revised Payment Services Directive (PSD2).
In this article, we’ll discuss everything you need to know to be SCA compliant. We’ll cover what SCA exactly is, which transactions are exempt or out of scope, and how SCA applies to your business.
SCA is a European requirement introduced to make online payments more secure and reduce the risk of fraud. This requirement applies to online payments made in the European Economic Area (EEA), Monaco, and the UK.
In short, SCA means shoppers in Europe may need to complete extra levels of authentication when they pay online.
These levels of authentication involve asking customers for two of the three following: something they know, something they own, and something they are.
You can find out which types of information are included in these categories in the image below.
Before SCA, issuing banks could only challenge customers with a single static password. These new dynamic data points verify users’ identities more accurately.
Learn more about SCA and how it fits into PSD2 in this video summary:
Examples of Strong Customer Authentication
With SCA, there are more ways to authenticate shoppers than the traditional ‘something they know’ (like a password). You can now combine other data points, as long as they are from at least two different categories.
Facial recognition or fingerprint (something they are) with your smartphone (something they own)
A code sent to their smartphone (something they own) with a personal password (something they know)
Even though increased authentication is now required, more data points are available to choose from. This should make it easier for the customer to authenticate a payment and, ultimately, lead to fewer drop-offs.
Key dates: when did Strong Customer Authentication come into effect?
The Strong Customer Authentication (SCA) requirements, as part of PSD2, were officially introduced on September 14, 2019. The European Banking Authority later extended this deadline to December 31, 2020 due to lack of industry readiness.
To date, all EEA countries are enforcing PSD2 SCA requirements. In the UK, the final implementation date has been delayed until March 14, 2022.
Since the full enforcement of PSD2, all merchants inside the EEA should be SCA ready.
How does Strong Customer Authentication work in practice?
Implementing SCA differs depending on the payment method.
The protocol 3D Secure provides an extra layer of authentication to verify the customer’s identity. It's supported by most European debit and credit card companies.
Once the customer completes the SCA step, the issuing bank, not the business, becomes liable for any fraudulent chargebacks.
Local payment methods and digital wallets
Apart from 3D Secure, you can also make sure you meet SCA requirements with local payment methods and digital wallets. These have the added advantage of increasing conversion rates in certain markets and use cases.
Across the EEA, we see local payment methods converting well, for example:
Bancontact Mobile in Belgium
iDEAL in The Netherlands
MobilePay, Vipps and Swish in Norway, Sweden, Denmark, and Finland
EPS in Austria
Blik in Poland
MBWay in Portugal
International e-wallets like Apple Pay and Google Pay™ also provide checkout flows that meet the new SCA requirements. For more details, visit our SCA documentation page.
When does Strong Customer Authentication apply?
SCA is required for online European payments. This means both the business and the card holder’s bank are in Europe. We’re also seeing more regions, such as India, start to introduce SCA as a requirement.
But there are some transactions exempt from SCA or out of the PSD2 SCA scope. Below you can find an extensive list of the specific transactions where this is the case.
SCA: exempt or out of scope transactions
SCA exemptions aim to keep the customer journey frictionless for specific payment scenarios. Out of scope transactions are not covered by the PSD2 mandate and don’t require SCA.
Below is a list of the most relevant exempt or out of scope transactions.
Note if you or your acquirer requests an exemption and the request is accepted by the issuer, the liability stays with you. If the exemption is applied by the issuer, the liability shifts to the issuer.
Low risk transactions - Transaction Risk Analysis (TRA)
Transactions through acquirer or issuer whose fraud level is below a certain threshold.
Certain acquirers, like Adyen, look at the risk involved with each ‘in-scope’ transaction, to comply with the TRA requirements. If the acquirer thinks a transaction is low risk, it can request a ‘TRA exemption’ to try to skip SCA.
But, this is only possible if the acquirer or issuer’s fraud rates are below the following thresholds:
0.13% for amounts between €0 to €100 EUR
0.06% for amounts between €100 to €250 EUR
0.01% for amounts between €250 to €500 EUR
In the end, the issuer decides whether to accept this exemption request or still enforce SCA.
Low value transactions
Transactions under €30 and cumulative payments higher than €100 on the same card.
Transactions under €30 EUR are exempt from SCA. But the issuing bank will keep track of how many payments are made using this exemption.
SCA is required if the total amount attempted on the card is higher than €100 EUR, and every five transactions.
Certain trusted merchants chosen by the cardholder.
Customers can assign businesses to a whitelist of ‘Trusted Beneficiaries’. This list is maintained by their bank. Whitelisted merchants, whatever the transaction amount, can be exempt from SCA.
This lets regular customers mostly skip SCA with the businesses they've chosen to whitelist.
Recurring, fixed-amount transactions after first payment.
Recurring, fixed-amount transactions will be exempt from the second transaction onwards. Only the initial transaction requires SCA. But, if the transaction amount changes, SCA will be required for every new amount.
Or, you can also flag these types of payments as a Merchant Initiated Transaction (MIT) which are out of scope of the PSD2 SCA requirements. Find out more about MITs below.
Payments between corporations.
Payments made between two corporations can be exempt from SCA. But, this is only possible when the payment method is a payment instrument dedicated to make such B2B payments.
SCA out of scope transactions
Payments via phone or mail.
Mail Order and Telephone Orders (MOTO) are exempt from SCA in all cases. MOTO transactions are not considered to be ‘electronic’ payments, so are out of the scope.
Merchant Initiated Transactions (MITs)
Transactions without direct customer involvement.
Merchant initiated transactions (MITs) are transactions that don't directly involve the customer. The payment is taken from a saved card with the customer’s prior consent on an arranged date.
For example, some products have a variable cost based on usage, like energy contracts. The first payment, or the first time the card is saved, always needs to be authenticated. But the following payments can skip SCA if marked as a ‘Merchant Initiated Transaction.’
Payments involving non-European businesses or customers.
Inter-regional transactions, also known as one leg transactions, are payments where the issuer or the acquirer of the card is not based in the EEA, Monaco, or the UK.
These types of transactions are also considered out of scope. Meaning European businesses can accept payments from non-European shoppers without PSD2 SCA requirements.
Full list of exempt and out of scope transactions
Many exemptions and out of scope scenarios which depend heavily on the bank, scheme, and regulatory interpretation.
You can find a list of all the exemptions in the official Regulatory technical standards on strong customer authentication and secure communication under PSD2.
What happens if you aren't SCA compliant?
The PSD2 SCA regulations are for banks, not for merchants. Issuing banks that approve non-compliant transactions are violating the law in their home country.
The risk for the merchant is the bank refusing your transactions, which causes lower authorization rates.
How to ensure SCA compliance with Adyen
With Adyen, you can either choose for our Authentication Engine to handle PSD2 SCA compliance for you, or you can manage it yourself.
With the Adyen Authentication Engine, we won’t trigger 3D Secure for out of scope transactions or exemptions. We'll also skip 3D Secure if the issuing bank doesn’t enforce 3D Secure.
If you want to manage PSD2 SCA compliance yourself, Adyen offers two options. You can either:
configure rules with Adyen Dynamic 3D Secure
specify preferences in your API request.
For more information on how to implement any of these options, check out our SCA compliance docs page.