
Strong Customer Authentication (SCA)

Definition

SCA is the EU regulatory requirement for two-factor authentication on electronic payments, implemented primarily via 3DS2 for card-not-present transactions.

Strong Customer Authentication (SCA) is a regulatory requirement under the EU's PSD2 directive that mandates multi-factor authentication for electronic payments. SCA requires at least two of three factors: something the customer knows (PIN, password), something the customer possesses (phone, card), and something the customer is (biometric). Exemptions exist for low-value transactions, trusted beneficiaries, and low-risk transactions assessed via transaction risk analysis (TRA).

SCA represents the most significant operational change to European card payments in a generation. For PSPs, acquirers, and merchants routing volume through EU/EEA issuers, SCA compliance is a non-negotiable technical and business requirement that materially affects authorization rates and checkout conversion.

The Authentication Factors

SCA requires at least two of three independent elements:

  • Knowledge: Something only the user knows — a password, PIN, or security question answer
  • Possession: Something only the user has — a registered mobile device, a hardware token, or a card (chip)
  • Inherence: Something the user is — fingerprint, face recognition, voice recognition

The two factors must be independent: a breach of one must not compromise the other. A password and a security question are both knowledge factors and do not satisfy the two-factor requirement.

3DS2 as the Primary Mechanism

For card-not-present transactions, 3D Secure 2 (3DS2) is the primary technical mechanism for meeting SCA requirements. The merchant's 3DS server passes rich transaction context (device data, billing and shipping details, account history) to the issuer's access control server, which makes a risk-based decision. For a low-risk transaction the issuer can complete the flow frictionlessly: no challenge is shown to the cardholder, and the issuer records the transaction either as authenticated or as covered by an exemption it applied itself (typically TRA). Higher-risk transactions get a challenge step (one-time code, banking-app approval, biometric) that supplies the second factor. Frictionless flow therefore preserves conversion without stepping outside the regulatory standard, but only because the issuer, not the merchant, is making the exemption call.

3DS2 authentication shifts liability for fraud-related chargebacks from the merchant/acquirer to the issuer, a significant commercial incentive for merchants to implement it regardless of SCA mandate status. The caveat practitioners need: the shift applies to transactions the issuer actually authenticates. A transaction approved under an exemption requested by the merchant or acquirer (TRA, low-value) does not get the liability shift, so requesting an exemption is a trade of fraud liability for conversion, and the exemption engine should weigh that per transaction.

Exemptions

SCA exemptions are critical to checkout conversion optimization. Key exemptions under the PSD2 RTS (Commission Delegated Regulation (EU) 2018/389):

Low-value exemption: Remote transactions of €30 or less. The issuer tracks two counters per card since the last SCA: the exemption cannot be used once the cumulative exempted amount would exceed €100 or once five consecutive transactions have been exempted, so the sixth transaction in a row (or the one that takes the running total past €100) must be authenticated. The merchant cannot see these counters, so a low-value exemption request can be refused at any time and the checkout must be ready to step up.

Transaction Risk Analysis (TRA): An acquirer (or issuer) whose reference fraud rate for remote card payments is below a defined threshold may exempt transactions up to a matching ceiling: 0.13% for transactions up to €100, 0.06% up to €250, and 0.01% up to €500. The fraud rate is the PSP's across its portfolio, not the merchant's own, so a merchant's access to TRA depends on which acquirer it uses. This is the most commercially valuable exemption for high-volume merchants.

Merchant-initiated transactions (MITs): Strictly an out-of-scope case rather than an RTS exemption: a charge the merchant initiates under an existing agreement, with the cardholder not present, is not a payer-initiated transaction and so is not subject to SCA. The agreement (mandate) must itself be set up with SCA on the initial cardholder-present transaction, and the card schemes require later MITs to be flagged as such and linked to that initial authorization. Subscription billing and card-on-file charges rely heavily on this.

Trusted beneficiaries: Cardholders can add specific merchants to a whitelist held by their issuer, exempting later payments to those merchants from SCA. Adding to or amending the list is itself an SCA event, and the exemption is the issuer's to apply: a merchant can flag a transaction as a trusted-beneficiary candidate in 3DS2, but cannot apply the exemption on its own.

SCA Outside the EU

SCA is an EU/EEA-specific regulatory requirement. However, its influence is spreading:

  • The UK retained and implemented its own SCA rules post-Brexit, closely mirroring the EU framework with some timeline differences
  • Australia has no direct equivalent, though the RBA has signaled interest in stronger authentication standards
  • Southeast Asia has no SCA mandate, but several markets have their own authentication requirements: Singapore’s MAS requires two-factor authentication for high-value transfers, and Bank Negara Malaysia has similar requirements for internet banking. These are bank-centric rules, not PSD2-equivalent merchant-facing mandates

For PSPs operating globally, SCA logic must be applied selectively. The mandate covers "two-leg" transactions, where both the issuer and the acquirer are in the EU/EEA, and it is keyed to the location of those two PSPs (the issuer's from the card BIN, the acquirer's from its licence), not to the merchant's location or the cardholder's billing address. One-leg transactions (an EEA issuer with a non-EEA acquirer, or the reverse) are subject only to a best-efforts expectation, although an EEA issuer may still soft-decline such a transaction and ask for authentication.

Operator Implications

Transactions sent to EU issuers without SCA (or without a valid exemption request) where SCA is required are not hard-declined. The issuer returns a soft decline, a scheme-specific response code (Visa 1A, Mastercard 65) meaning "authentication required", and the same authorization can be resubmitted once a 3DS2 authentication has been completed. Implementing a proper exemption engine, one that requests an exemption where the transaction is eligible, recognizes the soft decline, steps up to a 3DS2 challenge and retries, is essential to maintaining authorization rates in EU markets. Treating the soft decline as a final decline is a common and expensive mistake.
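As an added example that is not part of the original glossary entry, the following Python sketch implements the exemption logic from the Exemptions section together with the soft-decline fallback described above. Everything in it is constructed for illustration: the issuer side (`issuer_authorize`) is simulated so that the low-value counters and the soft decline can be exercised offline, the TRA tiers are the RTS reference fraud rates, and the country set, the `Decision` names and the `process` flow are assumptions made here, not any scheme's or PSP's API.

```python
"""Toy SCA exemption engine plus a simulated issuer (constructed for this example)."""
from dataclasses import dataclass
from enum import Enum

# EU27 plus the three EEA EFTA states. The UK runs its own post-Brexit regime and is
# deliberately left out (assumption: GB is treated as one-leg here).
EEA = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
       "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
       "SE", "IS", "LI", "NO"}
LOW_VALUE_LIMIT_EUR = 30.0        # RTS Art. 16 per-transaction ceiling
LOW_VALUE_CUMULATIVE_EUR = 100.0  # cumulative exempted spend since last SCA
LOW_VALUE_MAX_CONSECUTIVE = 5     # consecutive exempted transactions since last SCA


class Decision(str, Enum):
    OUT_OF_SCOPE = "out_of_scope"  # one-leg or merchant-initiated: no SCA mandated
    TRUSTED_BENEFICIARY = "trusted_beneficiary"
    TRA = "tra"
    LOW_VALUE = "low_value"
    CHALLENGE = "challenge"        # nothing fits: authenticate via 3DS2 up front


@dataclass
class Txn:
    amount_eur: float
    issuer_country: str               # derived from the card BIN in practice
    acquirer_country: str
    merchant_initiated: bool = False  # MIT under a mandate that was set up with SCA
    trusted_beneficiary: bool = False # cardholder has whitelisted this merchant


@dataclass
class IssuerCounters:
    """Per-card counters the issuer keeps since the last SCA; merchants cannot see them."""
    consecutive_exempt: int = 0
    cumulative_exempt_eur: float = 0.0


def tra_limit_eur(acquirer_fraud_rate: float) -> float:
    """Ceiling the acquirer may request TRA up to, from the RTS reference fraud rates."""
    if acquirer_fraud_rate <= 0.0001:  # 0.01%
        return 500.0
    if acquirer_fraud_rate <= 0.0006:  # 0.06%
        return 250.0
    if acquirer_fraud_rate <= 0.0013:  # 0.13%
        return 100.0
    return 0.0                         # acquirer not eligible for TRA at all


def decide(txn: Txn, acquirer_fraud_rate: float) -> Decision:
    """Merchant/acquirer side: pick the exemption to request, if any."""
    # SCA is mandated only when both PSPs are in the EEA (two-leg transaction).
    if txn.issuer_country not in EEA or txn.acquirer_country not in EEA:
        return Decision.OUT_OF_SCOPE
    if txn.merchant_initiated:         # not payer-initiated; mandate already SCA'd
        return Decision.OUT_OF_SCOPE
    if txn.trusted_beneficiary:
        return Decision.TRUSTED_BENEFICIARY
    # Prefer TRA: higher ceiling, and it does not consume the issuer's low-value counters.
    if txn.amount_eur <= tra_limit_eur(acquirer_fraud_rate):
        return Decision.TRA
    if txn.amount_eur <= LOW_VALUE_LIMIT_EUR:
        return Decision.LOW_VALUE
    return Decision.CHALLENGE


def issuer_authorize(txn: Txn, decision: Decision, sca_done: bool,
                     counters: IssuerCounters) -> str:
    """Simulated issuer: 'approved' or 'soft_decline' (step-up authentication required)."""
    if sca_done:
        counters.consecutive_exempt = 0       # a completed SCA resets both counters
        counters.cumulative_exempt_eur = 0.0
        return "approved"
    if decision in (Decision.OUT_OF_SCOPE, Decision.TRUSTED_BENEFICIARY, Decision.TRA):
        return "approved"                     # a real issuer may still refuse a TRA request
    if decision == Decision.LOW_VALUE:
        over_count = counters.consecutive_exempt >= LOW_VALUE_MAX_CONSECUTIVE
        over_amount = counters.cumulative_exempt_eur + txn.amount_eur > LOW_VALUE_CUMULATIVE_EUR
        if over_count or over_amount:
            return "soft_decline"             # the sixth in a row, or past EUR 100 in total
        counters.consecutive_exempt += 1
        counters.cumulative_exempt_eur += txn.amount_eur
        return "approved"
    return "soft_decline"                     # CHALLENGE sent without SCA: issuer insists


def process(txn: Txn, acquirer_fraud_rate: float, counters: IssuerCounters) -> list:
    """Full flow: request an exemption, fall back to a 3DS2 challenge on soft decline."""
    decision = decide(txn, acquirer_fraud_rate)
    trace = [decision.value]
    sca_done = decision == Decision.CHALLENGE  # no exemption fits: challenge immediately
    if sca_done:
        trace.append("3ds2_challenge")
    result = issuer_authorize(txn, decision, sca_done, counters)
    trace.append(result)
    if result == "soft_decline":               # never treat this as a hard decline
        trace.append("3ds2_challenge")
        trace.append(issuer_authorize(txn, decision, True, counters))
    return trace
```

Running `process(Txn(20.0, "DE", "NL"), 0.002, card)` six times against one `IssuerCounters` instance approves the first five under the low-value exemption and soft-declines the sixth, which the flow then steps up to a challenge and retries; the same €20 payment from a US-issued card returns `out_of_scope`, and a €400 payment through an acquirer with a 0.005% fraud rate is approved under TRA. The design point is that the merchant side never relies on knowing the issuer's counters: it requests what the transaction is eligible for and always has the step-up path ready.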
