
Strong customer authentication (SCA) – what it is and how to comply

August 29, 2025 | 5 mins read

Strong customer authentication is changing online payments. Find out how to meet PSD2 rules, reduce fraud, and keep checkout smooth for your customers.


Strong Customer Authentication (SCA) is changing how businesses process online payments in markets covered by PSD2. If you sell to customers in the EU or UK, SCA rules affect when and how you authenticate buyers, impacting everything from conversion rates to fraud prevention. Here’s what you need to know about SCA, how it works, and how to stay compliant and keep customers moving smoothly through checkout.

What is strong customer authentication?

Strong customer authentication (SCA) is a security requirement introduced under the revised Payment Services Directive (PSD2). The detailed rules are set out in the Regulatory Technical Standards (RTS) on SCA, adopted by the European Commission as Delegated Regulation (EU) 2018/389. Its aim is simple: reduce fraud and protect consumers during online payments. The rules mandate multi-factor authentication for most electronic payments initiated by the payer within the European Economic Area (EEA); the UK retained an equivalent requirement after leaving the EU.

In SCA authentication, customers need to verify themselves using at least two of three elements: 

  • Something they know – such as a password or PIN
  • Something they have – like a phone or hardware token
  • Something they are – biometric data, such as a fingerprint or face scan

This multi-factor authentication approach significantly tightens access to sensitive payment flows and customer data. The factors must also be independent of each other, so that compromising one (for example, a phone that receives one-time codes) does not compromise the others.

With a more rigorous verification, SCA makes it harder for fraudsters to gain access to accounts or complete unauthorised payments. For merchants and payment providers, the challenge is to meet these rules while keeping checkout fast and frustration-free.

When and where does SCA apply?

| Scenario | In scope for SCA | Exempt / conditional | Notes for merchants |
|---|---|---|---|
| Online customer-initiated card payment | Yes | Possible exemptions for low-value or low-risk transactions | Most common SCA scenario; an exemption is a request that the issuer may refuse. |
| Merchant-initiated payment (e.g. subscription renewal) | No (out of scope) | Only if the agreement was set up with an SCA-authenticated transaction | Keep a record of, and reference, the initial authenticated authorisation. |
| In-store contactless payment | Yes | Exempt while under the thresholds | Single payment up to €50; SCA is triggered after 5 consecutive contactless payments or €150 cumulative spend since the last SCA. |
| One-leg-out transaction (cross-border, only one party regulated under EU payment law) | Conditional | Applied on a best-efforts basis, depending on issuer risk policy | Even if the merchant is outside the EEA/UK, SCA may apply if the issuer requires it. |
| Chip & PIN in-store payment | Yes | No exemption needed | PIN entry (knowledge) plus the card (possession) already meets SCA. |
| Digital wallet payment (Apple Pay, Google Pay) | Yes | Meets SCA by design | Device possession plus biometric or device passcode; ensure the device and biometric setup meet PSD2 standards. |

SCA regulations apply to transactions where both the payer's and the payee's banks, or payment service providers, are located within the EEA (the UK applies its own equivalent regime). For one-leg-out (OLO) transactions, where only one party is based within the region, SCA is applied on a best-efforts basis and may still be required depending on risk factors and issuer policies.

Contactless in-store payments also fall within scope, though an exemption exists for small amounts. A single contactless payment of up to €50 can go through without SCA, but once the cardholder has made five consecutive contactless payments, or the cumulative amount since the last SCA exceeds €150, the terminal will ask for the PIN. The online counterpart is the low-value remote exemption described below, which has its own, lower limits.

Customer-initiated payments, like online card transactions, are directly affected. Merchant-initiated transactions, such as recurring billing arrangements, fall outside the scope of SCA because the payer is not present at the time of payment, provided the agreement was set up with a transaction that itself met the SCA requirements.

How SCA impacts online payments

For every card-not-present payment, merchants need to know whether authentication is required and if an exemption can be applied, often making this decision in real time at checkout. Getting it wrong leads to failed payments (an issuer that refuses a requested exemption typically returns a soft decline asking the merchant to retry with authentication) or to increased fraud risk.

For subscription and recurring billing models, SCA is typically only needed for the first transaction. Future merchant-initiated transactions (MITs) can be exempt, provided they’re flagged correctly and linked to the initial SCA-approved authorisation.

Antom’s solutions including Auto Debit and Subscription Payments support these online payment flows. Our solutions make it easier to capture the right customer consent, flag exemptions accurately, and manage fallback options if a bank challenges or declines a transaction.

Understanding SCA exemptions

Certain transactions are exempted from SCA, provided the appropriate conditions are met and the issuing bank agrees. These exemptions reduce friction at checkout while still meeting regulatory standards.

Low-value transactions

Remote payments of €30 or less can be exempt from SCA. But this isn't unconditional. If the consumer initiates more than five consecutive exempted payments, or their cumulative value since the last authentication exceeds €100, the issuer will request authentication. The issuer keeps these counters, so a merchant can never be certain the exemption will be granted and must be ready to handle a soft decline.

Transaction risk analysis (TRA)

One of the more powerful exemptions, TRA allows a payment service provider to request an exemption based on its reference fraud rate. The RTS ties the exemptable amount to that rate: up to €100 if the fraud rate is at or below 0.13%, up to €250 at 0.06%, and up to €500 at 0.01%. For low-risk transactions and providers with strong fraud detection, this path reduces friction without compromising security. Issuers remain in control and may still challenge the exemption if fraud risk indicators arise, and because the exemption is requested from the acquiring side, fraud liability for an exempted transaction stays with the merchant instead of shifting to the issuer.

Trusted beneficiaries and recurring transactions

Consumers can add trusted merchants to a whitelist held by their bank; adding an entry is itself an action the bank authenticates with SCA. Once a merchant is on the list, follow-up payments to it can be exempted from SCA. Likewise, a series of recurring transactions for a fixed amount to the same payee is eligible for exemption after the first transaction in the series has been authenticated.

Merchant-initiated and corporate transactions

Merchant-initiated transactions (MITs), where a merchant pulls funds under an existing agreement without the customer present, are outside the SCA scope altogether, while corporate payments made through dedicated secure processes qualify for a separate exemption. In both cases the transaction must be flagged with the correct indicators (and an MIT must reference the original authenticated transaction), or the issuer may reject it.
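To make the low-value, TRA and merchant-initiated rules above concrete, here is a merchant-side decision helper. It is an added example, not Antom code and not a regulatory reference: the `PayerState` counters, the `Mandate` record and the `decide` function are this example's own assumptions. In practice the issuer's counters, not the merchant's, are authoritative, so the helper only avoids requesting exemptions that cannot succeed; the issuer still has the final say.

```python
"""Merchant-side SCA exemption decision helper (added example, not Antom code).

Encodes the rules discussed above:
  * low-value remote exemption: single amount <= EUR 30, and since the last SCA
    at most 5 transactions and at most EUR 100 cumulative (the stricter reading
    issuers commonly apply; the RTS text joins the two limits with "or");
  * transaction risk analysis (TRA): exemptable amount depends on the acquirer's
    reference fraud rate (RTS Annex: 0.13% -> EUR 100, 0.06% -> EUR 250,
    0.01% -> EUR 500);
  * merchant-initiated transactions (MIT): out of scope only when linked to a
    mandate whose set-up was SCA-authenticated.
Assumption: the merchant keeps its own counters to avoid hopeless requests;
the issuer's counters are authoritative and an exemption is only a request.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

LOW_VALUE_MAX = Decimal("30")
LOW_VALUE_CUMULATIVE_MAX = Decimal("100")
LOW_VALUE_MAX_COUNT = 5

# (maximum reference fraud rate, amount ceiling) tiers for the TRA exemption
TRA_TIERS = [
    (Decimal("0.0001"), Decimal("500")),
    (Decimal("0.0006"), Decimal("250")),
    (Decimal("0.0013"), Decimal("100")),
]


@dataclass
class PayerState:
    """Counters for one payer since the issuer last applied SCA."""
    count_since_sca: int = 0
    amount_since_sca: Decimal = Decimal("0")


@dataclass
class Mandate:
    """Record of a recurring-payment agreement (hypothetical structure)."""
    mandate_id: str
    sca_authenticated: bool   # was the set-up transaction authenticated with SCA?
    initial_auth_ref: str     # reference to that initial authorisation


@dataclass
class Decision:
    action: str   # "sca_required" | "request_exemption" | "out_of_scope"
    basis: str
    note: str = ""


def tra_ceiling(fraud_rate) -> Decimal:
    """Highest amount the acquirer may exempt under TRA at this fraud rate."""
    rate = Decimal(str(fraud_rate))
    for max_rate, ceiling in TRA_TIERS:
        if rate <= max_rate:
            return ceiling
    return Decimal("0")   # above 0.13%: TRA exemption not available


def decide(amount, state: PayerState, *, merchant_initiated: bool = False,
           mandate: Optional[Mandate] = None, acquirer_fraud_rate=None,
           low_risk: bool = False) -> Decision:
    amount = Decimal(str(amount))
    if merchant_initiated:
        # No payer present: out of scope only if the mandate itself was SCA-authenticated
        if mandate is not None and mandate.sca_authenticated:
            return Decision("out_of_scope", "mit", f"reference {mandate.initial_auth_ref}")
        return Decision("sca_required", "mit_without_sca_mandate")
    # Low-value check counts the current payment towards the cumulative limit (stricter)
    if (amount <= LOW_VALUE_MAX
            and state.count_since_sca < LOW_VALUE_MAX_COUNT
            and state.amount_since_sca + amount <= LOW_VALUE_CUMULATIVE_MAX):
        return Decision("request_exemption", "low_value")
    if (low_risk and acquirer_fraud_rate is not None
            and amount <= tra_ceiling(acquirer_fraud_rate)):
        return Decision("request_exemption", "tra", "fraud liability stays with the merchant")
    return Decision("sca_required", "no_exemption_applies")


def record_outcome(state: PayerState, amount, sca_applied: bool) -> PayerState:
    """Update the payer's counters once the issuer has answered."""
    if sca_applied:
        state.count_since_sca = 0
        state.amount_since_sca = Decimal("0")
    else:
        state.count_since_sca += 1
        state.amount_since_sca += Decimal(str(amount))
    return state


if __name__ == "__main__":
    payer = PayerState()
    for i in range(6):   # six EUR 20 payments: the sixth must be authenticated
        d = decide(20, payer)
        print(i + 1, d.action, d.basis)
        record_outcome(payer, 20, sca_applied=(d.action == "sca_required"))
```

The demo at the bottom shows the counter behaviour: five €20 payments pass as low-value, the sixth is sent for authentication, which resets the counters. Whatever `decide` returns, the integration still has to handle the issuer refusing the request.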

SCA and 3D Secure 2 (3DS2)

The most widely used technology to enable SCA compliance for card transactions is 3D Secure 2 (3DS2). It enables banks to authenticate users through risk-based mechanisms, often without introducing friction at checkout.

3DS2 supports both challenge and frictionless flows. The latter is applied when the issuer is confident in the transaction's legitimacy, based on the device and transaction data sent in the authentication request, and allows it to proceed without further customer input. This smooths the user journey, and because the issuer still authenticates the transaction, the liability shift to the issuer remains intact. The picture changes when the merchant requests an exemption instead: the transaction skips authentication, but fraud liability then stays with the merchant.
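As an added example of how a merchant integration drives the two flows (this is not Antom's or EMVCo's code): the `transStatus` values and `threeDSRequestorChallengeInd` codes below are those defined in the EMVCo 3-D Secure 2.x message specification, while the dict-shaped messages, the `NextStep` type and the handler names are this example's own conventions, and the sample messages are constructed rather than captured.

```python
"""Merchant-side handling of 3DS2 authentication outcomes (added example; not
Antom or EMVCo code). The transStatus codes and threeDSRequestorChallengeInd
values are those of the EMVCo 3-D Secure 2.x message specification; the message
dicts, NextStep type and handler names are this example's own conventions."""
from dataclasses import dataclass
from typing import Optional

# transStatus in the ARes (and in the final RReq after a challenge)
TRANS_STATUS = {
    "Y": "authenticated",        # frictionless success
    "C": "challenge_required",   # issuer asks for a step-up
    "N": "not_authenticated",    # cardholder failed or issuer refused
    "U": "unavailable",          # ACS could not authenticate (technical)
    "A": "attempted",            # attempted; proof of attempt provided
    "R": "rejected",             # issuer rejects; do not retry
}

# threeDSRequestorChallengeInd sent by the merchant in the AReq
CHALLENGE_IND = {
    "no_preference": "01",
    "prefer_frictionless": "02",
    "prefer_challenge": "03",
    "challenge_mandated": "04",   # e.g. setting up a recurring mandate
    "tra_exemption": "05",        # 3DS 2.2+: TRA already performed, no challenge requested
    "trusted_beneficiary": "08",  # 3DS 2.2+: use whitelist exemption if possible
}


@dataclass
class NextStep:
    action: str           # "authorise" | "challenge" | "decline" | "retry_or_exempt"
    authenticated: bool   # True only when the issuer authenticated the cardholder
    detail: str = ""


def build_areq_hints(exemption: Optional[str] = None,
                     first_of_series: bool = False) -> dict:
    """Choose the challenge indicator: the first payment of a series (mandate set-up)
    must be authenticated, while an exemption request asks for a frictionless flow."""
    if first_of_series:
        return {"threeDSRequestorChallengeInd": CHALLENGE_IND["challenge_mandated"]}
    if exemption in ("tra_exemption", "trusted_beneficiary"):
        return {"threeDSRequestorChallengeInd": CHALLENGE_IND[exemption]}
    return {"threeDSRequestorChallengeInd": CHALLENGE_IND["no_preference"]}


def handle_ares(ares: dict) -> NextStep:
    """Map the issuer's ARes to the merchant's next move."""
    status = ares.get("transStatus")
    if status == "Y":
        # Authorise only with the proof (CAVV/AAV plus ECI) the authorisation must carry
        if not ares.get("authenticationValue") or not ares.get("eci"):
            return NextStep("decline", False, "Y without authenticationValue/eci")
        return NextStep("authorise", True, f"eci={ares['eci']}")
    if status == "C":
        if not ares.get("acsURL"):
            return NextStep("decline", False, "challenge requested without acsURL")
        return NextStep("challenge", False, ares["acsURL"])
    if status == "A":
        return NextStep("authorise", False, "attempted only; scheme rules decide liability")
    if status == "U":
        # Technical failure: retry later, or request an exemption where one applies
        return NextStep("retry_or_exempt", False, ares.get("transStatusReason", ""))
    # "N", "R" or anything unexpected: never authorise
    return NextStep("decline", False, f"transStatus={status!r}")


def handle_final(rreq: dict) -> NextStep:
    """After a challenge the RReq carries the final result; "C" is no longer valid."""
    if rreq.get("transStatus") == "C":
        return NextStep("decline", False, "final result cannot be C")
    return handle_ares(rreq)


if __name__ == "__main__":
    # Constructed sample messages, not captured traffic
    frictionless = {"transStatus": "Y", "eci": "05",
                    "authenticationValue": "AAABBBCCCDDDEEEFFFGGGHHHIIIJ"}
    challenge = {"transStatus": "C", "acsURL": "https://acs.issuer.example/challenge"}
    print(build_areq_hints(first_of_series=True))
    print(handle_ares(frictionless))
    print(handle_ares(challenge))
    print(handle_final({"transStatus": "N"}))
```

The point of the `Y` branch is that a frictionless result is only worth the liability shift if the authentication value and ECI actually reach the authorisation message; a "Y" with those fields missing is treated as a failure rather than silently authorised.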

Antom integrates 3DS2 into EasySafePay and checkout solutions, working smoothly across websites, apps, and mobile browsers. This ensures broad compatibility, better UX, and fewer cart abandonments even when SCA enforcement is strict.

Technical and regulatory considerations for SCA compliance

Integrating 3DS2 securely

Antom provides SDK and API-based integration paths for 3DS2. While SDKs reduce the development burden and provide built-in components, APIs offer more control and customisation. Sandbox testing tools are also available to simulate flows before going live.

Managing exemptions efficiently

Some payments can qualify for an exemption from SCA, which makes checkout faster for buyers. But these exemptions come with strict limits. Merchants must keep track of things like the number and cumulative value of exempted low-value payments since the last authentication, and the amount ceilings that apply to transaction risk analysis. Without monitoring these closely, an exemption request may be refused and the payment soft-declined, which shows up as a failed payment unless the integration retries with authentication.

Staying updated on PSD2 and local regulations

The European Union is preparing to replace PSD2 with two new instruments: a revised Payment Services Directive (PSD3) and a directly applicable Payment Services Regulation (PSR) that will affect how payment providers operate. The timeline depends on final adoption, with application currently expected around 2026 to 2027. These updates are intended to bring clearer requirements for strong customer authentication, fraud liability, mobile wallets, biometric payments, and open banking. Merchants should stay alert to new rules and continue regular checks to ensure compliance at both EU and local levels.

Minimising friction while maximising security

SCA can introduce friction, but friction doesn’t need to lead to failure. Optimising the checkout process is key. Strategies include:

  1. Using biometric authentication – Favour flows that authenticate on the customer's own device, such as wallets and issuer apps using Face ID, fingerprint, or device PIN, over one-time codes sent by SMS, which add friction and are easier to intercept.

  2. Using trusted beneficiary lists – Encourage repeat customers to add your business to the trusted list held by their bank, so that future payments can skip SCA prompts.

  3. Applying Transaction Risk Analysis (TRA) exemptions – Work with your payment provider to dynamically request exemptions for low-risk transactions to avoid unnecessary challenges.

  4. Streamlining step-up authentication – If an extra verification step is required, keep the process short and within the checkout flow to avoid drop-offs.

  5. Retrying intelligently – For failed or abandoned authentication, prompt customers to try again without starting over.

Antom helps reduce cart abandonment with Retry and Top-Up features, part of our Revenue Booster solution. These intelligent flows guide users through failed payments without making them start over, improving conversion while staying within SCA regulations.

Conclusion

Strong Customer Authentication (SCA) is an important consideration for global merchants, not only in the EEA and UK. As more regions adopt similar standards, secure authentication becomes central to fighting fraud and protecting customers.

For international businesses, treating SCA as part of a broader payments strategy ensures readiness wherever stricter rules apply. By embedding 3DS2 and managing exemptions effectively, merchants can stay compliant, minimise friction at checkout, and support secure growth worldwide.
