Applicability: European Economic Area (EEA), Switzerland, and United Kingdom
In this guide, we'll discuss the European requirement known as Strong Customer Authentication (SCA), introduced by the second Payment Services Directive (PSD2), and the types of payments it covers. We'll also introduce the available exemptions that can be applied on behalf of merchants to create a smooth checkout experience.
Strong Customer Authentication (SCA) is a European regulatory requirement designed to reduce fraud and make online and contactless offline payments more secure. To accept payments and meet SCA requirements, you need to build additional verification into your checkout flow. SCA requires verification of at least two of the following three factors:
| Factor | Description | Examples |
|---|---|---|
| Knowledge | Something the customer knows | Password, PIN code |
| Possession | Something the customer has | Mobile phone, hardware token |
| Inherence | Something the customer is | Fingerprint, facial recognition |
For the original text of the SCA requirements, please refer to the Regulatory Technical Standards (RTS). Banks must decline payments that require SCA but were not authenticated in a way that meets it.
Strong Customer Authentication applies to customer-initiated online payments and contactless offline payments within the UK or European scope. Electronic payments initiated by the customer (card payments, online bank transfers, and similar) require Strong Customer Authentication (SCA) unless an exemption can be applied or the transaction is considered outside the scope of SCA, such as merchant-initiated transactions (e.g., direct debits).
For online card payments, these requirements apply to transactions where both the merchant's payment service provider (the acquirer) and the cardholder's bank (the issuer) are located in the European Economic Area (EEA). If either side is outside the EEA (a "one-leg-out" transaction), SCA does not apply.
The most common method for authenticating online card payments is 3D Secure (3DS) authentication, an authentication standard supported by most European bank cards. Applying 3DS authentication typically adds an extra verification step after checkout, where the bank prompts the cardholder to provide additional information to complete the payment, such as entering a one-time verification code sent to their phone or confirming with a fingerprint in their mobile banking app.
3D Secure 2 (3DS2) is the primary method for authenticating online card payments and meeting SCA requirements.
A further benefit of authenticating a payment under Strong Customer Authentication (SCA) is the liability shift: when the authentication succeeds, liability for fraudulent disputes (chargebacks claiming the cardholder did not authorize the payment) moves from the merchant to the cardholder's bank.
The following diagram illustrates how SCA and exemptions work together in the payment flow:
Not all payments fall under the multi-factor authentication scope of Strong Customer Authentication (SCA). Some payments are eligible for regulatory exemptions, and others are outside the scope of SCA implementation. Note that exemptions do not carry the liability shift: when an exemption is requested on the merchant's behalf and the cardholder's bank accepts it, the merchant remains liable for fraudulent disputes on that payment.
During payment processing, payment service providers like Onerway can apply for exemptions. The cardholder's bank then receives this request, evaluates the transaction's risk level, and ultimately decides whether to approve the exemption or still require authentication.
Benefits of using exemptions:
Onerway uses machine learning to determine the best exemption approach for each situation, helping you provide the smoothest possible checkout experience for your customers. We've designed payment products that meet SCA requirements and help you maximize the use of exemptions to protect your conversion rate.
For merchants accepting online payments, the most relevant exemptions are:
Payment service providers (such as Onerway) can perform real-time risk analysis (called Transaction Risk Analysis or TRA) to determine whether to apply Strong Customer Authentication (SCA) to a transaction. This exemption is available when the payment provider's overall fraud rate stays below specific thresholds:
These thresholds apply to local equivalent amounts where relevant.
Transactions under €30 or £25 are considered low-value and can be exempted from Strong Customer Authentication (SCA). However, SCA might still be required by the issuer when either of the following scenarios occurs:
The cardholder's bank tracks these exemptions and determines when authentication is required.
Due to these limitations, many payments might not qualify for this exemption. However, Onerway provides support for this exemption service to our customers.
This exemption applies when a customer makes a series of recurring payments to the same merchant for the same amount. The customer's first payment requires Strong Customer Authentication (SCA), but subsequent charges can be exempted from SCA.
Payments using saved cards where the customer isn't present in the checkout process (sometimes called off-session, meaning the customer is not actively interacting with your website or app when the payment is processed) might qualify as merchant-initiated transactions (MITs). These payments technically fall outside the scope of Strong Customer Authentication requirements.
In practice, marking a payment as MIT is similar to requesting an exemption. As with other exemptions, it's ultimately up to the bank to decide whether authentication is required for the transaction.
Requirements for merchant-initiated transactions:
Common use cases:
A customer subscribes to a monthly software service. The first payment requires 3DS authentication. Subsequent monthly charges are processed as MITs without requiring the customer to authenticate each time.
An e-commerce store authorizes the payment when an order is placed but captures the funds when the item ships (3 to 5 days later). If the original authorization has expired by then and a new one is needed, that charge is processed as an MIT.
A cloud provider bills customers based on monthly usage. Customers authenticate when adding their card, and monthly invoices are processed as MITs with variable amounts.
Most European banks support this approach if they determine the transaction risk is low.
Onerway's API allows you to authenticate cards when saving them for future use and mark subsequent payments as merchant-initiated transactions. You must use Onerway's latest API to ensure SCA readiness.
While exemptions are useful for reducing friction, the cardholder's bank ultimately decides whether to grant an exemption. When an exemption is declined, the bank might return a specific decline code indicating that authentication is required.
How to handle declined exemptions:
Onerway automatically triggers the additional authentication flow when a bank requests it for declined exemptions.
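The scope rules, the exemption types, and the fallback on a declined exemption described above fit naturally into one decision function. The block below is an added example, not Onerway's code or API: it models the rules stated on this page (both payment providers in the EEA, off-session charges on a card authenticated at save time flagged as merchant-initiated, fixed-amount recurring payments authenticating only the first time, low-value and TRA exemptions subject to the issuer's decision). The low-value cumulative limits and the TRA fraud-rate tiers are taken from the PSD2 RTS (Articles 16 and 18), which the page cites but does not reproduce; the UK cumulative limits differ and are not encoded. The `Transaction` fields, the merchant-side counters, and the issuer response codes (`approved`, `declined`, `sca_required`) are assumptions made for the example.

```python
"""SCA scope-and-exemption decision helper (added example; not Onerway's code)."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Action(Enum):
    OUT_OF_SCOPE = "out_of_scope"            # no SCA and no exemption flag needed
    AUTHENTICATE = "authenticate"            # run the 3DS2 challenge
    REQUEST_EXEMPTION = "request_exemption"  # send the flag; the issuer decides


# Low-value ceilings stated on the page.
LOW_VALUE_LIMIT = {"EUR": 30.0, "GBP": 25.0}
# RTS Art. 16 cumulative limits (EUR). The issuer tracks these; a merchant-side
# copy is an estimate only (assumption), so the issuer may still challenge.
LOW_VALUE_MAX_COUNT, LOW_VALUE_MAX_SUM = 5, 100.0
# RTS Art. 18 TRA tiers: (amount ceiling in EUR, maximum reference fraud rate).
TRA_TIERS = [(100.0, 0.0013), (250.0, 0.0006), (500.0, 0.0001)]


@dataclass
class Transaction:                          # field names are assumptions
    amount: float
    currency: str
    customer_present: bool                  # False => off-session (MIT candidate)
    merchant_provider_in_eea: bool
    issuer_in_eea: bool
    card_authenticated_on_save: bool = False
    recurring_fixed_amount: bool = False
    first_recurring_payment: bool = False
    low_value_count_since_sca: int = 0      # constructed counters (assumption)
    low_value_sum_since_sca: float = 0.0


def tra_allowed(amount: float, provider_fraud_rate: float) -> bool:
    """TRA may be requested only in the tier whose fraud ceiling the provider beats."""
    for ceiling, max_rate in TRA_TIERS:
        if amount <= ceiling:
            return provider_fraud_rate <= max_rate
    return False  # above EUR 500 the TRA exemption is not available


def decide(tx: Transaction, provider_fraud_rate: float) -> Tuple[Action, Optional[str]]:
    """Return (action, exemption flag or None) for one payment."""
    if not (tx.merchant_provider_in_eea and tx.issuer_in_eea):
        return Action.OUT_OF_SCOPE, None        # one-leg-out: outside SCA scope
    if not tx.customer_present:
        if tx.card_authenticated_on_save:
            return Action.REQUEST_EXEMPTION, "merchant_initiated"
        return Action.AUTHENTICATE, None        # no prior SCA: bring the customer back
    if tx.recurring_fixed_amount:
        if tx.first_recurring_payment:
            return Action.AUTHENTICATE, None    # first payment of the series
        return Action.REQUEST_EXEMPTION, "recurring"
    limit = LOW_VALUE_LIMIT.get(tx.currency)
    if (limit is not None and tx.amount < limit
            and tx.low_value_count_since_sca < LOW_VALUE_MAX_COUNT
            and tx.low_value_sum_since_sca + tx.amount <= LOW_VALUE_MAX_SUM):
        return Action.REQUEST_EXEMPTION, "low_value"
    if tra_allowed(tx.amount, provider_fraud_rate):
        return Action.REQUEST_EXEMPTION, "transaction_risk_analysis"
    return Action.AUTHENTICATE, None


def after_issuer_response(action: Action, issuer_code: str) -> str:
    """Next step once the issuer answers; codes are placeholders (assumption).

    'sca_required' stands in for the soft decline that asks for authentication:
    the correct reaction is to run 3DS2 and resubmit, not to treat it as a hard decline.
    """
    if issuer_code == "approved":
        return "capture"
    if action == Action.REQUEST_EXEMPTION and issuer_code == "sca_required":
        return "authenticate_then_retry"
    return "decline"


if __name__ == "__main__":
    subscription_renewal = Transaction(amount=9.99, currency="EUR", customer_present=False,
                                       merchant_provider_in_eea=True, issuer_in_eea=True,
                                       card_authenticated_on_save=True)
    action, flag = decide(subscription_renewal, provider_fraud_rate=0.001)
    print(action.value, flag, after_issuer_response(action, "sca_required"))
```

The ordering matters: scope is checked first so that one-leg-out payments never get an exemption flag they do not need, and the MIT and recurring paths come before the amount-based exemptions because they depend on what happened when the card was saved rather than on the current amount. Whatever `decide` returns, the final word is the issuer's, which is why `after_issuer_response` maps the soft decline back to an authentication step instead of failing the payment.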
This regulation has far-reaching impacts on internet commerce businesses in Europe. As Strong Customer Authentication (SCA) enforcement continues to evolve across European banks, payments that require SCA but are submitted without authentication are declined by the issuer, so businesses that don't comply with these requirements will see their conversion rates fall.
In addition to supporting authentication methods such as 3DS2, we believe that successfully handling exemptions is a key element in building a better payment experience. Our payment products can optimize for different regulatory bodies, banks, and card network rules, and apply appropriate exemptions for low-risk payments so that 3DS authentication is only triggered when necessary. Our advanced machine learning models can also help you adapt to changes in Strong Customer Authentication (SCA) rules.
Before going live, test your SCA integration thoroughly to ensure it handles all scenarios correctly.
Key testing scenarios:
Refer to our 3DS Testing Guide for detailed test card numbers and step-by-step testing procedures.
| Payment Type | SCA Required? | Notes |
|---|---|---|
| Customer-initiated, merchant's provider and issuer both in EEA | ✅ Yes | Unless exemption granted |
| Merchant-initiated (MIT) | ❌ No | Must authenticate card when saving |
| Recurring (fixed amount) | ⚠️ First only | Subsequent payments exempt |
| Low-value (< €30/£25) | ⚠️ Maybe | Subject to cumulative limits |
| Low-risk (via TRA) | ⚠️ Maybe | Based on fraud thresholds |
| Merchant's provider or issuer outside EEA | ❌ No | Outside SCA scope (one-leg-out) |
SCA applies to the following scenarios:
The following payments might qualify for exemptions:
SCA doesn't apply to: