3D Secure and 3D Secure 2 authentication: A guide
Discover what Strong Customer Authentication (SCA) is, when it’s required, and how to ensure your business is compliant.
On September 14, 2019, Strong Customer Authentication (SCA) became a requirement for businesses processing online payments in Europe. These requirements were part of the Revised Payment Services Directive (PSD2).
In this article, we’ll discuss everything you need to know to be SCA compliant. We’ll cover what SCA exactly is, which transactions are exempt or out of scope, and how SCA applies to your business.
SCA is a European requirement introduced to make online payments more secure and reduce the risk of fraud. This requirement applies to online payments made in the European Economic Area (EEA), Monaco, and the UK.
In short, SCA means shoppers in Europe may need to complete extra levels of authentication when they pay online.
These levels of authentication involve asking customers for two of the following three: something they know, something they own, and something they are.
You can find out which types of information are included in these categories in the image below.
Before SCA, issuing banks could only challenge customers with a single static password. These new dynamic data points verify users’ identities more accurately.
With SCA, there are more ways to authenticate shoppers than the traditional ‘something they know’ (like a password). You can now combine other data points, as long as they are from at least two different categories.
For example, you can combine a fingerprint, or a one-time authentication code sent to a smartphone, with the customer's account login.
Even though increased authentication is now required, more data points are available to choose from. This should make it easier for the customer to authenticate a payment and, ultimately, lead to fewer drop-offs.
The Strong Customer Authentication (SCA) requirements, as part of PSD2, were officially introduced on September 14, 2019. The European Banking Authority later extended this deadline to December 31, 2020 due to lack of industry readiness.
To date, all EEA countries are enforcing PSD2 SCA requirements. In the UK, the final implementation date has been delayed until March 14, 2022.
Since the full enforcement of PSD2, all merchants inside the EEA should be SCA ready.
Implementing SCA differs depending on the payment method.
The 3D Secure protocol provides an extra layer of authentication to verify the customer's identity. It's supported by most European debit and credit card companies.
Once the customer completes the SCA step, the issuing bank, not the business, becomes liable for any fraudulent chargebacks.
3D Secure 2 (3DS2) provides a more user-friendly experience than 3D Secure 1 (3DS1). Each version is SCA compliant, but we recommend that you support both 3D Secure 1 and 3D Secure 2.
Apart from 3D Secure, you can also make sure you meet SCA requirements with local payment methods and digital wallets. These have the added advantage of increasing conversion rates in certain markets and use cases.
Across the EEA, we see local payment methods converting well.
International e-wallets like Apple Pay and Google Pay™ also provide checkout flows that meet the new SCA requirements. For more details, visit our SCA documentation page.
SCA is required for online European payments. This means both the business and the cardholder's bank are in Europe. We're also seeing more regions, such as India, start to introduce SCA as a requirement.
But there are some transactions exempt from SCA or out of the PSD2 SCA scope. Below you can find an extensive list of the specific transactions where this is the case.
SCA exemptions aim to keep the customer journey frictionless for specific payment scenarios. Out of scope transactions are not covered by the PSD2 mandate and don’t require SCA.
Below is a list of the most relevant exempt or out of scope transactions.
Note: if you or your acquirer requests an exemption and the issuer accepts the request, the liability stays with you. If the issuer applies the exemption itself, the liability shifts to the issuer.
Transactions through an acquirer or issuer whose fraud level is below a certain threshold.
Certain acquirers, like Adyen, assess the risk of each in-scope transaction in line with the Transaction Risk Analysis (TRA) requirements. If the acquirer judges a transaction to be low risk, it can request a 'TRA exemption' so that SCA is skipped.
But this is only possible if the acquirer's or issuer's fraud rates are below the following thresholds:
In the end, the issuer decides whether to accept this exemption request or still enforce SCA.
Transactions under €30, up to a cumulative €100 on the same card.
Transactions under €30 are exempt from SCA, but the issuing bank keeps track of how many payments are made using this exemption.
SCA is required once the total amount attempted on the card exceeds €100, or after every five transactions.
Certain trusted merchants chosen by the cardholder.
Customers can add businesses to a whitelist of 'Trusted Beneficiaries', which is maintained by their bank. Whitelisted merchants can be exempt from SCA regardless of the transaction amount.
This lets regular customers mostly skip SCA with the businesses they've chosen to whitelist.
Recurring, fixed-amount transactions after first payment.
Recurring, fixed-amount transactions are exempt from the second transaction onwards; only the initial transaction requires SCA. If the transaction amount changes, SCA is required for each new amount.
Alternatively, you can flag these payments as Merchant Initiated Transactions (MITs), which are out of scope of the PSD2 SCA requirements. Find out more about MITs below.
Payments between corporations.
Payments made between two corporations can be exempt from SCA, but only when the payment method is a payment instrument dedicated to making such B2B payments.
Payments via phone or mail.
Mail Order and Telephone Orders (MOTO) are exempt from SCA in all cases. MOTO transactions are not considered 'electronic' payments, so they are out of scope.
Transactions without direct customer involvement.
Merchant initiated transactions (MITs) are transactions that don't directly involve the customer. The payment is taken from a saved card with the customer’s prior consent on an arranged date.
For example, some products have a variable cost based on usage, like energy contracts. The first payment, or the first time the card is saved, always needs to be authenticated. But the following payments can skip SCA if marked as a ‘Merchant Initiated Transaction.’
Payments involving non-European businesses or customers.
Inter-regional transactions, also known as one-leg transactions, are payments where either the card issuer or the acquirer is not based in the EEA, Monaco, or the UK.
These transactions are also out of scope, meaning European businesses can accept payments from non-European shoppers without applying the PSD2 SCA requirements.
Many exemptions and out-of-scope scenarios depend heavily on the bank, the card scheme, and regulatory interpretation.
You can find a list of all the exemptions in the official Regulatory technical standards on strong customer authentication and secure communication under PSD2.
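As an added example (not Adyen's code or decision logic), here is a small Python model of the scoping and exemption rules listed above, seen from the merchant's side: it decides whether a payment is out of scope, which exemption could be requested, or whether SCA is required, and simulates the issuer's low-value counters. The names (Txn, CardState, classify, process), the order in which exemptions are tried, and the counter reset after SCA are assumptions made for illustration.

```python
from dataclasses import dataclass
# Low-value exemption thresholds as stated in the article (tracked by the issuer)
LOW_VALUE_LIMIT = 30.00        # single payment under EUR 30
LOW_VALUE_CUMULATIVE = 100.00  # total attempted on the card since the last SCA
LOW_VALUE_MAX_COUNT = 5        # exempted payments since the last SCA

@dataclass
class Txn:
    """What the merchant knows about one card payment (hypothetical model)."""
    amount: float
    issuer_in_region: bool                # issuer in the EEA, Monaco or the UK
    acquirer_in_region: bool              # acquirer in the EEA, Monaco or the UK
    moto: bool = False                    # mail order / telephone order
    merchant_initiated: bool = False      # MIT on a saved card, customer not present
    recurring_fixed_amount: bool = False  # same fixed amount as the previous charge
    first_in_series: bool = True          # first payment, or first time the card is saved
    trusted_beneficiary: bool = False     # merchant whitelisted at the customer's bank
    b2b_instrument: bool = False          # dedicated corporate payment instrument
    tra_low_risk: bool = False            # acquirer's TRA: low risk, fraud rate under threshold

@dataclass
class CardState:
    """Issuer-side counters since the last successful SCA (simulated here)."""
    cumulative: float = 0.0
    count: int = 0

def classify(txn: Txn, state: CardState) -> str:
    """Return 'out_of_scope:<why>', 'exempt:<why>' or 'sca_required'.
    Exemptions are only requests: the issuer may still enforce SCA."""
    if not (txn.issuer_in_region and txn.acquirer_in_region): return "out_of_scope:one_leg"
    if txn.moto: return "out_of_scope:moto"
    if txn.merchant_initiated and not txn.first_in_series: return "out_of_scope:mit"
    if txn.recurring_fixed_amount and not txn.first_in_series: return "exempt:recurring"
    if txn.trusted_beneficiary: return "exempt:trusted_beneficiary"
    if txn.b2b_instrument: return "exempt:b2b"
    if (txn.amount < LOW_VALUE_LIMIT and state.count < LOW_VALUE_MAX_COUNT
            and state.cumulative + txn.amount <= LOW_VALUE_CUMULATIVE):
        return "exempt:low_value"
    if txn.tra_low_risk: return "exempt:tra"
    return "sca_required"

def process(txn: Txn, state: CardState) -> str:
    """Classify, then update the counters: a low-value exemption adds to them,
    a successful SCA resets them (the reset is assumed, not stated in the article)."""
    decision = classify(txn, state)
    if decision == "sca_required":
        state.cumulative, state.count = 0.0, 0
    elif decision == "exempt:low_value":
        state.cumulative, state.count = state.cumulative + txn.amount, state.count + 1
    return decision
```

Running five €20 payments through process() yields five low-value exemptions; the sixth hits the five-transaction limit and requires SCA, which resets the counters.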
The PSD2 SCA regulations are for banks, not for merchants. Issuing banks that approve non-compliant transactions are violating the law in their home country.
The risk for the merchant is that the bank refuses its transactions, which lowers authorization rates.
With Adyen, you can either have our Authentication Engine handle PSD2 SCA compliance for you, or manage it yourself.
With the Adyen Authentication Engine, we won’t trigger 3D Secure for out of scope transactions or exemptions. We'll also skip 3D Secure if the issuing bank doesn’t enforce 3D Secure.
If you want to manage PSD2 SCA compliance yourself, Adyen offers two options. You can either:
For more information on how to implement any of these options, check out our SCA compliance docs page.