Strong Customer Authentication (SCA)How Did the Transaction Process Change Due to Stronger ID Standards?

March 7, 2023 | 11 min read

This image was created by artificial intelligence using the following prompts:

An open doorway made out of computer code inside of the door there is an outline of a person’s head with a large keyhole within the keyhole there is an eye, colored red and teal, all other colors muted, wide angle

Strong Customer Authentication SCA

In a Nutshell

SCA regulations are now the law of the land in Europe. But what exactly are these rules, and how might they affect your business here in the US and abroad? This article will explore what SCA regulations are, who they affect, how they’re working thus far… and what you might expect in the near future.

The State of Strong Customer Authentication: Does it Help or Hinder Online Commerce?

Strong customer authentication, or SCA, is not simply a description of verification standards. Under the Revised Payment Services Directive (PSD2), these authentication standards are now legally mandated in the European market.

SCA protocols actually went into effect in 2019, but not all merchants jumped aboard initially. The UK's Financial Conduct Authority, for instance, extended the deadline for compliance through March of last year.

SCA regulations are now fully live and enforceable. But, how have SCA regulations shaped eCommerce for international merchants? What, if any, updates can we expect in the future? Let’s take a look.

What is Strong Customer Authentication?

Back in October 2015, the European Parliament adopted a new set of regulations for the payments industry, called the revised Payment Services Directive, or PSD2.

PSD2 was designed to govern how third-party services like Google or Facebook can operate in the European market. Another part of this directive, however, sets standards for how businesses should authenticate buyers.

In simple terms, the rule requires an extra layer of authentication during checkout for all transactions conducted in the European Union or the United Kingdom. Limiting verification to card number, billing address, and CVV is no longer enough. Merchants must now verify the buyer’s identity according to at least two of the following three factors:

At least two of these three items must be verified to the issuing bank’s satisfaction. Otherwise, the transaction will likely be declined.

How to Authenticate a Payment With SCA

In Europe, one of the most common forms of payment authentication occurs through 3D-Secure technology. This adds an additional layer of authentication to card-not-present (CNP) transactions. 

To consumers, this extra step appears before or directly after checkout with a bank prompt requiring a one-time passcode (OTP) to finalize the transaction from their smartphone. That said, many merchants, processors, and other merchant service providers believe OTP requirements lead to false declines. There’s also a general belief that OTPs can cause increased friction and higher rates of cart abandonment

To combat these issues, many merchants supplement 3DS authentication with biometric payments that can streamline OTP requirements and reduce friction.

SCA can prevent some fraud attacks... but not all fraud. For comprehensive protection, Chargebacks911® has got you covered.REQUEST A DEMO

With biometric payments enabled, customers simply have to enter a thumbprint or facial scan to complete the secondary authentication step. Mobile wallet applications like Apple Pay and Google Pay come standard with biometric authentication capabilities. These tools are already available to consumers in their mobile app stores.

In the end, though, a majority of online transactions are not required to satisfy SCA requirements. There are a number of exceptions to SCA requirements that let transactions go ahead without meeting these standards.

SCA Exemptions & Exclusions

Strong customer authentication regulations will not necessarily apply to every transaction. As of this writing, SCA only affects transactions where both the payer and the payee are located in the EU. If one party is outside the EU (called a “one-leg” transaction), then SCA won’t be required.

Also, there are a number of conditions that can make a transaction exempt from these requirements, including:

Corporate/Virtual Card Transactions

Virtual payment cards, as well as corporate cards not issued in the cardholder’s name, are both exempted from SCA standards.

Fixed-Amount Subscriptions

This exemption applies when customers make recurring payments for the same amount, to the same business, over a fixed period of time. SCA would be required for the first payment (unless another exemption applies), but any additional charges are exempt.

Low-Value Transactions

Transactions valued at less than €30 are exempt from SCA. This exemption is subject to a velocity limit of five consecutive transactions or €100 cumulatively before SCA is required again.

Mail Order

Mail order transactions are not included, as two-factor authentication is difficult to conduct effectively via physical mail.

Merchant-Initiated Transactions

Transactions initiated by a merchant, such as rebills under a subscription service with a variable dollar value, are not subject to the same SCA standards as the initial transaction.

Phone Sales

Same as with mail-order transactions, any cardholder information collected over the phone does not require additional SCA authentication. However, merchants have to flag each phone sale as such to allow the bank one final chance to approve or deny the transaction.

Whitelisted Transactions

After an SCA-verified purchase, consumers can opt to whitelist the merchant, making successive SCA checks unnecessary. The seller must implement 3-D Secure 2.0 to use this functionality, though.

Payment service providers may also provide other tools to help merchants adjust to SCA. Some commonly cited offerings include rule-based fraud screening, exemption management, and delegation of exemption. Perhaps the most important of these, however, is transaction risk analysis.

What is Transaction Risk Analysis?

Transaction risk analysis (or TRA) is a process that monitors the behavior of different parties during a transaction. It is used to gauge risk invisibly and in real-time. This is intended to stop fraud without adding friction to the customer experience. 

TRA analysis is the process of analyzing issuer and merchant risk scores (and other factors) concerning location, time, spending habits, and other behavioral patterns. If a transaction relays any information outside of the historical norm for these factors, an alert will be triggered, and further authentication will be required. Considering the number and complexity of the above exemptions, an additional safeguard was required. 



Transaction risk analysis can only be used on orders valued at less than €500.

So-called “low-risk” transactions are also eligible for SCA exclusions or exemptions. Transactions that are valued at less than €500 and which register as “low risk” in real-time analysis can be exempted from SCA requirements. 

It’s important to note, however, that TRA eligibility is based on the acquirer’s fraud rate, not the merchant's. Acquirers may only deploy TRA if they have an overall, generalized fraud rate below the following thresholds:

  • 0.13% to exempt transactions below €100
  • 0.06% to exempt transactions between €101 and €250
  • 0.01% to exempt transactions between €251 and €500
Learn more about transaction risk analysis

Is SCA Working?

Well, yes and no.

With fraud rates constantly in flux, it’s difficult to pinpoint how much of an impact strong customer authentication has had on eCommerce in just one year. However, one company reported that SCA technology helped them achieve 2,000 fewer cases of fraud each month last year. Their research also showed that 68% of its customers are happy to enter a texted passcode in its banking app.

Despite these findings, many companies argue that SCA isn’t actually stopping fraudsters. Instead, they’re just switching tactics. For instance, if a fraudster moderates attacks to remain below the £30 protection limit, they may slide stolen credentials through additional checks without ever raising an alarm.

Card testing, for example, is a fast-growing problem for eCommerce brands. Payment processor Stripe reported in 2022 that they’d detected more than 20 million card testing attempts per day. Because the dollar threshold on these transactions is so low, strong customer authentication would not be applied.

Quit playing catch-up to fraud. Get ahead of the regulatory curve with end-to-end chargeback management.REQUEST A DEMO

Does SCA Cause More Friction?

The friction introduced by strong customer authentication is minimal, the process does, inevitably, create friction in the customer journey.

According to Nuapay, UK businesses saw payment decline rates increase by an average of 37% following the enforcement of SCA rules. Additional findings the company reported following strong customer authentication implementation include:

  • 29% of respondents believe the regulations need to go further to prevent fraud.
  • 33% said the regulations have a negative impact on the customer experience.
  • Just 39% of respondents felt the regulations were fully fit for purpose.

It’s still too early to paint a full picture of the benefits and downsides of SCA. That said, customer awareness is one area which is emerging as an obvious candidate for improvement. In response to another recent survey, up to 47% of the consumers polled remain unaware of the recent regulation updates, and have no idea how to navigate them. 

Banks and merchants can improve these statistics by increasing communication regarding payment changes in order to increase consumer awareness. After all, throwing additional steps at consumers without explanation is bound to exacerbate cart abandonment issues

Future Predictions

At least for now, the European Union’s strong customer authentication standards only impact EU and UK merchants. As we mentioned above, transactions from other eCommerce merchants are defined as being "one-leg-out.” In other words, only one party is based in the EU, so the transaction is not subject to strong customer authentication mandates.

That means US-based eCommerce merchants can sell to EU markets without worrying about SCA compliance. We can’t necessarily count on this to remain the case forever, though.

The idea behind the SCA mandate is quickly spreading. Australia, Mexico, and Turkey, for example, are all either considering SCA policies, or already have them in place.

In the US, the major card networks are already promoting voluntary compliance with SCA standards. And, as we saw with the California Consumer Privacy Act, being physically based outside the jurisdiction of a law does not necessarily exempt one from compliance with it.

It seems likely that US lawmakers will take up the issue themselves soon. If— or when —the US decides to implement its own SCA policies, we’ll need to focus on standardized, universally-applicable protocols for verifying user identities. That is why it’s probably a good idea to start implementing necessary changes and adopting business best practices in preparation.

How Do You Ensure Strong Customer Authentication?

Like it or not, some level of friction is unavoidable with strong customer authentication. That said, it’s also important to distinguish harmful friction points from useful fraud prevention barriers. Rather than resisting all friction, try redirecting to more positive ends.

“Negative” friction slows down processes for little or no reason and thereby encourages cart abandonment. “Positive” friction points, in contrast, can be minimal or even unnoticeable from the buyer’s perspective, while delivering greatly increased fraud protection. Examples of positive friction include:

  • Verifying CVV at checkout
  • Asking buyers to confirm their order before finalizing
  • Making account creation optional
  • Requiring complex and unique passwords for all new accounts
  • Offering 3-D Secure 2.0 for users who opt-in to the service
  • Employing backend detection fraud tools (geolocation, fraud scoring, etc.)
  • Offering mobile payments with two-factor authentication

If you’re a merchant, then some items on this list may already be part of your normal online checkout. If so, you’re already ahead of the game. That’s no reason to be complacent, though.

Have additional questions about SCA? Want to learn more about third-party fraud and other chargeback risk factors? Click below and speak to one of our experts today.


What does ‘strong customer authentication required’ mean?

If a transaction requires strong customer authentication, that means it requires additional verification in order to be completed. This is required for all transactions completed in the EU or UK, unless the transaction meets a condition on a list of exemptions outlined in the revised Payment Services Direction (PSD2).

What are strong customer authentication principles?

Compliance with SCA means merchants must now verify buyers’ identities according to at least two of the following three factors: knowledge (something the buyer knows, like a PIN or password), possession (physical possession of a card), or inherence (fingerprint, facial recognition scan, etc.).

What is an example of strong customer authentication?

OTP, or one-time passcodes, are one example of strong authentication, as are two-factor authentications via emails or texts, or facial recognition scans.

What are the three 3 main types of authentication?

You must authenticate cardholders through either something they know, something they have, or via something they are (knowledge, possession, or inherence). These can include passcodes, physical card details, or fingerprints and facial scans.

Like What You're Reading? Join our newsletter and stay up to date on the latest in payments and eCommerce trends.
Newsletter Signup
We’ll run the numbers; You’ll see the savings.
Please share a few details and we'll connect with you!
Over 18,000 companies recovered revenue with products from Chargebacks911
Close Form
Embed code has been copied to clipboard