“Strong Customer Authentication”
SCA, PSD2 SCA
Strong Customer Authentication (SCA) is a European regulatory requirement that reduces fraud by verifying a payer’s identity through at least two independent authentication factors. Mandated under the Revised Payment Services Directive (PSD2) and its Regulatory Technical Standards (RTS), it requires shoppers to confirm online payments using two or more of: something they know, something they own, and something they are.
Strong Customer Authentication is a security mandate requiring multi-factor authentication for electronic payments initiated by the payer where both the payer’s and the payee’s payment service providers are in the European Economic Area. It appears during the checkout stage of the payment flow, typically as a 3D Secure authentication that runs before the authorization request is sent to the issuing bank. It matters operationally because an in-scope payment that is submitted without authentication, and without a valid exemption, is declined by the issuer, directly lowering a merchant’s transaction approval rate.
What is the core mechanism of Strong Customer Authentication?
To satisfy this mandate, a payment must be authenticated with elements from at least two of three distinct categories, and the elements must be independent, so that compromising one does not compromise the others. This is what ties the payment to the legitimate cardholder rather than to a bad actor holding stolen card data.
The three available authentication factors are:
- Knowledge: Something only the user knows, such as a password or a PIN.
- Possession: Something only the user owns, such as a mobile device or a hardware token.
- Inherence: Something the user is, verified through biometrics like a fingerprint or facial recognition.
If a merchant submits an in-scope transaction without authentication and without a valid exemption, the issuing bank is expected to decline it (a soft decline asking for authentication). This creates avoidable payment failures and frustrates customers trying to complete their purchases.
How does Strong Customer Authentication work in practice?
In the modern payment landscape, the primary tool for this authentication on card payments is 3D Secure 2 (3DS2), the EMVCo protocol that lets the merchant, the card network and the issuer exchange device and transaction data in the background, so the issuer can usually verify the cardholder without the static passwords of the original 3D Secure.
Here is a step-by-step look at how this process unfolds during a standard e-commerce transaction:
- Checkout initiation: The customer enters their payment details and submits the order.
- Data exchange: The merchant’s 3DS server forwards device and transaction data (the 3DS2 specification defines over 100 data elements) through the card network’s directory server to the issuer’s access control server, which scores the risk of the transaction.
- Frictionless flow evaluation: If the issuer judges the risk low, it authenticates the user in the background and returns a successful result with no visible interruption.
- Challenge flow execution: If the issuer needs more proof, the customer is prompted in their banking app or a challenge window for a biometric approval or a one-time password.
- Payment authorization: Once authentication succeeds, the merchant submits the authorization together with the authentication result returned by the issuer (the cryptogram and the electronic commerce indicator), so the issuer can match the authorization to the authentication, and then proceeds to settlement.
When handled correctly, this flow minimizes checkout issues while ensuring full compliance with regional laws.
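As an added illustration of the merchant side of this flow (this is example code, not from the original page or any 3DS vendor), the decision taken once the 3DS server returns a result. The attribute names on the result object are hypothetical; the transStatus values are the ones defined by the EMV 3-D Secure specification. The security-relevant point it encodes is that a challenge outcome is only valid when it arrives in the server-to-server result message (the RReq) and refers to the same directory-server transaction ID as the original authentication; what the browser posts back after the challenge window closes (the CRes) is not proof of anything.

```python
from dataclasses import dataclass
from typing import Optional

# transStatus values defined by the EMV 3-D Secure specification
AUTHENTICATED = {"Y", "A"}   # Y: authenticated; A: authentication attempted (proof of attempt)
CHALLENGE = {"C"}            # issuer requires a challenge
FAILED = {"N", "R"}          # N: not authenticated; R: rejected by the issuer
UNAVAILABLE = {"U"}          # issuer's ACS could not authenticate (technical problem)


@dataclass
class ThreeDSResult:
    """The fields of a 3DS2 result message the merchant acts on (hypothetical attribute names)."""
    source: str            # "ares": frictionless answer; "rreq": server-to-server challenge result; "cres": browser-posted
    trans_status: str
    ds_trans_id: str       # directory-server transaction ID shared by ARes and RReq of one authentication
    eci: Optional[str] = None                    # electronic commerce indicator (values are network-specific)
    authentication_value: Optional[str] = None   # CAVV/AAV cryptogram proving the authentication


@dataclass
class Decision:
    action: str            # authorize | challenge | decline | authorize_unauthenticated
    eci: Optional[str] = None
    cryptogram: Optional[str] = None


def decide(result: ThreeDSResult) -> Decision:
    """Turn a frictionless ARes or a challenge RReq into the merchant's next step."""
    if result.source == "cres":
        # The browser's CRes only tells the page the challenge ended; the outcome is in the RReq
        # the issuer's ACS sent to the 3DS server. Trusting the CRes lets a client forge "authenticated".
        raise ValueError("challenge outcome must be read from the RReq, not the browser-posted CRes")
    s = result.trans_status
    if s in CHALLENGE:
        return Decision("challenge")
    if s in AUTHENTICATED:
        if not (result.eci and result.authentication_value):
            return Decision("decline")        # "authenticated" without a cryptogram is not usable proof
        return Decision("authorize", eci=result.eci, cryptogram=result.authentication_value)
    if s in FAILED:
        return Decision("decline")
    if s in UNAVAILABLE:
        # Authorization may still be attempted without SCA; the issuer may soft-decline it.
        return Decision("authorize_unauthenticated")
    raise ValueError(f"unknown transStatus {s!r}")


def finalize_challenge(ares: ThreeDSResult, rreq: ThreeDSResult) -> Decision:
    """Apply a challenge outcome only if it belongs to the authentication that asked for it."""
    if ares.trans_status not in CHALLENGE:
        raise ValueError("no challenge was requested for this authentication")
    if rreq.source != "rreq":
        raise ValueError("challenge outcome must come from the server-to-server RReq")
    if rreq.ds_trans_id != ares.ds_trans_id:
        return Decision("decline")            # result for a different transaction: do not accept it
    return decide(rreq)


if __name__ == "__main__":
    # Constructed sample: the ARes asks for a challenge, then the RReq reports success.
    ares = ThreeDSResult("ares", "C", "ds-0001")
    rreq = ThreeDSResult("rreq", "Y", "ds-0001", eci="05",
                         authentication_value="AJkBBkhgQQAAAAAAAAAAAAAAAAA=")  # constructed cryptogram
    print(finalize_challenge(ares, rreq))
```

The `authorize` decision carries the cryptogram and ECI into the authorization request; the `authorize_unauthenticated` path is where the exemption and soft-decline handling described later on this page takes over.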
When are payments exempt from Strong Customer Authentication?
Not every transaction requires a multi-factor challenge. To balance security with user experience, the RTS define specific exemptions that an acquirer or merchant can request so that a low-risk payment skips the challenge flow.
Low-value transactions are frequently exempt. A remote payment of 30 Euros or less can be exempted, provided that, since the last time SCA was applied to that card, either the cumulative amount of unauthenticated payments stays within 100 Euros or there have been no more than five consecutive unauthenticated payments (the issuer chooses which counter it applies). The issuer keeps these counters across all merchants, so a merchant can never be certain the exemption will be accepted.
Merchant-Initiated Transactions (MITs) are another critical case. Strictly speaking they are out of scope rather than exempt: because the merchant, not the payer, initiates the payment, there is no customer at the checkout screen to challenge. Software and digital businesses rely on them to bill customers on a recurring basis. The condition is that the agreement was set up with SCA in the first place, and that each later charge is flagged as an MIT and references that original authenticated transaction.
Flagging these recurring charges correctly as MITs prevents a large class of subscription payment failures.
Finally, acquirer Transaction Risk Analysis (TRA) lets an acquirer request an exemption for low-risk payments as long as its fraud rate stays below the regulatory threshold for the amount band: 0.13% for payments up to 100 Euros, 0.06% up to 250 Euros and 0.01% up to 500 Euros. Whatever is requested, the issuing bank has the final say in the issuer response and can override any exemption request by soft-declining and demanding authentication.
Why does Strong Customer Authentication matter for operational teams?
For payment engineers and product managers, this authentication requirement acts as a major variable in checkout conversion rates. Finding the right balance between compliance, fraud prevention, and user friction requires continuous payment optimization.
If a merchant routes transactions poorly or fails to apply the correct exemptions, it will see a sharp rise in false declines. Every time a valid card is declined because of a technical misconfiguration, the business loses revenue and damages customer trust.
Correctly categorizing transactions that fall outside the mandate also avoids unnecessary friction: one-leg transactions, where the issuer or the acquirer is outside the European Economic Area, require SCA only on a best-effort basis. Teams must actively monitor their authentication and authorization metrics to catch routing anomalies before they escalate into widespread payment failures.
How do authentication requirements impact retry strategies?
Even with a highly optimized setup, merchants will inevitably encounter soft declines. A soft decline occurs when the issuer rejects the payment specifically because it lacks Strong Customer Authentication, signalled by a dedicated response code meaning “authentication required” (for example Visa’s 1A or Mastercard’s 65), as opposed to a hard decline such as insufficient funds or a lost or stolen card.
Handling these soft declines gracefully is a vital part of payment recovery. If a merchant simply resubmits the same request without authentication, the issuer will reject it again, and repeated unchanged retries are exactly what the card networks’ retry rules penalize.
Instead, platforms like SmartRetry manage these scenarios with intelligent retries of declined transactions, helping merchants recover revenue and improve transaction approval rates. When an issuer demands authentication on a recurring charge, the system can notify the customer by email or SMS and bring them back into a session where the 3D Secure challenge can be completed; the charge is then resubmitted with the new authentication result rather than as a copy of the declined request.
Effectively managing these issuer demands allows businesses to reduce payment declines and retry failed payments in a way that respects network rules and maximizes revenue.
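The two decisions described above, which exemption or out-of-scope indicator to send with an authorization and what to do when the issuer answers with a soft decline, fit together in one piece of merchant logic. The following is an added example, not code from the original page or from SmartRetry. It hard-codes the RTS limits quoted in the exemptions section (30/100 Euros, five transactions, the three TRA fraud-rate bands) and treats amounts as EUR; the `History` counters are the merchant’s own estimate of what the issuer tracks across all merchants, so they only guide which flag to request. The response-code sets are constructed for the example: `"00"` for approved, and `"1A"`/`"65"` standing in for the Visa and Mastercard “authentication required” soft declines; check your acquirer’s response-code table for the codes you actually receive.

```python
from dataclasses import dataclass
from typing import Optional

# Limits from the PSD2 RTS on SCA, in EUR (the RTS also accepts the equivalent in other currencies).
LOW_VALUE_LIMIT = 30.0          # per remote transaction
LOW_VALUE_CUMULATIVE = 100.0    # cumulative unauthenticated amount since the last SCA
LOW_VALUE_CONSECUTIVE = 5       # consecutive unauthenticated transactions since the last SCA
# Acquirer TRA: (amount band, maximum acquirer fraud rate that permits an exemption request for it)
TRA_BANDS = ((100.0, 0.0013), (250.0, 0.0006), (500.0, 0.0001))


@dataclass
class History:
    """Merchant-side estimate of the issuer's low-value counters for one card.
    The issuer counts across every merchant, so this is only a hint for choosing a flag."""
    amount_since_sca: float = 0.0
    count_since_sca: int = 0


@dataclass
class Payment:
    amount_eur: float
    initiated_by: str                          # "customer" (CIT) or "merchant" (MIT)
    issuer_in_eea: bool
    acquirer_in_eea: bool
    original_auth_ref: Optional[str] = None    # MIT only: the SCA-authenticated transaction that set up the agreement


def tra_limit(acquirer_fraud_rate: float) -> float:
    """Largest TRA amount band the acquirer's fraud rate qualifies for (0.0 if none)."""
    limit = 0.0
    for band, max_rate in TRA_BANDS:
        if acquirer_fraud_rate <= max_rate:
            limit = band
    return limit


def classify(p: Payment, hist: History, acquirer_fraud_rate: float) -> str:
    """Choose what to send with the authorization: an out-of-scope indicator, an exemption flag, or SCA."""
    if not (p.issuer_in_eea and p.acquirer_in_eea):
        return "out_of_scope_one_leg"          # SCA on a best-effort basis only
    if p.initiated_by == "merchant":
        if not p.original_auth_ref:
            raise ValueError("an MIT must reference the SCA-authenticated transaction that set up the agreement")
        return "out_of_scope_mit"
    # The RTS lets the issuer apply either counter; requiring both keeps the merchant's estimate conservative.
    if (p.amount_eur <= LOW_VALUE_LIMIT
            and hist.amount_since_sca + p.amount_eur <= LOW_VALUE_CUMULATIVE
            and hist.count_since_sca < LOW_VALUE_CONSECUTIVE):
        return "exemption_low_value"
    if p.amount_eur <= tra_limit(acquirer_fraud_rate):
        return "exemption_tra"
    return "sca_required"


# Constructed response-code sets: real codes depend on the network and acquirer. Visa "1A" and
# Mastercard "65" are the usual "authentication required" soft declines; "00" is approved.
APPROVED = {"00"}
SOFT_DECLINE_SCA = {"1A", "65"}


def on_issuer_response(p: Payment, classification: str, response_code: str,
                       hist: History, already_retried: bool = False) -> str:
    """Map the issuer's answer to the merchant's next step. An identical request is never resent."""
    if response_code in APPROVED:
        if classification == "sca_required":
            hist.amount_since_sca, hist.count_since_sca = 0.0, 0   # SCA applied: issuer counters restart
        elif classification in ("exemption_low_value", "exemption_tra"):
            hist.amount_since_sca += p.amount_eur                 # unauthenticated payer-initiated payment
            hist.count_since_sca += 1
        return "settle"
    if response_code in SOFT_DECLINE_SCA:
        if already_retried:
            return "stop_identical_retry"
        if p.initiated_by == "merchant":
            return "bring_customer_into_session"   # email/SMS link to a page that runs the 3DS challenge
        return "retry_with_3ds_challenge"          # resubmit with the new cryptogram and ECI, not the same request
    return "hard_decline_do_not_retry"


if __name__ == "__main__":
    hist = History()
    p = Payment(amount_eur=24.99, initiated_by="customer", issuer_in_eea=True, acquirer_in_eea=True)
    flag = classify(p, hist, acquirer_fraud_rate=0.0005)
    print(flag, on_issuer_response(p, flag, "65", hist))   # exemption_low_value retry_with_3ds_challenge
```

Two design points are worth noting. First, an MIT without a reference to its SCA-authenticated setup transaction is rejected locally rather than sent, because that reference is what makes the charge out of scope. Second, a soft decline on a customer-initiated payment is answered by running the 3D Secure challenge and resubmitting with its result, while the same decline on a merchant-initiated charge can only be resolved by bringing the customer back into a session, which is the recovery step the page describes.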
Strong Customer Authentication vs 3D Secure?
While often used interchangeably in casual conversation, the two terms are related but distinct concepts within the payment ecosystem.
Strong Customer Authentication is the legal and regulatory requirement governing how electronic payments must be verified in Europe. It dictates the rules, the necessary factors, and the allowed exemptions.
3D Secure is the technical protocol the card networks use to carry out that verification. Think of the regulation as the building code and 3D Secure as the physical lock on the door: you use the 3D Secure framework to meet the regulation, but the regulatory standard itself is platform-agnostic, and other methods, such as a digital wallet that authenticates the payer with the device’s biometric or passcode, can satisfy it as well.