Get ready for Strong Customer Authentication.

In October 2015 the European Parliament passed legislation known as Payment Services Directive 2 PSD2.

PSD2 has meant several changes for the payments industry, but one key specific area is known as Strong Customer Authentication (SCA).

SCA is a regulatory requirement to reduce fraud and make online card payments more secure, by having more authentications built into the checkout flow.

The requirement is to have payments authenticated as genuine using at least two of the following three data points:

  1. Something the customer knows (e.g. their password or PIN)
  2. Something the customer has (e.g. the phone or hardware token they are using)
  3. Something the customer is (e.g. their fingerprint or face recognition)

The regulatory requirement is to have these new processes in place for 14 September 2021, and from this date, banks will decline payments that require SCA but don’t meet these criteria.

What transactions require SCA and what is the benefit to your business?

SCA applies to “customer-initiated” online payments within Europe. Any payment made by customers online. This means most card payments will require SCA, although there are some exemptions.

Currently, the most common way of authenticating an online card payment relies on 3D Secure (3DS) – the authentication standard developed by Visa (Verified by Visa) and Mastercard (Mastercard SecureCode) and supported by the vast majority of European cards. This typically adds an extra step after the checkout where the cardholder is prompted to provide additional information to complete a payment (e.g. random letters or numbers from their password to login to their online banking).

To meet the requirements of SCA, the major payment schemes are rolling out 3D Secure version 2.0 during this year. Whilst the original version of 3DS had its challenges due to being clunky, this new version introduces a better user experience that will help minimise the friction that authentication adds to the checkout process.

Visa reports that merchants using 3DS 2.0 will experience a 70% decrease in cart abandonment, and an 85% reduction in transaction time, which is great news.

3DS 2.0 also gives merchants another anti-fraud tool as it is designed to better authenticate valid transactions and deny fraudulent transactions. In addition, it shifts the liability for fraudulent transactions from the merchant to the issuing bank.

As well as Visa and Mastercard’s 3DS solutions, there are other payment methods such as Apple Pay or Google Pay – that already meet the new SCA requirements in a smooth and frictionless way.


Under the new regulation, specific types of low-risk payments may be exempted. The most relevant exemptions are:

Low-Risk Transactions – where real-time risk analysis determines whether to apply SCA to a transaction.

Fixed amount subscriptions – this exemption can apply when the customer makes a series of recurring payments for the same amount, to the same business.

Merchant initiated transactions – although requirements for how merchant-initiated transactions will work in practice are still being finalised, payments made with saved cards when the customer is not present in the checkout flow may fall outside the scope of SCA.

Trusted beneficiaries – where a customer registers or whitelists a business they trust to avoid having to authenticate future purchases.

Sales over the phone also known as MOTO – where card details collected over the phone fall outside the scope of SCA and do not require authentication. These payments remain Non-Secure with the liability resting with the merchant. We would always recommend a secure payment method such as Pay by Link to avoid any nasty surprises.

Corporate card payments – payments that are made with a corporate card (e.g. for employee travel expenses) and held directly with an online travel agent, as well as virtual card number corporate payments are also exempt.

If you have any questions about these changes now is the time to give us a call, our experienced team are on hand to answer your queries and make sure you are ready when the new regulations arrive.