
What is SCA (Strong Customer Authentication)?

Complexity: Working
Shows up: Occasional
Scope: Optional
Operator relevance: Important
Quick definition

SCA is a regulatory requirement under PSD2 (and PSD3 as it rolls out) that most electronic payments in the European Economic Area authenticate the cardholder with two of three factors: something they know, something they have, something they are. In practice it mandates 3D Secure for EEA e-commerce transactions.

The short answer

SCA (Strong Customer Authentication) is a regulatory requirement from the European Union's Revised Payment Services Directive (PSD2), in force since September 2019 and fully enforced since early 2021. It requires that most electronic payments authenticate the cardholder with at least two independent factors drawn from: knowledge (password, PIN), possession (phone, hardware token), and inherence (biometric — fingerprint, face). For online card payments, this is almost always implemented via EMV 3DS — the issuer's app triggers a push notification / biometric / OTP at checkout.

Who has to comply

  • Any merchant accepting cards from customers in the European Economic Area (EEA).
  • Any merchant accepting cards issued by an EEA bank, regardless of merchant location — a U.S. merchant selling to a German customer with a Deutsche Bank card is subject to SCA.
  • Since Brexit, the UK has its own functionally equivalent SCA regime, enforced by the FCA.

The exemption list — where SCA doesn't fire

  • Low-value transactions: Under €30, subject to counters: after 5 exempted payments or €100 cumulative, SCA is required again.
  • Transaction Risk Analysis (TRA): If the acquirer has low fraud rates and scores the transaction as low-risk, exemption applies (up to €500 depending on acquirer fraud tier).
  • Merchant-initiated transactions (MITs): Subscription renewals after initial authenticated setup. See card-on-file.
  • Trusted beneficiaries: Customer has whitelisted the merchant with their issuer.
  • Corporate cards and secure corporate payment protocols.
  • Mail-order / telephone-order (MOTO): Not electronic in the PSD2 sense — out of scope.
  • One-leg-out: When one party is outside the EEA, SCA isn't required (but issuers may still soft-decline).

What operators need to know

  • Without 3DS, EEA transactions soft-decline. Non-3DS auth requests on EEA cards come back with "SCA required" response codes. You have to retry with 3DS.
  • 3DS frictionless is possible. Risk-based 3DS (3DS 2.x) can authenticate without user interaction if the issuer's risk engine scores the transaction low-risk. Most EEA transactions end up frictionless.
  • Request exemptions intelligently. A well-configured checkout flags TRA-eligible transactions and low-value exemptions, reducing the frequency of challenge (full biometric/OTP) flows. Lower challenge rate = higher conversion.
  • PSD3 is coming. The European Commission's PSD3 proposal (finalized 2024-2025, rolling out 2026-2028) tightens SCA further — narrower exemptions, mandatory liability shifts, stricter enforcement on merchants who under-implement.
  • Subscription businesses benefit from MIT exemption. After initial SCA-authenticated setup, subsequent monthly charges don't need SCA. Capture the initial SCA correctly and downstream stays smooth.
  • Multi-brand operators need SCA compliance per brand, with each brand's 3DS integration tested. A bad 3DS integration on one brand breaks EEA revenue on that brand without affecting others.
  • U.S.-only merchants are mostly unaffected. But if any EEA revenue flows through, SCA applies. Watch for expansion — Singapore, Australia, and others are exploring similar regimes.
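To make the exemption list and the soft-decline handling above concrete, here is an added Python example; it is not code from this glossary or from multiflow. It turns the thresholds the entry quotes (€30 low-value limit, 5 payments / €100 cumulative counters, TRA up to the acquirer's tier limit, MIT after an authenticated setup, MOTO and one-leg-out out of scope) into a decision function, keeps a merchant-side estimate of the issuer's low-value counters, and models the retry after an "SCA required" soft decline. The `SCA_REQUIRED` response value, the issuer stub, the `honours` parameter and the `CardState`/`Transaction` types are constructed for illustration; real response codes are scheme- and processor-specific, and the authoritative counters live at the issuer.

```python
"""Added example (not the glossary's or any processor's code): pick which SCA
exemption to request for an EEA card payment, then handle the issuer's
"SCA required" soft decline by running 3DS and retrying.

Thresholds are the ones the glossary quotes. The issuer stub, the SCA_REQUIRED
code and the merchant-side counter copy are constructed; the issuer's own
counters are authoritative and real response codes vary by scheme/processor.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

LOW_VALUE_LIMIT_EUR = 30.00
LOW_VALUE_MAX_COUNT = 5
LOW_VALUE_MAX_CUMULATIVE_EUR = 100.00
SCA_REQUIRED = "SCA_REQUIRED"  # constructed placeholder for the soft-decline response
APPROVED = "APPROVED"
ALL_EXEMPTIONS = frozenset({"out_of_scope", "mit", "trusted_beneficiary", "low_value", "tra"})


@dataclass
class CardState:
    """Merchant-side estimate of the issuer's per-card counters since the last SCA."""
    low_value_count: int = 0
    low_value_cumulative_eur: float = 0.0
    mandate_authenticated: bool = False  # initial SCA completed for card-on-file / MIT


@dataclass
class Transaction:
    amount_eur: float
    merchant_initiated: bool = False     # subscription renewal, cardholder not present
    setup_card_on_file: bool = False     # cardholder-present payment that also stores the card
    trusted_beneficiary: bool = False    # cardholder whitelisted the merchant at the issuer
    moto: bool = False                   # mail-order / telephone-order
    one_leg_out: bool = False            # one party outside the EEA
    acquirer_tra_limit_eur: float = 0.0  # 0 means the acquirer's fraud tier allows no TRA
    tra_low_risk: bool = False           # acquirer risk engine scored the payment low-risk


def select_exemption(tx: Transaction, card: CardState) -> Optional[str]:
    """Return the exemption to request, or None when SCA must be performed."""
    if tx.moto or tx.one_leg_out:
        return "out_of_scope"
    if tx.merchant_initiated:
        # MITs rely on the SCA done at setup; without it there is nothing to rely on.
        return "mit" if card.mandate_authenticated else None
    if tx.setup_card_on_file:
        return None  # force SCA at setup so downstream MITs stay exempt
    if tx.trusted_beneficiary:
        return "trusted_beneficiary"
    if (tx.amount_eur < LOW_VALUE_LIMIT_EUR
            and card.low_value_count < LOW_VALUE_MAX_COUNT
            and card.low_value_cumulative_eur + tx.amount_eur <= LOW_VALUE_MAX_CUMULATIVE_EUR):
        return "low_value"
    if tx.tra_low_risk and 0 < tx.amount_eur <= tx.acquirer_tra_limit_eur:
        return "tra"
    return None


def issuer_authorize(exemption: Optional[str], authenticated: bool,
                     honours: FrozenSet[str]) -> str:
    """Constructed issuer stub: approves authenticated payments and exemptions it honours,
    soft-declines everything else with the SCA_REQUIRED placeholder."""
    if authenticated or (exemption is not None and exemption in honours):
        return APPROVED
    return SCA_REQUIRED


def authorize_with_retry(tx: Transaction, card: CardState,
                         honours: FrozenSet[str] = ALL_EXEMPTIONS) -> dict:
    """Request the exemption first; on a soft decline run 3DS (cardholder present) and retry."""
    exemption = select_exemption(tx, card)
    result = issuer_authorize(exemption, authenticated=False, honours=honours)
    ran_3ds = False
    if result == SCA_REQUIRED:
        if tx.merchant_initiated:
            # Nobody is present to pass a challenge: surface the soft decline so the
            # operator can schedule a cardholder-initiated re-authentication instead.
            return {"exemption": exemption, "result": result, "ran_3ds": False}
        # 3DS 2.x run: frictionless if the issuer's risk engine allows, otherwise a
        # challenge (app push / biometric / OTP). Modelled here as succeeding.
        ran_3ds = True
        result = issuer_authorize(exemption, authenticated=True, honours=honours)
    _update_card(card, tx, exemption, ran_3ds)
    return {"exemption": exemption, "result": result, "ran_3ds": ran_3ds}


def _update_card(card: CardState, tx: Transaction, exemption: Optional[str],
                 authenticated: bool) -> None:
    if authenticated:
        # A completed SCA resets the low-value counters...
        card.low_value_count = 0
        card.low_value_cumulative_eur = 0.0
        if tx.setup_card_on_file:
            card.mandate_authenticated = True  # ...and anchors future MITs
    elif exemption == "low_value":
        card.low_value_count += 1
        card.low_value_cumulative_eur += tx.amount_eur
```

Running six €20 payments against one `CardState` shows the counter behaviour the entry describes: the first five ride the low-value exemption without 3DS, the sixth returns `None` from `select_exemption`, is soft-declined, goes through 3DS and resets the counters. A `merchant_initiated` payment on a card with no authenticated setup comes back as a soft decline that is not retried, which is the failure mode subscription operators hit when the initial SCA was not captured.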
