Strong Customer Authentication Guide
Strong Customer Authentication (SCA) is used to reduce fraud and improve online and contactless payment security. But how does it work, how can you make sure your business is compliant, and what are the SCA exemptions?
Use this article as your guide to understanding Strong Customer Authentication requirements in Europe and how they affect different payment types. Learn how to stay compliant and streamline the checkout process for your customers.
Learn the following about Strong Customer Authentication
- What is Strong Customer Authentication?
- When is Strong Customer Authentication required?
- How can you authenticate an online payment?
- Are there exemptions to Strong Customer Authentication?
- Can Strong Customer Authentication exemptions fail? (And what happens if they do?)
- How MONEI helps your e-commerce business comply with Strong Customer Authentication requirements
What is Strong Customer Authentication?
Strong Customer Authentication (SCA) is a regulatory standard mandated by the European Union to mitigate fraud and enhance the security of online and contactless payments. It's a requirement of the EU Revised Directive on Payment Services (PSD2).
To comply with SCA regulations, you must integrate additional authentication measures into your business's e-commerce checkout process. SCA mandates the use of at least two out of three authentication elements, including:
- Something the customer knows (such as a password or PIN)
- Something the customer has (such as a mobile device or hardware token)
- Something the customer is (such as a biometric identifier like a fingerprint or facial recognition)
By implementing two-factor authentication, strong customer authentication helps to ensure that payments are made by authorized users, reducing the likelihood of fraudulent transactions.
For reference, the SCA requirements are outlined in the Regulatory Technical Standards (RTS). Transactions that require SCA and fail to comply with these standards must be declined by banks.
When is Strong Customer Authentication required?
Strong Customer Authentication is applicable to online and contactless offline payments initiated by customers within Europe. Most card payments and bank transfers require SCA. But recurring direct debits are categorized as "merchant-initiated" and do not require Strong Customer Authentication.
For online card payments, these regulations apply to transactions where both the business and the cardholder's bank are situated within the European Economic Area (EEA).
How can you authenticate an online payment?
3D Secure is the most common method for authenticating online card payments and is supported by the majority of European cards. With 3D Secure, an additional step is added to the checkout process. The cardholder is prompted by their bank to provide supplementary information to complete the payment (such as a one-time code sent to their phone or fingerprint authentication through their mobile banking app).
3D Secure 2.0 is the primary authentication method for online card payments and fulfills the SCA requirements while improving the user experience and reducing checkout friction.
In the case of offline card transactions, authentication requirements are met by entering a PIN.
Payment methods like Apple Pay or Google Pay (which are technically considered digital wallets that securely store card information) already include an integrated layer of authentication (biometric or password), providing a seamless checkout experience while adhering to Strong Customer Authentication requirements.
Are there exemptions to Strong Customer Authentication?
To reduce friction and increase customer satisfaction, Strong Customer Authentication exemptions can be used for low-risk payments. Payment service providers (PSPs) like MONEI can request these exemptions during payment processing, and the cardholder's bank will then assess the risk level of the transaction before deciding whether or not to approve the exemption.
Strong Customer Authentication can add friction to the checkout process and lead to a drop in customer retention. By using exemptions for low-risk transactions, you can reduce the number of times a customer needs to authenticate. That’s why at MONEI, we give you the option to configure 3D Secure authentication settings in your account. This way, you can set the criteria that work best for your business. Taking advantage of these exemptions when possible can help improve your conversion rates.
The most relevant SCA exemptions for online businesses include:
Low-value payments
Payments below €30 may be exempted from SCA as they are considered "low value". But there are limitations to this exemption: banks need to request authentication if the exemption has been used five times since the cardholder's last successful authentication, or if the total amount of previously exempted payments exceeds €100.
The cardholder's bank is responsible for keeping track of the number of times this exemption has been used and deciding whether authentication is required. While this exemption is available, it may be more relevant for most payments to use the low-risk transaction exemption due to its less strict limitations. With MONEI, you can take advantage of this exemption by configuring 3D Secure authentication settings in your account.
Low-risk transactions
Transactions that are considered low-risk based on their fraud indicators are exempt from SCA. These indicators may include the transaction amount, the frequency of transactions, and the customer's behavior history. At MONEI, we can activate this exemption for transactions below €250 as long as there are no fraud indicators, for example, a history of suspicious activity.
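The low-value and low-risk rules above as a decision routine (an added illustration, not MONEI's code or the bank's): the cardholder's bank keeps the counters in practice, so the per-card state here is an assumption, the €250 low-risk ceiling is taken from the text, and the current payment is counted toward the €100 cap (a conservative reading of the rule).

```python
from dataclasses import dataclass
from typing import List, Optional

# Thresholds in euro cents; integers avoid floating-point rounding on money.
LOW_VALUE_LIMIT = 30_00       # low-value exemption: payment below €30 ...
LOW_VALUE_MAX_USES = 5        # ... used fewer than 5 times since the last successful SCA ...
LOW_VALUE_MAX_TOTAL = 100_00  # ... and cumulative exempted amount not above €100
LOW_RISK_LIMIT = 250_00       # assumed PSP ceiling for the low-risk exemption (€250 in the text)

@dataclass
class CardholderState:
    """Counters the cardholder's bank keeps since the last successful authentication."""
    low_value_uses: int = 0
    low_value_total: int = 0        # cents exempted under low-value since last SCA
    fraud_indicators: bool = False  # e.g. a history of suspicious activity

def choose_exemption(amount: int, state: CardholderState) -> Optional[str]:
    """Exemption to request for one payment, or None when SCA must be requested.
    Low-risk is tried first (less strict limits); low-value is the fallback."""
    if amount < LOW_RISK_LIMIT and not state.fraud_indicators:
        return "low_risk"
    if (amount < LOW_VALUE_LIMIT
            and state.low_value_uses < LOW_VALUE_MAX_USES
            and state.low_value_total + amount <= LOW_VALUE_MAX_TOTAL):  # conservative: count this payment
        return "low_value"
    return None

def record_exemption(state: CardholderState, exemption: str, amount: int) -> None:
    """Advance the counters once the bank has approved an exempted payment."""
    if exemption == "low_value":
        state.low_value_uses += 1
        state.low_value_total += amount

def record_sca_success(state: CardholderState) -> None:
    """A successful authentication resets the low-value counters."""
    state.low_value_uses = 0
    state.low_value_total = 0

def simulate(amounts: List[int], state: CardholderState) -> List[Optional[str]]:
    """Run a series of payments, assuming the bank approves every requested
    exemption and that each SCA challenge (when none applies) succeeds."""
    decisions = []
    for amount in amounts:
        exemption = choose_exemption(amount, state)
        if exemption is None:
            record_sca_success(state)
        else:
            record_exemption(state, exemption, amount)
        decisions.append(exemption)
    return decisions
```

Running seven €20 payments for a card with fraud indicators shows the count limit binding on the sixth payment, while five €25 payments show the €100 cumulative cap binding first.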
Fixed-amount transactions (subscriptions)
For businesses that offer fixed-amount subscriptions, Strong Customer Authentication may not be required for subsequent charges after the customer's first payment, as long as the recurring payments are made to the same business. With MONEI, you can update the subscription amount without having to do 3D Secure authentication again. This exemption helps reduce friction in the checkout process and is supported by most European banks.
At MONEI, we enable this exemption by detecting when the transaction is a subscription or recurring payment. Our system automatically applies the exemption when relevant and can help manage authentication requests if the exemption is rejected by the customer's bank, making it easier for your business to meet SCA requirements.
Trusted beneficiaries
If customers trust a business, they may choose to allowlist it during payment authentication to avoid authenticating future purchases. These trusted businesses are added to the customer's bank or payment service provider's "trusted beneficiaries" list.
But not all banks have adopted this feature, despite the potential convenience it offers for repeat purchases or subscriptions. If you’d like to add this exemption to your MONEI account, contact support.
Merchant-initiated transactions (including variable subscriptions)
Merchant-initiated transactions are payments made with saved cards when the customer is not present in the checkout flow, also known as "off-session" payments. These transactions are technically outside the scope of SCA, but requesting an exemption is still required.
Ultimately, it’s the bank's decision whether authentication is necessary for the transaction.
To use merchant-initiated transactions, authentication of the card is needed when it's being saved or during the first payment, and a customer agreement (mandate) is necessary to charge the card later.
This exemption is essential if your business requires delayed payments, variable amount subscriptions, or additional charges. It’s supported by most European banks and is accepted when the transaction is considered low-risk.
MONEI’s Payments API lets you authenticate a card when it’s being saved for future transactions and label subsequent payments as "merchant-initiated transactions."
Lodged cards
The "lodged" card exemption pertains to payments made using corporate cards that are held directly by a particular online travel agent for managing employee travel expenses. It also applies to corporate payments made with virtual card numbers, which are frequently used in the travel sector.
This exemption doesn’t have much use outside of the travel industry and can only be requested by the cardholder's bank. Businesses and payment service providers (such as MONEI) can’t determine if a card falls under these categories.
Payments processed over the phone
Payments made over the phone, known as “Mail Order and Telephone Orders” (MOTO), are not subject to SCA and do not require authentication. But MOTO transactions must be clearly identified and the cardholder’s bank makes the final decision to approve or decline the transaction.
MOTO payments are an essential payment method for businesses that accept phone orders and are widely supported by banks. This is not an exemption that most MONEI merchants use, but if it’s required for your business, contact support to discuss setting it up.
Can Strong Customer Authentication exemptions fail? (And what happens if they do?)
It’s essential to note that although exemptions can be beneficial, it’s the cardholder's bank that ultimately decides whether to accept an exemption. In instances where authentication is missing, banks may return new decline codes for failed payments. These payments have to be resubmitted to the customer, accompanied by a request for Strong Customer Authentication. MONEI’s SCA-ready products are designed to trigger this additional authentication automatically when banks require it.
How MONEI helps your e-commerce business comply with Strong Customer Authentication requirements
The implementation of this regulation has a profound impact on e-commerce in Europe. By failing to comply with these requirements, you risk a significant decline in conversion rates as SCA enforcement continues across European banks.
To address these challenges, we offer authentication methods like 3D Secure 2.0 and carefully handle exemptions to build a frictionless payment experience. Our payments products comply with regulatory, bank, and card network rules, and our Payments API uses SCA logic to apply the correct exemption and trigger 3D Secure authentication only when it’s required.
We are constantly updating our SCA logic to comply with changing regulations and enforcement timelines across different countries.
Strong Customer Authentication FAQ
What are the available two-factor Strong Customer Authentication methods?
The available two-factor authentication methods include SMS-based one-time passwords, mobile push notifications, biometric authentication, and hardware tokens.
What are the consequences of non-compliance with SCA?
Failure to comply with the SCA requirement may result in declined payments or chargebacks, leading to financial losses and damage to your business's reputation.
How can merchants notify their customers about SCA?
You can notify your customers about SCA through email, SMS, or in-app notifications.
What should merchants do to implement SCA?
To implement SCA, merchants should assess their transactions, choose a two-factor authentication method, notify their customers about SCA, and test their implementation to ensure that it is working correctly.
Is SCA only applicable to merchants based in the EU?
No, SCA is applicable to merchants who accept payments from European Union (EU) customers, regardless of their location.
Can customers opt out of SCA?
No, customers cannot opt out of SCA as it is a regulatory requirement. But customers can allowlist trusted merchants as trusted beneficiaries, which would exempt future transactions with those merchants from SCA.
Alexis Damen is the Head of Content at MONEI. She loves breaking down complex topics about payments, e-commerce, and retail to help merchants succeed (with MONEI as their payments partner, of course).