Fraud Prevention Knowledge Guide

3D Secure

Strong Customer Authentication (SCA)

How Did the Transaction Process Change Due to Stronger ID Standards?

Harlan Hutson | March 17, 2026 | 7 min read
What is Strong Customer Authentication (SCA)?

In a Nutshell

SCA regulations are now the law of the land in Europe. But what exactly are these rules, and how might they affect your business here in the US and abroad? This article will explore what SCA regulations are, who they affect, how they’re working thus far… and what you might expect in the near future.

The State of Strong Customer Authentication: Does it Help or Hinder Online Commerce?

Strong customer authentication regulations are now fully live and enforceable across Europe. But how do these rules affect your business? What do they mean for chargebacks and fraud liability? And if you're based outside the EU, should you even care?

This chapter explains what SCA regulations are, who they affect, how they connect to chargeback liability, and what merchants can do to stay compliant without sacrificing conversions.


Does SCA Apply to My Business?

Before diving into the details, I want to answer the threshold question: do strong customer authentication requirements actually apply to you?

SCA requirements apply to transactions where both your acquiring bank and the cardholder’s issuing bank are located in the European Economic Area (EEA) or the United Kingdom. If either party is outside this region (what regulators call a "one-leg-out" transaction), then SCA is not strictly required.

This means US-based merchants selling to EU customers are currently exempt from mandatory SCA compliance. However, there are reasons to pay attention anyway. Australia, Mexico, Turkey, and Japan have already adopted or are actively considering their own SCA regimes. The card networks are also promoting voluntary compliance with SCA standards through 3D Secure 2.0 adoption. As more of the global payment community embraces these requirements, US merchants may find themselves subject to similar rules sooner than expected.

If you’re an EEA or UK-based merchant, or if you process payments through an EEA-based acquirer, then SCA compliance is mandatory. Non-compliant transactions will be declined by issuers.

What is Strong Customer Authentication?

Strong Customer Authentication

[noun]/strôNG • kəs • tə • mər • ô • THen • tə • kā • SHən/

Strong customer authentication is a regulatory requirement introduced under the EU's Revised Payment Services Directive (PSD2). It mandates that electronic payments be authenticated using at least two of three independent factors: knowledge, possession, or inherence.

In simple terms, the rule requires an extra layer of authentication during checkout for transactions conducted in the EEA or the United Kingdom. Limiting verification to card number, billing address, and CVV is no longer enough. Merchants must now verify the buyer’s identity according to at least two of the following three factors:

  • Knowledge: something only the buyer knows, such as a password or PIN
  • Possession: something only the buyer has, such as a registered phone or hardware token
  • Inherence: something the buyer is, such as a fingerprint or facial scan

These factors must be independent of one another: the compromise of one must not compromise the others. If a transaction requires SCA and the cardholder cannot satisfy two of these factors, the issuing bank will decline the payment.

Strong Customer Authentication Examples

The primary mechanism for delivering SCA in card-not-present transactions is 3D Secure (3DS). This protocol adds an authentication step after checkout, where the cardholder is prompted by their bank to verify their identity.

In practice, SCA typically looks like one of the following scenarios:

  1. A customer enters their card details, then receives a one-time passcode via SMS (possession) and enters their banking app PIN (knowledge) to confirm
  2. A customer authenticates through their mobile banking app using fingerprint recognition (inherence) on their registered device (possession)
  3. A customer confirms a purchase via push notification to their phone (possession) and verifies with facial recognition (inherence)

The specific authentication method is determined by the cardholder’s issuing bank. Different banks implement different challenge flows, which is one reason customer experiences can vary significantly.

Does SCA Protect You From Chargebacks?

TL;DR

SCA offers some protection against chargebacks. But, it does not guarantee that a chargeback will not happen.

This is where a lot of merchants have misconceptions. Strong customer authentication can reduce fraud-related chargebacks, but it does not make transactions “chargeback-proof.”

When a transaction is successfully authenticated through 3-D Secure, liability for certain fraud-related chargebacks shifts from the merchant to the card issuer. If a criminal uses stolen card credentials and defeats the authentication challenge, then the issuer — not the merchant — bears responsibility for the resulting fraud claim. However, this liability shift has important limitations:


It Only Applies to Specific Scenarios

The liability shift covers unauthorized transaction claims where the cardholder denies making the purchase. It does not protect merchants against friendly fraud, service disputes, or claims related to product quality, non-delivery, or subscription cancellations. These chargebacks remain the merchant’s responsibility regardless of authentication status.

“Attempted” Authentication May Not Fully Protect You

If the issuer’s authentication system is unavailable, then the transaction can proceed with an “attempted” status. But, applicable rules vary by card network and circumstance. Merchants should not assume they’re protected simply because 3DS was initiated.


The Issuer Can Still Decline Liability

Card networks have specific requirements for how authentication data must be passed in authorization requests. Technical errors or missing data can void the liability shift even on authenticated transactions.


SCA Exemptions & Exclusions

TL;DR

Not every transaction requires the full SCA treatment. PSD2 includes several exemptions designed to reduce friction for lower-risk scenarios, including low-value transactions, recurring payments, “one leg” transactions, and more.

Strong customer authentication regulations will not necessarily apply to every transaction. As of this writing, SCA only affects transactions where both the payer’s and the payee’s payment service providers are located in the EEA or the UK. If one party is outside this region (a “one-leg-out” transaction), then SCA won’t be required.

Also, there are a number of conditions that can make a transaction exempt from these requirements, including:

Corporate/Virtual Card Transactions

Virtual payment cards, as well as corporate cards not issued in the cardholder’s name, are both exempted from SCA standards.

Fixed-Amount Subscriptions

This exemption applies when customers make recurring payments for the same amount, to the same business, over a fixed period of time. SCA would be required for the first payment (unless another exemption applies), but any additional charges are exempt.

Low-Value Transactions

Transactions valued at less than €30 are exempt from SCA. This exemption is subject to a velocity limit of five consecutive transactions or €100 cumulatively before SCA is required again.

Mail Order

Mail order transactions are not included, as two-factor authentication is difficult to conduct effectively via physical mail.

Merchant-Initiated Transactions

Transactions initiated by a merchant without the cardholder present, such as rebills under a subscription with a variable amount, are out of scope of SCA once the initial cardholder-initiated transaction that set up the agreement has been authenticated.

Phone Sales

Same as with mail-order transactions, any cardholder information collected over the phone does not require additional SCA authentication. However, merchants have to flag each phone sale as such to allow the bank one final chance to approve or deny the transaction.

Whitelisted Transactions

After an SCA-verified purchase, consumers can opt to whitelist the merchant, making successive SCA checks unnecessary. The seller must implement 3D Secure 2.0 to use this functionality, though.

Payment service providers may also provide other tools to help merchants adjust to SCA. Some commonly cited offerings include rule-based fraud screening, exemption management, and delegation of exemption. Perhaps the most important of these, however, is transaction risk analysis.

Important!

Merchants can request exemptions, but the issuing bank makes the final decision. If an exemption is rejected, the transaction must either proceed through full authentication or be declined.
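The scope rules and exemptions above interact (a transaction can be out of scope, exempt, or hit a velocity limit that makes it require SCA again), so it helps to see them as one decision procedure. The following is an added example written for this chapter, not code from Chargebacks911 or any payment provider. It models the merchant-side request: the `Transaction` fields, the `CardState` counters, and the region labels are assumptions for illustration, and the issuer still has the final say on any exemption the merchant asks for.

```python
from dataclasses import dataclass, field

# Thresholds from the PSD2 low-value exemption as the chapter describes them:
# under EUR 30 per transaction, and at most five consecutive exempt transactions
# or EUR 100 cumulative since the last SCA.
LOW_VALUE_LIMIT_EUR = 30.00
LOW_VALUE_CUMULATIVE_EUR = 100.00
LOW_VALUE_MAX_CONSECUTIVE = 5
IN_SCOPE_REGIONS = {"EEA", "UK"}


@dataclass
class CardState:
    """Per-card counters and trusted-merchant list (assumed issuer-side bookkeeping)."""
    consecutive_low_value: int = 0
    cumulative_low_value_eur: float = 0.0
    trusted_merchants: set = field(default_factory=set)

    def reset_low_value(self):
        self.consecutive_low_value = 0
        self.cumulative_low_value_eur = 0.0


@dataclass
class Transaction:
    amount_eur: float
    merchant_id: str
    acquirer_region: str            # where the merchant's PSP is located (assumed label)
    issuer_region: str              # where the cardholder's bank is located (assumed label)
    channel: str = "ecommerce"      # or "moto" for mail order / telephone order
    initiator: str = "cardholder"   # or "merchant" for merchant-initiated rebills
    recurring_fixed: bool = False   # same amount, same payee, agreed series
    first_in_series: bool = True
    corporate_card: bool = False    # dedicated corporate / virtual card programme


def sca_decision(tx, state):
    """Return (requires_sca, reason) for one transaction and update the card's counters.

    Order matters: scope checks first, then exemptions, then the low-value velocity
    limits. The result is what the merchant would request; the issuer may still
    insist on a challenge.
    """
    if not {tx.acquirer_region, tx.issuer_region} <= IN_SCOPE_REGIONS:
        return False, "out_of_scope:one_leg_out"
    if tx.channel == "moto":
        return False, "out_of_scope:moto"
    if tx.initiator == "merchant":
        return False, "out_of_scope:merchant_initiated"
    if tx.corporate_card:
        return False, "exempt:secure_corporate_payment"
    if tx.recurring_fixed and not tx.first_in_series:
        return False, "exempt:recurring_fixed_amount"
    if tx.merchant_id in state.trusted_merchants:
        return False, "exempt:trusted_beneficiary"
    if tx.amount_eur < LOW_VALUE_LIMIT_EUR:
        over_count = state.consecutive_low_value + 1 > LOW_VALUE_MAX_CONSECUTIVE
        over_sum = state.cumulative_low_value_eur + tx.amount_eur > LOW_VALUE_CUMULATIVE_EUR
        if over_count or over_sum:
            # Velocity limit reached: SCA is required, and performing it resets both counters.
            state.reset_low_value()
            return True, "sca_required:low_value_velocity_limit"
        state.consecutive_low_value += 1
        state.cumulative_low_value_eur += tx.amount_eur
        return False, "exempt:low_value"
    # No exemption applies; a full SCA also resets the low-value counters.
    state.reset_low_value()
    return True, "sca_required:no_exemption"


def run_series(transactions, state=None):
    """Apply sca_decision to a list of transactions on one card and return the reasons."""
    state = state or CardState()
    return [sca_decision(tx, state)[1] for tx in transactions]


def card_testing_probe(n, amount_eur=5.00):
    """Constructed scenario: one low-value probe on each of n different stolen cards.

    Each card carries its own counters, so every probe stays exempt and the
    velocity limit never triggers across cards.
    """
    return [sca_decision(Transaction(amount_eur, "shop-1", "EEA", "EEA"), CardState())[1]
            for _ in range(n)]


if __name__ == "__main__":
    # Constructed sample: five EUR 20 purchases, then a sixth low-value purchase.
    series = [Transaction(20.00, "shop-1", "EEA", "EEA") for _ in range(5)]
    series.append(Transaction(5.00, "shop-1", "EEA", "EEA"))
    for reason in run_series(series):
        print(reason)
```

Running the sample prints `exempt:low_value` five times and then `sca_required:low_value_velocity_limit`: the sixth purchase is still under €30 but breaches the five-in-a-row limit. `card_testing_probe` shows the flip side: spreading one small charge across many cards never trips a per-card counter, which is why the low-value exemption does little against card testing.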

Common Question

Does SCA cause more friction?

The process does, inevitably, create friction in the customer journey. But, far less than it used to.

Under the original 3DS 1.0 protocol, authentication added significant friction due to redirects to external pages, unreliable SMS delivery, and poor mobile optimization. These contributed to abandonment rates as high as 30%. With 3DS 2.0, though, risk-based authentication allows most legitimate transactions to pass through frictionless flows without any customer interaction, and when challenges are required, they're embedded directly in the checkout rather than redirecting to a separate window.

Is SCA Working?

Well, yes and no.

With fraud rates constantly in flux, it’s difficult to pinpoint how much of an impact strong customer authentication has had on eCommerce in just one year. However, one company reported that SCA technology helped it record 2,000 fewer cases of fraud each month last year. Its research also showed that 68% of its customers are happy to enter a texted passcode into its banking app.

Despite these findings, many companies argue that SCA isn’t actually stopping fraudsters. Instead, they’re just switching tactics. For instance, if a fraudster keeps each attempt below the low-value exemption threshold (€30, or £30 in the UK), they may run stolen credentials through without ever triggering a challenge.

Card testing, for example, is a fast-growing problem for eCommerce brands. Payment processor Stripe reported in 2022 that they’d detected more than 20 million card testing attempts per day. Because the amounts involved fall well below the low-value threshold, strong customer authentication would not be applied to these transactions.


Minimizing Cart Abandonment Under SCA

Cart abandonment was a legitimate concern under 3DS 1.0, where clunky redirect flows and unreliable SMS delivery frustrated customers.

3DS 2.0 substantially improves the experience. The risk-based authentication model means many legitimate customers pass through frictionless flows without any additional steps. When challenges are required, they can be embedded directly within checkout, rather than redirecting the buyer to a separate window.

You can further reduce friction by adopting a few key best practices:

  • Optimize Exemption Requests: Work with your payment provider to apply appropriate exemptions for qualifying transactions. This will cut down on unnecessary authentication challenges.
  • Enable Biometric Authentication: Mobile wallet payments through Apple Pay and Google Pay use device-based biometrics, which customers often find faster and more intuitive than one-time passcodes.
  • Communicate: Providing brief messages explaining why additional verification is required can reduce confusion and abandonment. Customers who understand the security benefit are more likely to complete the process.
  • Ensure Mobile Optimization: A significant portion of eCommerce traffic originates on mobile devices. So, authentication flows have to work seamlessly on mobile devices, just like they would on desktop.

What To Do When SCA Fails

Authentication failures happen. The cardholder may enter an incorrect passcode, the one-time passcode may expire, or the issuer’s access control server (ACS) may time out. When this happens, you still have some options.

First, identify the failure reason. Review the error response from your 3DS server and determine whether the issue was technical (server unavailable, timeout), cardholder-driven (failed challenge), or enrollment-related (card not registered for 3DS).

For cardholder failures, prompting a retry is often effective. The customer may have mistyped a code or missed a push notification. Clear, reassuring messaging helps prevent abandonment.

For issuer-side timeouts, the transaction may return an “attempted” status. Depending on your risk tolerance and the specific circumstances, you may choose to proceed with authorization. Understand that liability protection may be limited or absent, though.

For persistent technical failures, escalate to your payment service provider. Patterns in failure data can reveal integration issues or systemic problems that require attention.

In rare cases involving widespread technical outages, merchants may flag the SCA Authentication Outage Indicator in authorization requests. This signals to issuers that authentication could not be completed due to infrastructure issues. However, this flag has strict usage limits and should only be applied when authentication has been unavailable for at least five minutes with multiple failed attempts.
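The failure-handling steps above (classify the result, retry cardholder failures, treat issuer timeouts as a risk decision, watch for patterns) and the earlier warning that missing authentication data in the authorization request can void the liability shift both come down to reading the 3DS result correctly. The following is an added example for this chapter, not code from Chargebacks911 or any 3DS server vendor. It uses the standard EMV 3DS `transStatus` letters and the usual scheme ECI values; the `ThreeDSResult` shape, the `enrolled` flag, the retry budget, and the action names are assumptions chosen for illustration, and the rules your acquirer and the card networks actually apply govern what happens in production.

```python
from dataclasses import dataclass
from typing import Optional

# EMV 3DS transStatus values (standard protocol values).
AUTHENTICATED = "Y"       # cardholder authenticated
ATTEMPTED = "A"           # attempts processing performed; issuer/ACS could not authenticate
NOT_AUTHENTICATED = "N"   # cardholder failed the challenge
UNAVAILABLE = "U"         # technical problem or ACS timeout, no authentication possible
CHALLENGE = "C"           # challenge required before a result is known
REJECTED = "R"            # issuer rejected authentication; do not retry

# ECI values that signal authenticated or attempted authentication for the two
# largest schemes (the usual published values; check your acquirer's mapping).
ECI_LIABILITY_SHIFT = {
    "visa": {"05", "06"},
    "mastercard": {"02", "01"},
}


@dataclass
class ThreeDSResult:
    """Assumed shape of what a 3DS server hands back after authentication."""
    trans_status: Optional[str]        # None if no response arrived at all
    enrolled: bool = True              # card range supports 3DS (assumed flag)
    eci: Optional[str] = None
    cavv: Optional[str] = None         # authentication value (CAVV / AAV)
    ds_trans_id: Optional[str] = None  # directory server transaction ID
    trans_status_reason: Optional[str] = None


def classify_failure(result):
    """Bucket a non-success result as 'technical', 'cardholder' or 'enrollment' (None on success)."""
    if not result.enrolled:
        return "enrollment"
    if result.trans_status in (None, UNAVAILABLE):
        return "technical"
    if result.trans_status in (NOT_AUTHENTICATED, REJECTED):
        return "cardholder"
    return None


def next_action(result, retries_so_far, max_retries=2):
    """Decide the merchant-side next step after a 3DS result."""
    if result.trans_status == AUTHENTICATED:
        return "authorize"
    if result.trans_status == CHALLENGE:
        return "present_challenge"
    if result.trans_status == ATTEMPTED:
        return "authorize_as_attempted"      # liability protection may be limited
    bucket = classify_failure(result)
    if bucket == "enrollment":
        return "authorize_without_3ds"       # SCA cannot be performed on this card
    if bucket == "cardholder":
        if result.trans_status == REJECTED:
            return "decline"                 # issuer said no; a retry only annoys the buyer
        return "retry" if retries_so_far < max_retries else "decline"
    if bucket == "technical":
        return "retry" if retries_so_far < max_retries else "authorize_at_own_risk"
    return "decline"


def liability_shift_ready(result, scheme):
    """Check the authorization payload carries what the liability shift needs.

    Returns (ready, missing). Missing CAVV, DS transaction ID or a non-shift ECI
    means the shift can be voided even though the cardholder authenticated.
    """
    missing = []
    if result.trans_status not in (AUTHENTICATED, ATTEMPTED):
        missing.append("transStatus not Y/A")
    if not result.cavv:
        missing.append("cavv")
    if not result.ds_trans_id:
        missing.append("dsTransID")
    allowed = ECI_LIABILITY_SHIFT.get(scheme.lower())
    if allowed is None:
        missing.append(f"unknown scheme {scheme}")
    elif result.eci not in allowed:
        missing.append(f"eci {result.eci!r} not in {sorted(allowed)}")
    return (not missing), missing


def failure_pattern(results):
    """Count failure buckets over a batch; a spike in 'technical' points at the integration or ACS."""
    counts = {"technical": 0, "cardholder": 0, "enrollment": 0}
    for r in results:
        bucket = classify_failure(r)
        if bucket:
            counts[bucket] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample results, as a 3DS server might return them over one hour.
    batch = [ThreeDSResult("Y", eci="05", cavv="AAABBJ...", ds_trans_id="c1f3"),
             ThreeDSResult("N"), ThreeDSResult("U"), ThreeDSResult(None), ThreeDSResult("A", eci="06")]
    for r in batch:
        print(r.trans_status, "->", next_action(r, retries_so_far=0))
    print(failure_pattern(batch))
```

The point of `liability_shift_ready` is to run it before sending the authorization request, not after the chargeback arrives: an authenticated transaction that reaches the network with an empty CAVV or a 07/00 ECI is an unauthenticated transaction as far as the liability rules are concerned. `failure_pattern` is the cheap version of the "look for patterns" advice: two cardholder failures an hour is normal, twenty technical ones is an integration ticket.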

FAQs

What does ‘strong customer authentication required’ mean?

If a transaction requires strong customer authentication, that means it requires additional verification in order to be completed. This is required for all in-scope transactions completed in the EEA or UK, unless the transaction meets a condition on the list of exemptions outlined in the revised Payment Services Directive (PSD2).

What are strong customer authentication principles?

Compliance with SCA means merchants must now verify buyers’ identities according to at least two of the following three factors: knowledge (something only the buyer knows, like a PIN or password), possession (something only the buyer has, like a registered phone or hardware token), or inherence (a fingerprint, facial recognition scan, etc.).

What is an example of strong customer authentication?

One-time passcodes (OTPs) are one example of strong authentication, as is two-factor authentication via email or text, or a facial recognition scan.

What are the three main types of authentication?

You must authenticate cardholders through something they know, something they have, or something they are (knowledge, possession, or inherence). These can include passcodes, a registered phone or hardware token, or fingerprints and facial scans. Static card details such as the card number and CVV do not count as a possession factor.
