On this page
- How SCA Works
- 3DS2 Mechanics
- Liability Shift
- SCA Exemptions
- Transaction Risk Analysis (TRA)
- Low-Value Transactions
- Trusted Beneficiaries (Merchant Whitelisting)
- Recurring Transactions / Merchant-Initiated Transactions (MITs)
- Out-of-Scope Transactions
- Benchmarks (as-of various dates)
- Frictionless vs Challenge Rates
- Authentication Success Rates by Country
- Consumer Abandonment Signal
- Stripe Optimisation Impact
- Contradictions
- UK vs EU Divergence
- PSD3 and PSR — Upcoming Changes
- Fashion Ecommerce Implications
- Key terms
Strong Customer Authentication (SCA / PSD2)
Strong Customer Authentication (SCA) is a European regulatory requirement under PSD2 (Payment Services Directive 2) that mandates multi-factor authentication for customer-initiated electronic payments. For ecommerce merchants selling into Europe, it is one of the most consequential payment rules: executed well, it shifts fraud liability to the issuer; executed poorly, it adds checkout friction and abandonment. The primary technical mechanism for implementing SCA on card payments is 3D Secure 2 (3DS2).
How SCA Works
SCA requires at least two of three authentication elements (Stripe, stripe.com/guides/strong-customer-authentication):
| Factor | Examples |
|---|---|
| Knowledge | PIN, password, security question |
| Possession | OTP to registered device, banking app push notification |
| Inherence | Fingerprint, face recognition, voice biometric |
SCA applies to customer-initiated online payments where both the merchant's PSP and the cardholder's bank are located in the EEA (or UK, for UK-regulated payments). Cross-border "one-leg-out" transactions where only one party is in scope are excluded. (Stripe, stripe.com/guides/strong-customer-authentication)
3DS2 Mechanics
3D Secure 2 (3DS2) is the dominant card-payment implementation of SCA. It replaced 3DS1, support for which was discontinued October 15, 2022. 3DS2 sends over 100 data elements to the card network and issuing bank's Access Control Server (ACS), compared to fewer than 10 under 3DS1, enabling far more precise risk decisions. (ProcessOut, processout.com/blog/sca-finding-the-balance-between-risk-and-friction, data as-of March 2024)
There are two possible paths through 3DS2:
- Frictionless flow: device fingerprint and transaction data are assessed silently in the background; no cardholder input is required; the transaction completes transparently.
- Challenge flow: the issuer determines the transaction risk is too high for frictionless approval and prompts the cardholder for explicit authentication (OTP, biometric, app confirmation).
The issuing bank, not the merchant, decides which path applies. The merchant and PSP can influence this decision by sending richer data and requesting exemptions, but cannot control the final outcome. (ProcessOut, processout.com, March 2024)
3DS 2.2 (dominant spec as-of March 2024) introduced two advanced capabilities:
- Delegated authentication: a merchant with FIDO-compliant biometric capability (e.g., fingerprint in their own app) can pass authentication data directly to the issuer, potentially removing the 3DS redirect entirely. Adoption among issuers is noted as limited as-of March 2024. (ProcessOut, processout.com)
- Decoupled authentication: the challenge can occur up to 7 days after the payment request in a separate channel — useful for high-value B2B transactions. (ProcessOut, processout.com)
Liability Shift
SCA's liability shift is one of its most strategically important features (Stripe, stripe.com/guides/strong-customer-authentication):
| Scenario | Fraud chargeback liability |
|---|---|
| 3DS challenge completed successfully | Shifts to issuer |
| Frictionless flow granted (no exemption requested) | Typically shifts to issuer |
| SCA exemption applied by merchant/PSP | Stays with merchant/acquirer |
| Transaction is out of SCA scope | Outside the framework entirely |
This means exemption strategies trade friction reduction against accepting fraud liability — a calibration merchants must manage actively.
SCA Exemptions
Visa Europe estimated that as many as 40–50% of ecommerce transactions by volume could be exempt from SCA (Checkout.com, checkout.com/blog/building-an-sca-exemption-strategy, 2022-03-18).
The four main exemptions available to ecommerce merchants (Stripe, stripe.com/guides/strong-customer-authentication):
Transaction Risk Analysis (TRA)
Real-time risk scoring by the PSP (not the merchant). TRA exemptions are tiered to the PSP's fraud rate:
| PSP fraud rate | Max transaction value for TRA exemption |
|---|---|
| Below 0.13% | Up to €100 |
| Below 0.06% | Up to €250 |
| Below 0.01% | Up to €500 |
| Any rate | No TRA exemption above €500 |
Because TRA is an exemption rather than an authentication, fraud liability for a TRA-exempted transaction stays with the merchant/acquirer; the issuer can also refuse the exemption and soft-decline, in which case the payment must be retried with SCA.
Low-Value Transactions
Transactions below €30 / £25 are eligible for a low-value exemption. Hard limits apply, counted from the cardholder's last SCA:
- The exemption is no longer available after 5 consecutive exempted payments, or
- Once the cumulative value of exempted payments exceeds €100 / £85
Both counters reset the next time SCA is performed. The cardholder's bank chooses which limit to track, and the merchant cannot see the issuer's counters, making low-value exemptions unpredictable for merchants. (Stripe, stripe.com/guides/strong-customer-authentication)
Trusted Beneficiaries (Merchant Whitelisting)
A cardholder can add a merchant to a trusted list maintained by their issuing bank. Future purchases at that merchant are then SCA-exempt. Stripe notes bank adoption of whitelisting has been slow. (Stripe, stripe.com/guides/strong-customer-authentication)
Recurring Transactions / Merchant-Initiated Transactions (MITs)
- Subscriptions for a fixed amount to the same merchant require SCA only on the first payment. Subsequent charges are exempt as merchant-initiated transactions (MITs).
- MITs made off-session with stored credentials are entirely out of SCA scope — provided SCA was performed and a valid mandate was obtained at card-saving time.
- ProcessOut recommends passing `challenge_indicator = "challenge-requested-mandate"` for the initial CIT (Customer Initiated Transaction) in an MIT chain. (ProcessOut, processout.com, March 2024)
Out-of-Scope Transactions
Not subject to SCA at all:
- MOTO (mail order/telephone order) — must be correctly flagged as MOTO
- One-leg-out transactions (only one party in EEA/UK)
- Anonymous prepaid card transactions below €150
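A merchant-side exemption router that encodes the rules from the Liability Shift, SCA Exemptions and Out-of-Scope sections above, as an added example written for this page (it is not Stripe's, ProcessOut's or any PSP's code). The `Transaction` fields, the assumption that the merchant knows the issuer-side low-value counters, the country subset and the `liability_appetite_eur` parameter are constructed for the example; the EUR thresholds are the RTS values quoted above.

```python
"""Merchant-side SCA routing: decide which exemption (if any) to request for a
card payment and who carries fraud liability as a result.

Illustrative example written for this page; it is not any PSP's API.  The
thresholds are the PSD2 RTS values quoted above; the Transaction fields and
the `liability_appetite_eur` parameter are assumptions made for the example.
"""
from dataclasses import dataclass
from enum import Enum


class Exemption(Enum):
    NONE = "request_sca"              # full SCA via 3DS2 (frictionless or challenge)
    OUT_OF_SCOPE = "out_of_scope"     # MOTO, one-leg-out
    MIT = "merchant_initiated"        # off-session charge under an SCA'd mandate
    TRUSTED_BENEFICIARY = "trusted_beneficiary"
    LOW_VALUE = "low_value"
    TRA = "transaction_risk_analysis"


# TRA tiers from the RTS: the PSP fraud rate must be strictly below `rate` to
# exempt amounts up to `ceiling` EUR.  Ordered from strictest to loosest.
TRA_TIERS = [(0.0001, 500.0), (0.0006, 250.0), (0.0013, 100.0)]
LOW_VALUE_LIMIT_EUR = 30.0
LOW_VALUE_MAX_COUNT = 5
LOW_VALUE_MAX_CUMULATIVE_EUR = 100.0
# Constructed subset of EEA/UK country codes; enough for the example.
SCA_JURISDICTIONS = {"DE", "FR", "IT", "ES", "NL", "IE", "GB"}


@dataclass
class Transaction:
    amount_eur: float
    psp_country: str                  # where the merchant's PSP is regulated
    issuer_country: str               # where the cardholder's bank is
    moto: bool = False
    merchant_initiated: bool = False
    mandate_on_file: bool = False     # SCA was performed when the card was saved
    merchant_whitelisted: bool = False
    # Issuer-side counters since the cardholder's last SCA (assumed known here;
    # in practice the merchant cannot see them, which is why the issuer may refuse).
    exempt_count_since_sca: int = 0
    exempt_value_since_sca_eur: float = 0.0


@dataclass
class Decision:
    exemption: Exemption
    liability: str                    # "issuer", "merchant" or "n/a"
    reason: str


def in_sca_scope(tx: Transaction) -> bool:
    """Both legs must be in the EEA/UK; otherwise the payment is one-leg-out."""
    return tx.psp_country in SCA_JURISDICTIONS and tx.issuer_country in SCA_JURISDICTIONS


def tra_ceiling_eur(psp_fraud_rate: float) -> float:
    """Highest amount the PSP may exempt under TRA at its current fraud rate."""
    for rate, ceiling in TRA_TIERS:
        if psp_fraud_rate < rate:
            return ceiling
    return 0.0                        # at or above 0.13%: no TRA exemption


def low_value_eligible(tx: Transaction) -> bool:
    """Below EUR 30 and neither the 5-count nor the EUR 100 cumulative cap is hit."""
    if tx.amount_eur >= LOW_VALUE_LIMIT_EUR:
        return False
    if tx.exempt_count_since_sca >= LOW_VALUE_MAX_COUNT:
        return False
    return tx.exempt_value_since_sca_eur + tx.amount_eur <= LOW_VALUE_MAX_CUMULATIVE_EUR


def decide(tx: Transaction, psp_fraud_rate: float, liability_appetite_eur: float) -> Decision:
    """Pick the exemption to request.  `liability_appetite_eur` is the largest
    amount the merchant is willing to carry fraud liability on; above it, SCA is
    requested even when an exemption would be available.  The issuer may still
    refuse any exemption and soft-decline, so callers must handle a retry with SCA."""
    if tx.moto or not in_sca_scope(tx):
        return Decision(Exemption.OUT_OF_SCOPE, "n/a", "MOTO or one-leg-out: outside SCA")
    if tx.merchant_initiated:
        if not tx.mandate_on_file:
            return Decision(Exemption.NONE, "issuer",
                            "no SCA'd mandate: run a customer-initiated SCA first")
        return Decision(Exemption.MIT, "n/a", "off-session charge under an SCA'd mandate")

    candidate = None
    if tx.merchant_whitelisted:
        candidate = (Exemption.TRUSTED_BENEFICIARY, "cardholder whitelisted this merchant")
    elif low_value_eligible(tx):
        candidate = (Exemption.LOW_VALUE, "below EUR 30 and within issuer counters")
    elif tx.amount_eur <= tra_ceiling_eur(psp_fraud_rate):
        candidate = (Exemption.TRA, f"within TRA ceiling EUR {tra_ceiling_eur(psp_fraud_rate):.0f}")

    if candidate and tx.amount_eur <= liability_appetite_eur:
        return Decision(candidate[0], "merchant", candidate[1])
    why = "no exemption available" if candidate is None else "above liability appetite"
    return Decision(Exemption.NONE, "issuer", f"{why}: request SCA, liability shifts on success")


if __name__ == "__main__":
    basket = Transaction(amount_eur=300.0, psp_country="IE", issuer_country="FR")
    print(decide(basket, psp_fraud_rate=0.00005, liability_appetite_eur=200.0))
```

The ordering is deliberate: out-of-scope and MIT checks come first because they are not exemptions and carry no liability shift, then the cheapest exemption for the cardholder (whitelisting, then low-value, then TRA), and finally the merchant's own liability ceiling overrides any exemption so that a €300 basket at a 0.005% fraud rate still goes to SCA when the merchant only wants to self-insure up to €200. Whatever this function returns, the PSP integration must still handle the issuer rejecting the exemption and retrying with a full 3DS2 request.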
Benchmarks (as-of various dates)
Frictionless vs Challenge Rates
H1 2024: 3DS request rates increased 15% across EEA markets; simultaneously, frictionless authentication flows increased 40%, as issuers approve more exemption requests when richer data is submitted over 3DS2 rails. (Stripe, stripe.com/blog/3ds-trends-in-regulated-markets, published 2025-08-26) (as-of H1 2024)
Japan April 2025: Following mandatory 3DS introduction, the number of transactions routed through 3DS quadrupled; 60% went through the frictionless path and businesses saw an average 93% conversion rate; dispute rates fell more than 30% vs the same period the prior year. Stripe cites this as evidence that high 3DS routing does not inherently hurt conversion when implementation quality is high. (Stripe, stripe.com/blog/3ds-trends-in-regulated-markets, 2025-08-26) (as-of April–August 2025)
Authentication Success Rates by Country
UK: Authentication success rates are 5–10% higher than comparable SCA markets; UK issuers accept SCA exemption requests at rates 10 percentage points higher than EEA issuers; over 75% of UK challenges are authenticated via a bank app, mostly using biometrics. (Stripe, 2025-08-26) (as-of 2025)
France: French issuers challenged transactions with 2FA at approximately 100% higher rates than the rest of the EEA and 200% higher than UK issuers (following Banque de France requirements). However, France maintained competitive conversion rates because French cardholders are early adopters of secure authentication methods (PIN-based chip cards), normalising the challenge flow. (Stripe, 2025-08-26) (as-of 2025)
Consumer Abandonment Signal
- 46% of UK consumers find current 2FA frustrating enough to be "somewhat or very likely" to give up a transaction. (Survey via mycustomer.com; no primary source confirmed) (as-of unknown)
- 36% of French consumers and approximately 50% of Italian consumers report abandoning a purchase when faced with a 3DS step-up. (Signifyd European consumer survey; no primary source year confirmed) (as-of unknown)
[!unverified] The abandonment percentages above (46% UK, 36% France, 50% Italy) are from secondary-source citations in an industry overview. No primary survey was directly verified. File as directional only.
Stripe Optimisation Impact
- Stripe reports that merchants using their AI-powered 3DS optimisations see on average a +1.20% conversion uplift while reducing fraud on all transactions by 7.67%. (Stripe, stripe.com/blog/3ds-trends-in-regulated-markets, 2025-08-26) (as-of 2025)
[!unverified] These are vendor-self-reported figures from Stripe — no independent audit cited.
Contradictions
Challenge flows kill conversion (pre-2024 consensus) vs. challenge rates don't predict conversion outcomes (Stripe 2025)
Pre-2024 industry narrative, typified by Ravelin's 2019–2020 data showing 22% of payments sent to 3DS were "lost" and average authentication taking 37 seconds, established the view that SCA challenge flows significantly damage conversion. (Ravelin, ravelin.com/insights/ultimate-guide-psd2-strong-customer-authentication — Q1 2019 data)
Stripe's August 2025 analysis of EEA and regulated markets found that France — which has among the highest challenge rates in Europe (100% above EEA average) — maintains competitive conversion rates. Japan's April 2025 3DS mandate quadrupled authentication volume but produced a 93% conversion rate and 60% frictionless path. Stripe attributes the discrepancy to implementation quality and consumer familiarity, not to whether challenges occur. (Stripe, stripe.com/blog/3ds-trends-in-regulated-markets, 2025-08-26)
These are not necessarily contradictory if consumer familiarity and biometric authentication have matured — but the operational implication differs: earlier advice to minimise challenge rates at all costs may be less important than maximising authentication success when challenges do occur.
UK vs EU Divergence
Post-Brexit, the UK implemented SCA under its own FCA-regulated framework. Key current differences and trajectory (Morrison Foerster, mofo.com, 2026-04-30):
- UK: Taking a more principles-based approach to open banking; already introduced mandatory APP fraud reimbursement requirements for Faster Payments and CHAPS (going further than EU PSD3 proposals in some respects); the FSMA-based model will not automatically apply PSD3/PSR changes.
- EU: Moving toward PSD3/PSR (see below), with harmonised regulation applied via directly applicable Regulation (PSR) — eliminating the fragmented national PSD2 transposition.
- Dual compliance: Firms operating cross-border must now manage two diverging frameworks on product design, fraud controls, API standards, and licensing. (Morrison Foerster, 2026-04-30)
PSD3 and PSR — Upcoming Changes
The EU reached provisional political agreement on PSD3 and the new Payment Services Regulation (PSR) in November 2025. Formal adoption is expected in 2026; implementation is anticipated by late 2027. (Morrison Foerster, mofo.com/resources/insights/260430-psd3-and-the-payment-services-regulation-key-developments, 2026-04-30) (as-of April 2026)
Key structural changes relevant to SCA:
- Dual legislative structure: PSD3 (directive) governs licensing; PSR (directly applicable regulation, no national transposition required) governs conduct rules including SCA — eliminating the compliance fragmentation that undermined PSD2. (Morrison Foerster, 2026-04-30)
- SCA can now be satisfied by two inherence factors (e.g., two different biometric types), where independence can be demonstrated — relaxing the current requirement for factors from two of three separate categories. (OneSpan/Norton Rose Fulbright briefings, 2025)
- SCA scope expands to expressly include tokenised payment instrument creation, changes to spending limits, and amendments to contact details. (OneSpan/Norton Rose Fulbright, 2025)
- Risk- and behaviour-based transaction monitoring will be mandated for all PSPs. (Morrison Foerster, 2026-04-30)
- IBAN/name verification required on all credit transfers to prevent APP fraud. (Morrison Foerster, 2026-04-30)
- EBA Level 2 measures (Regulatory Technical Standards) will follow formal adoption and define detailed SCA technical requirements under the new regime. (Adyen, adyen.com/knowledge-hub/psd3, 2025-10-02)
Fashion Ecommerce Implications
No primary source in this harvest specifically addressed fashion ecommerce SCA. The following implications follow from cross-referencing SCA rules with the Fashion ecommerce UX patterns and Checkout Abandonment harvests:
- Guest checkout exposure: High guest checkout rates (43% of shoppers prefer guest checkout per prior harvests) mean fewer stored credentials and less transaction history, reducing TRA exemption eligibility for repeat-customer patterns.
- High-AOV impact: Fashion average order values in Europe vary widely; anything above €500 cannot use TRA exemptions. Luxury or multi-item baskets will face mandatory challenges where fraud risk is elevated.
- Return rate and fraud entanglement: Ecommerce Fraud harvest found that SCA has hardened the checkout stage but displaced fraud to pre-purchase (account creation) and post-purchase (friendly fraud/refund abuse) stages — a relevant pattern for fashion where return rates are already elevated.
- Wero integration: Wero (EPI) uses bank-native biometric authentication over SEPA Instant rails — SCA-compliant by design, potentially lower friction than 3DS challenge flows for consumers using Wero's P2PRO payment.
Key terms
| Term | Meaning |
|---|---|
| SCA | Strong Customer Authentication — PSD2 two-factor requirement |
| 3DS2 / 3D Secure 2 | Technical protocol for SCA on card payments |
| ACS | Access Control Server — issuing bank's 3DS decision engine |
| TRA | Transaction Risk Analysis — PSP-level risk scoring for SCA exemption |
| MIT | Merchant-Initiated Transaction — off-session charge, out of SCA scope if mandate obtained |
| CIT | Customer-Initiated Transaction — requires SCA at mandate setup |
| PSD2 | Payment Services Directive 2 — EU directive introducing SCA |
| PSD3/PSR | Next-generation EU payments regulation (agreed Nov 2025, ~late 2027 enforcement) |
| Delegated auth | 3DS 2.2 feature allowing merchant-hosted biometric to satisfy SCA |
| Frictionless flow | 3DS path requiring no cardholder action |
| Challenge flow | 3DS path requiring explicit cardholder authentication |
| FIDO | Fast Identity Online — open biometric authentication standard enabling delegated auth |