Strong Customer Authentication (SCA / PSD2)

Created 2026-06-18

Strong Customer Authentication (SCA) is a European regulatory requirement under PSD2 (Payment Services Directive 2) that mandates multi-factor authentication for customer-initiated electronic payments. For ecommerce merchants selling into Europe, it is one of the most consequential payment rules: executed well, it shifts fraud liability to the issuer; executed poorly, it adds checkout friction and abandonment. The primary technical mechanism for implementing SCA on card payments is 3D Secure 2 (3DS2).


How SCA Works

SCA requires at least two of three authentication elements (Stripe, stripe.com/guides/strong-customer-authentication):

| Factor | Examples |
|---|---|
| Knowledge | PIN, password, security question |
| Possession | OTP to registered device, banking app push notification |
| Inherence | Fingerprint, face recognition, voice biometric |

SCA applies to customer-initiated online payments where both the merchant's PSP and the cardholder's bank are located in the EEA (or UK, for UK-regulated payments). Cross-border "one-leg-out" transactions where only one party is in scope are excluded. (Stripe, stripe.com/guides/strong-customer-authentication)

3DS2 Mechanics

3D Secure 2 (3DS2) is the dominant card-payment implementation of SCA. It replaced 3DS1, support for which was discontinued October 15, 2022. 3DS2 sends over 100 data elements to the card network and issuing bank's Access Control Server (ACS), compared to fewer than 10 under 3DS1, enabling far more precise risk decisions. (ProcessOut, processout.com/blog/sca-finding-the-balance-between-risk-and-friction, data as-of March 2024)

There are two possible paths through 3DS2:

  • Frictionless flow: device fingerprint and transaction data are assessed silently in the background; no cardholder input is required; the transaction completes transparently.
  • Challenge flow: the issuer determines the transaction risk is too high for frictionless approval and prompts the cardholder for explicit authentication (OTP, biometric, app confirmation).

The issuing bank, not the merchant, decides which path applies. The merchant and PSP can influence this decision by sending richer data and requesting exemptions, but cannot control the final outcome. (ProcessOut, processout.com, March 2024)

3DS 2.2 (dominant spec as-of March 2024) introduced two advanced capabilities:

  • Delegated authentication: a merchant with FIDO-compliant biometric capability (e.g., fingerprint in their own app) can pass authentication data directly to the issuer, potentially removing the 3DS redirect entirely. Adoption among issuers is noted as limited as-of March 2024. (ProcessOut, processout.com)
  • Decoupled authentication: the challenge can occur up to 7 days after the payment request in a separate channel — useful for high-value B2B transactions. (ProcessOut, processout.com)

Liability Shift

SCA's liability shift is one of its most strategically important features (Stripe, stripe.com/guides/strong-customer-authentication):

| Scenario | Fraud chargeback liability |
|---|---|
| 3DS challenge completed successfully | Shifts to issuer |
| Frictionless flow granted (no exemption requested) | Typically shifts to issuer |
| SCA exemption applied by merchant/PSP | Stays with merchant/acquirer |
| Transaction is out of SCA scope | Outside the framework entirely |

This means exemption strategies trade friction reduction against accepting fraud liability — a calibration merchants must manage actively.


SCA Exemptions

Visa Europe estimated that as many as 40–50% of ecommerce transactions by volume could be exempt from SCA (Checkout.com, checkout.com/blog/building-an-sca-exemption-strategy, 2022-03-18).

The four main exemptions available to ecommerce merchants (Stripe, stripe.com/guides/strong-customer-authentication):

Transaction Risk Analysis (TRA)

Real-time risk scoring by the PSP (not the merchant). TRA exemptions are tiered to the PSP's fraud rate:

| PSP fraud rate | Max transaction value for TRA exemption |
|---|---|
| Below 0.13% | Up to €100 |
| Below 0.06% | Up to €250 |
| Below 0.01% | Up to €500 |
| Any rate | No TRA exemption above €500 |

Because TRA is an exemption applied by the PSP, fraud liability stays with the merchant/acquirer rather than shifting to the issuer.

Low-Value Transactions

Transactions below €30 / £25 are eligible for a low-value exemption. Hard limits apply:

  • The exemption resets after 5 consecutive uses since the last SCA, or
  • After the cumulative value of exempted payments exceeds €100 / £85

The cardholder's bank chooses which limit to track, making low-value exemptions unpredictable for merchants. (Stripe, stripe.com/guides/strong-customer-authentication)

Trusted Beneficiaries (Merchant Whitelisting)

A cardholder can add a merchant to a trusted list maintained by their issuing bank. Future purchases at that merchant are then SCA-exempt. Stripe notes bank adoption of whitelisting has been slow. (Stripe, stripe.com/guides/strong-customer-authentication)

Recurring Transactions / Merchant-Initiated Transactions (MITs)

  • Subscriptions for a fixed amount to the same merchant require SCA only on the first payment. Subsequent charges are exempt as merchant-initiated transactions (MITs).
  • MITs made off-session with stored credentials are entirely out of SCA scope — provided SCA was performed and a valid mandate was obtained at card-saving time.
  • ProcessOut recommends passing challenge_indicator = "challenge-requested-mandate" for the initial CIT (Customer Initiated Transaction) in an MIT chain. (ProcessOut, processout.com, March 2024)

Out-of-Scope Transactions

Not subject to SCA at all:

  • MOTO (mail order/telephone order) — must be correctly flagged as MOTO
  • One-leg-out transactions (only one party in EEA/UK)
  • Anonymous prepaid card transactions below €150
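The scope rules, TRA tiers, low-value limits and liability-shift table above, combined into a single routing decision. This is an added illustration, not code from Stripe, ProcessOut or any PSP; the function names, the `LowValueTracker` model of the issuer's counters, and the assumption that a required 3DS step completes are all mine.

```python
from dataclasses import dataclass

# TRA tiers from the page: (PSP fraud-rate ceiling, highest exemptible amount in EUR).
TRA_TIERS = ((0.0001, 500), (0.0006, 250), (0.0013, 100))
LOW_VALUE_EUR, LOW_VALUE_MAX_USES, LOW_VALUE_MAX_CUM_EUR = 30, 5, 100


def tra_max_amount(psp_fraud_rate: float) -> int:
    """Highest value the PSP may exempt under TRA; 0 once its fraud rate is 0.13% or more."""
    for rate_ceiling, max_amount in TRA_TIERS:
        if psp_fraud_rate < rate_ceiling:
            return max_amount
    return 0


@dataclass
class LowValueTracker:
    """Issuer-side low-value state (model assumption); the issuer enforces ONE limit, 'count' or 'value'."""
    tracks: str = "count"
    consecutive: int = 0
    cumulative_eur: float = 0.0

    def eligible(self, amount: float) -> bool:
        if amount >= LOW_VALUE_EUR:
            return False
        if self.tracks == "count":
            return self.consecutive < LOW_VALUE_MAX_USES
        return self.cumulative_eur + amount <= LOW_VALUE_MAX_CUM_EUR

    def record_exempt(self, amount: float) -> None:
        self.consecutive += 1
        self.cumulative_eur += amount

    def reset_after_sca(self) -> None:
        self.consecutive, self.cumulative_eur = 0, 0.0  # a completed SCA resets both limits


def assess(amount_eur: float, psp_fraud_rate: float, lv: LowValueTracker, *,
           moto: bool = False, one_leg_out: bool = False, mit_with_mandate: bool = False) -> tuple[str, str]:
    """Return (routing decision, fraud-chargeback liability) following the page's scope,
    exemption and liability-shift tables; exemptions are tried lowest-friction first."""
    if moto or one_leg_out or mit_with_mandate:  # out of scope entirely
        return "out_of_scope", "outside SCA framework"
    if amount_eur <= tra_max_amount(psp_fraud_rate):  # PSP-applied exemption
        return "exempt:tra", "merchant/acquirer"
    if lv.eligible(amount_eur):  # issuer-tracked exemption, liability still with merchant
        lv.record_exempt(amount_eur)
        return "exempt:low_value", "merchant/acquirer"
    lv.reset_after_sca()  # model assumption: the 3DS step (frictionless or challenge) completes
    return "sca_required", "issuer"
```

Because the merchant cannot see whether the issuer tracks the count or the value limit, the same sequence of sub-€30 purchases can stop being exempt at different points, which is the unpredictability the page describes.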

Benchmarks (as-of various dates)

Frictionless vs Challenge Rates

  • H1 2024: 3DS request rates increased 15% across EEA markets; simultaneously, frictionless authentication flows increased 40%, as issuers approve more exemption requests when richer data is submitted over 3DS2 rails. (Stripe, stripe.com/blog/3ds-trends-in-regulated-markets, published 2025-08-26) (as-of H1 2024)

  • Japan April 2025: Following mandatory 3DS introduction, the number of transactions routed through 3DS quadrupled; 60% went through the frictionless path and businesses saw an average 93% conversion rate; dispute rates fell more than 30% vs the same period the prior year. Stripe cites this as evidence that high 3DS routing does not inherently hurt conversion when implementation quality is high. (Stripe, stripe.com/blog/3ds-trends-in-regulated-markets, 2025-08-26) (as-of April–August 2025)

Authentication Success Rates by Country

  • UK: Authentication success rates are 5–10% higher than comparable SCA markets; UK issuers accept SCA exemption requests at rates 10 percentage points higher than EEA issuers; over 75% of UK challenges are authenticated via a bank app, mostly using biometrics. (Stripe, 2025-08-26) (as-of 2025)

  • France: French issuers challenged transactions with 2FA at approximately 100% higher rates than the rest of the EEA and 200% higher than UK issuers (following Banque de France requirements). However, France maintained competitive conversion rates because French cardholders are early adopters of secure authentication methods (PIN-based chip cards), normalising the challenge flow. (Stripe, 2025-08-26) (as-of 2025)

Consumer Abandonment Signal

  • 46% of UK consumers find current 2FA frustrating enough to be "somewhat or very likely" to give up a transaction. (Survey via mycustomer.com; no primary source confirmed) (as-of unknown)
  • 36% of French consumers and approximately 50% of Italian consumers report abandoning a purchase when faced with a 3DS step-up. (Signifyd European consumer survey; no primary source year confirmed) (as-of unknown)

[!unverified] The abandonment percentages above (46% UK, 36% France, 50% Italy) are from secondary-source citations in an industry overview. No primary survey was directly verified. File as directional only.

Stripe Optimisation Impact

  • Stripe reports that merchants using their AI-powered 3DS optimisations see on average a +1.20% conversion uplift while reducing fraud on all transactions by 7.67%. (Stripe, stripe.com/blog/3ds-trends-in-regulated-markets, 2025-08-26) (as-of 2025)

[!unverified] These are vendor-self-reported figures from Stripe — no independent audit cited.


Contradictions

Challenge flows kill conversion (pre-2024 consensus) vs. challenge rates don't predict conversion outcomes (Stripe 2025)

Pre-2024 industry narrative, typified by Ravelin's 2019–2020 data showing 22% of payments sent to 3DS were "lost" and average authentication taking 37 seconds, established the view that SCA challenge flows significantly damage conversion. (Ravelin, ravelin.com/insights/ultimate-guide-psd2-strong-customer-authentication — Q1 2019 data)

Stripe's August 2025 analysis of EEA and regulated markets found that France — which has among the highest challenge rates in Europe (100% above EEA average) — maintains competitive conversion rates. Japan's April 2025 3DS mandate quadrupled authentication volume but produced a 93% conversion rate and 60% frictionless path. Stripe attributes the discrepancy to implementation quality and consumer familiarity, not to whether challenges occur. (Stripe, stripe.com/blog/3ds-trends-in-regulated-markets, 2025-08-26)

These are not necessarily contradictory if consumer familiarity and biometric authentication have matured — but the operational implication differs: earlier advice to minimise challenge rates at all costs may be less important than maximising authentication success when challenges do occur.


UK vs EU Divergence

Post-Brexit, the UK implemented SCA under its own FCA-regulated framework. Key current differences and trajectory (Morrison Foerster, mofo.com, 2026-04-30):

  • UK: Taking a more principles-based approach to open banking; already introduced mandatory APP fraud reimbursement requirements for Faster Payments and CHAPS (going further than EU PSD3 proposals in some respects); the FSMA-based model will not automatically apply PSD3/PSR changes.
  • EU: Moving toward PSD3/PSR (see below), with harmonised regulation applied via directly applicable Regulation (PSR) — eliminating the fragmented national PSD2 transposition.
  • Dual compliance: Firms operating cross-border must now manage two diverging frameworks on product design, fraud controls, API standards, and licensing. (Morrison Foerster, 2026-04-30)

PSD3 and PSR — Upcoming Changes

The EU reached provisional political agreement on PSD3 and the new Payment Services Regulation (PSR) in November 2025. Formal adoption is expected in 2026; implementation is anticipated by late 2027. (Morrison Foerster, mofo.com/resources/insights/260430-psd3-and-the-payment-services-regulation-key-developments, 2026-04-30) (as-of April 2026)

Key structural changes relevant to SCA:

  • Dual legislative structure: PSD3 (directive) governs licensing; PSR (directly applicable regulation, no national transposition required) governs conduct rules including SCA — eliminating the compliance fragmentation that undermined PSD2. (Morrison Foerster, 2026-04-30)
  • SCA can now be satisfied by two inherence factors (e.g., two different biometric types), where independence can be demonstrated — relaxing the current requirement for factors from two of three separate categories. (OneSpan/Norton Rose Fulbright briefings, 2025)
  • SCA scope expands to expressly include tokenised payment instrument creation, changes to spending limits, and amendments to contact details. (OneSpan/Norton Rose Fulbright, 2025)
  • Risk- and behaviour-based transaction monitoring will be mandated for all PSPs. (Morrison Foerster, 2026-04-30)
  • IBAN/name verification required on all credit transfers to prevent APP fraud. (Morrison Foerster, 2026-04-30)
  • EBA Level 2 measures (Regulatory Technical Standards) will follow formal adoption and define detailed SCA technical requirements under the new regime. (Adyen, adyen.com/knowledge-hub/psd3, 2025-10-02)

Fashion Ecommerce Implications

No primary source in this harvest specifically addressed fashion ecommerce SCA. The following implications follow from cross-referencing SCA rules with the Fashion ecommerce UX patterns and Checkout Abandonment harvests:

  • Guest checkout exposure: High guest checkout rates (43% of shoppers prefer guest checkout per prior harvests) mean fewer stored credentials and less transaction history, reducing TRA exemption eligibility for repeat-customer patterns.
  • High-AOV impact: Fashion average order values in Europe vary widely; anything above €500 cannot use TRA exemptions. Luxury or multi-item baskets will face mandatory challenges where fraud risk is elevated.
  • Return rate and fraud entanglement: The Ecommerce Fraud harvest found that SCA has hardened the checkout stage but displaced fraud to pre-purchase (account creation) and post-purchase (friendly fraud/refund abuse) stages — a relevant pattern for fashion, where return rates are already elevated.
  • Wero integration: Wero (EPI) uses bank-native biometric authentication over SEPA Instant rails — SCA-compliant by design, potentially lower friction than 3DS challenge flows for consumers using Wero's P2PRO payment.

Key terms

| Term | Meaning |
|---|---|
| SCA | Strong Customer Authentication — PSD2 two-factor requirement |
| 3DS2 / 3D Secure 2 | Technical protocol for SCA on card payments |
| ACS | Access Control Server — issuing bank's 3DS decision engine |
| TRA | Transaction Risk Analysis — PSP-level risk scoring for SCA exemption |
| MIT | Merchant-Initiated Transaction — off-session charge, out of SCA scope if mandate obtained |
| CIT | Customer-Initiated Transaction — requires SCA at mandate setup |
| PSD2 | Payment Services Directive 2 — EU directive introducing SCA |
| PSD3/PSR | Next-generation EU payments regulation (agreed Nov 2025, ~late 2027 enforcement) |
| Delegated auth | 3DS 2.2 feature allowing merchant-hosted biometric to satisfy SCA |
| Frictionless flow | 3DS path requiring no cardholder action |
| Challenge flow | 3DS path requiring explicit cardholder authentication |
| FIDO | Fast Identity Online — open biometric authentication standard enabling delegated auth |
Research agent · 2026-06-18