SCA - Good to know


Published: 28.11.2023
Updated: 27.03.2024

Strong Customer Authentication (SCA)

Depending on how merchants handle their payments today, the SCA rules may noticeably change the way they process payments. Consumers will also see changes in the payment flow. To be prepared, merchants need to know the following:

3D Secure authentication (or equivalent) will be required for online payments. Nets' eCommerce platforms are SCA compliant*. Card issuers are responsible for SCA and may, going forward, reject transactions that have not been authenticated.

Transactions that are either merchant initiated or recurring must be properly flagged in the authorization message, which may require updates to the PSP / Gateway APIs. You will be informed if this is necessary.

SCA doesn't have to be difficult! Card issuers are getting better at streamlining consumer authentication, and the move to a newer 3D Secure version will improve this further. The exact implementation steps and options available to you as a merchant depend on which PSP platform you use. It is important that you refer to the guidance material for your PSP platform to ensure that 3D Secure is configured correctly.

Note: If you already use 3D Secure today, you are compliant and you don't have to do anything more!

We know there's a lot of confusing information around PSD2 and SCA, so we've made it easy for you by gathering the most essential information in one place, in a simple way. You can read about it below. We at Nets take care of the difficult and confusing parts of payments for you, so that you can focus on what you do best!

Below you can read more about PSD2, SCA and the points you need to know about 3D Secure and how to prepare.

* See the information for your specific platform, as different platforms and card networks may have different requirements and deadlines for approved compliance.

What is Strong Customer Authentication (SCA) and what types of transactions does it apply to?

Fraud in online payments is becoming increasingly sophisticated, and its volume has risen in recent years. To address this, new rules for strong customer authentication (SCA) were introduced in the EU's Payment Services Directive II (PSD2).

In essence, PSD2 declares that all electronic transactions (i.e. card and bank transfers) initiated by a payer (i.e. consumer) require SCA. Strong customer authentication according to PSD2 refers to requiring the consumer to provide two-factor authentication (2FA) to identify themselves in the transaction process.

The two factors must be independent of each other and should be within the following categories:

  • Knowledge: something only the consumer knows = a password, a PIN code

  • Possession: something only the consumer has = a secure token, a mobile device

  • Inherence: something only the consumer is = a fingerprint, facial recognition

When you shop online with your card today, you enter the card number and are asked to authenticate yourself through 3D Secure with an SMS password or similar.

The consumer's bank (the card issuer) is responsible for providing the means for SCA and for ensuring that the SCA is carried out. However, the effective implementation of SCA for card payments also requires the involvement of payment service providers (PSPs) and the merchant's bank (the acquirer).

Not all transactions require SCA!

The PSD2 rules state that transactions initiated by the payer require SCA, therefore there are certain types of transactions that do not require 2FA (two-factor authentication):

  • "Payee-initiated" (also known as merchant-initiated) transactions are not considered to be triggered by the payer and are therefore out of scope for SCA. This is a complicated topic, so we have a separate section on it below.

  • MOTO (mail order / telephone order) transactions are not considered to be electronic and are therefore out of scope for SCA.

  • "Cross-border" transactions where either the card issuer or the acquirer is based outside Europe are exempt from SCA.

What do online stores need to do?

3D Secure must be activated for online payments. The requirement for strong customer authentication (SCA) under PSD2 means that authenticating the payer is no longer optional. For the transactions in scope, SCA must be performed, i.e. the cardholder must be authenticated to the card issuer. In practice this means that card transactions must be authenticated via 3D Secure (or equivalent).

What is 3D Secure?

3D Secure is designed to protect cardholders when they shop online by adding a security check to the payment transaction. 3D Secure is provided by the card schemes (Visa has, for example, "Verified by Visa" and Mastercard has "SecureCode") and is recognizable to consumers, as these brands appear on the 3D Secure page shown after they have pressed "pay".

SCA via 3D Secure normally requires the consumer to perform an action to confirm that they are actually the right person making the purchase. This is usually done through an app from the issuer or via a one-time password sent by text message, which the consumer enters to complete the transaction. The exact method is chosen by the card issuer.

When 3D Secure is used, it is important to emphasize that the webshop owner is protected against chargebacks in the event of card misuse, i.e. the liability lies with the issuer and not with the webshop owner*. (*) This liability protection may vary for other local and international card brands.

3D Secure will no longer be optional...

Today, businesses often decide for themselves whether they want to use 3D Secure. Some webshops consider SCA cumbersome and something that can negatively affect their conversion rate. However, under the SCA regulation, 3D Secure is required for online card transactions, with the exception of a few scenarios, which we outline below.

It is the issuers (usually banks) who control SCA, and they will not approve payments that have not been authenticated through 3D Secure. Without 3D Secure you do not comply with the PSD2 directive, and at the same time the risk of rejected transactions increases significantly, because card issuers must also comply with the PSD2 SCA requirements.

Issuers may already start enforcing the SCA requirements from November 2020. This means that if you are a Nets PSP customer, you must have activated 3D Secure before November 2020 to be sure that your customers' online payments go through. If you do not have 3D Secure, you risk the customer's card being rejected in your webshop.

Frequently asked questions

Are transactions where consumer’s card details are stored in scope for SCA?

"Card on file" is where a consumer's card details are stored by the merchant for convenience the next time they shop. A consumer is usually prompted at checkout to store their 16-digit card number, expiry date and three-digit CVC/CVV code, so that they can skip this step next time they come back.

The fact that these details are stored makes no difference to the classification of the transaction: if it is a consumer-initiated one-off transaction (i.e. the consumer must first add items to the basket and then check out), it remains a single one-off transaction for the purposes of SCA. So, where "card on file" is used today for single consumer-initiated purchases, these would need to go through 3D Secure (or equivalent).

What is a Merchant Initiated Transaction (MIT)?

MITs have these key characteristics:

  • They are based on a mandate/agreement between merchant and consumer for the delivery of goods/services over time

  • Each payment is based on the mandate and is part of a sequence/chain of payments requested by the merchant

  • Transactions initiated by the merchant do not need to be preceded by a "specific action of the payer"

  • The mandate must be signed using SCA; thereafter no further SCA is required

Examples of MITs: Music or streaming subscriptions, mobile phone bills

Do I have to re-authenticate all my existing agreements?

In short, no: there is a rule in place under which existing agreements for recurring payments and MITs do not need a new SCA. However, the acquirer must be able to reference the previous transactions in the chain (through transaction IDs) to validate the recurring/MIT status.

SCA Exemptions

Although PSD2 sets out rules on when SCA is required, there are also cases where exemptions from the SCA requirement can be applied. It should be noted once again that the consumer's bank (the card issuer) has the final responsibility for SCA and therefore also for the exemptions. The exemptions are not binding on the banks, and each bank decides for itself whether to offer them to its customers. Examples of exemptions from SCA described under PSD2:

  • Amount below 30 EUR: When a consumer makes an online transaction of up to 30 EUR, the transaction can be carried out without SCA. SCA must be reapplied either when the total spend since the last SCA reaches 100 EUR or on every 5th transaction.

  • Transaction Risk Analysis (TRA): If the issuer or acquirer performs TRA and assesses that the transaction has a low risk of fraud, they can exempt the transaction from SCA.

  • Payer's (consumer's) trusted beneficiaries: If a consumer has identified a webshop they trust, and the identification of the webshop takes place through the bank with SCA, subsequent transactions with this webshop will not require SCA.

This is a new practice under PSD2 and it is expected to take time before these SCA exemptions are widely implemented. However, issuers can continue to perform risk-based authentication (i.e. TRA) on 3D Secure, which also enables passive authentication of the consumer.
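As an added illustration (not Nets' code and not the logic any issuer actually runs), the Python sketch below combines the transaction types that are out of scope (MIT, MOTO, cross-border), the mandate rule for MITs and the exemptions listed above into one issuer-side decision. It assumes that "every 5th transaction" means the fifth consecutive low-value transaction is challenged, and that the TRA verdict and trusted-beneficiary flag are supplied by the issuer.

```python
from dataclasses import dataclass
from enum import Enum

class Kind(Enum):
    CONSUMER_INITIATED = "CIT"   # one-off purchase started by the payer
    MERCHANT_INITIATED = "MIT"   # payment under a mandate already signed with SCA
    MOTO = "MOTO"                # mail order / telephone order, not electronic

@dataclass
class IssuerCounters:
    """Issuer-side state since the cardholder last completed SCA (assumed model)."""
    low_value_total_eur: float = 0.0  # spend covered by the low-value exemption
    low_value_count: int = 0          # consecutive low-value transactions

LOW_VALUE_LIMIT_EUR = 30.0     # per-transaction ceiling for the exemption
CUMULATIVE_LIMIT_EUR = 100.0   # SCA reapplied once this total would be exceeded
RESET_EVERY_NTH = 5            # ... or on every 5th transaction (assumed reading)

def sca_required(kind, amount_eur, both_legs_in_europe, counters,
                 tra_low_risk=False, trusted_beneficiary=False):
    """Return (required, reason); updates counters when the low-value rule is used."""
    if kind is Kind.MERCHANT_INITIATED:
        return False, "MIT: not payer-initiated, mandate was authenticated with SCA"
    if kind is Kind.MOTO:
        return False, "MOTO: not an electronic transaction"
    if not both_legs_in_europe:
        return False, "cross-border: issuer or acquirer outside Europe"
    if trusted_beneficiary:
        return False, "exempt: webshop registered as trusted beneficiary"
    if tra_low_risk:
        return False, "exempt: transaction risk analysis rated low risk"
    fits_amount = amount_eur <= LOW_VALUE_LIMIT_EUR
    fits_total = counters.low_value_total_eur + amount_eur <= CUMULATIVE_LIMIT_EUR
    fits_count = counters.low_value_count + 1 < RESET_EVERY_NTH
    if fits_amount and fits_total and fits_count:
        counters.low_value_total_eur += amount_eur
        counters.low_value_count += 1
        return False, "exempt: low-value transaction"
    # SCA is performed now, so the low-value counters start again.
    counters.low_value_total_eur = 0.0
    counters.low_value_count = 0
    return True, "SCA required: 3D Secure (or equivalent) challenge"

def run_sequence(amounts_eur):
    """Constructed sample: consecutive consumer-initiated EU purchases on one card."""
    c = IssuerCounters()
    return [sca_required(Kind.CONSUMER_INITIATED, a, True, c)[0] for a in amounts_eur]
```

Running `run_sequence([20, 20, 20, 20, 20])` shows four exempt purchases followed by a challenge on the fifth, while `run_sequence([30, 30, 30, 30])` is challenged on the fourth because the 100 EUR total would be exceeded.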