What is Strong Customer Authentication (SCA) and how does it improve security?
To keep digital transactions secure, the European Union introduced Strong Customer Authentication (SCA) under the PSD2 directive. It’s a rule that adds extra protection every time someone makes a payment or accesses their account online.
However, while SCA protects against fraud, it can also affect your checkout flow if not implemented correctly. Knowing how it works and how to comply without hurting conversion rates is essential for every online merchant.
In this article, we’ll explain what SCA is, why it matters, when it applies, and how the right payment partner can help you stay secure without adding friction to your customers’ experience.
What is Strong Customer Authentication?
Strong Customer Authentication is a security process that verifies a customer’s identity using two or more independent factors. This makes it much harder for fraudsters to authorise payments, even if they’ve managed to get hold of stolen data like card numbers or passwords.
SCA applies to most online payments made within the European Economic Area (EEA) and the UK. It affects both consumers and businesses that sell online – from e-commerce stores to subscription platforms and marketplaces.
The three authentication factors
To comply with SCA, every authentication must include at least two of the following three elements:
- Something you know – such as a password, PIN, or answer to a security question.
- Something you have – like a mobile phone, smart card, or token.
- Something you are – a biometric identifier, such as your fingerprint or facial recognition.
By combining these factors, SCA builds a strong multi-layered defence. Even if one element is compromised, the payment remains protected.
When is Strong Customer Authentication required?
SCA is needed whenever a customer initiates an electronic payment within the EEA or UK. Common examples include:
- Paying for goods or services online
- Sending a bank transfer through online banking
- Logging in to a payment account
However, there are a few exceptions where SCA doesn’t have to be applied. These include:
- Low-value transactions under €30
- Recurring payments for the same amount and merchant (after the first verified payment)
- Trusted beneficiaries that customers have previously added to a safe list
- Corporate payments made through secure company systems
- Low-risk transactions identified by payment providers with very low fraud rates
- Mail order and telephone orders (MOTO), because payment details shared over the phone or by post are not considered electronic transactions and therefore fall outside SCA’s scope
These exemptions help reduce friction and make the checkout experience smoother when the risk is minimal.
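The following is an added example, not Payop’s code or any regulatory reference implementation. It turns the scope and exemption rules listed above into a single decision function that a merchant or PSP could run over a transaction record before deciding whether to request authentication. The `Transaction` field names, the order in which exemptions are tried and the fraud-rate ceiling used for the low-risk exemption are assumptions made for the example; only the €30 low-value limit and the MOTO out-of-scope rule come from the article.

```python
"""SCA applicability check (added example, not Payop's code).

Applies the PSD2 SCA scope and exemption rules from the article to a
constructed transaction record. Field names, rule ordering and the
low-risk threshold are assumptions chosen for this example; in production
the issuer and acquirer make and record this decision.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Decision(Enum):
    OUT_OF_SCOPE = "out of SCA scope"
    SCA_REQUIRED = "SCA required"
    EXEMPT_LOW_VALUE = "exempt: low value (< EUR 30)"
    EXEMPT_RECURRING = "exempt: recurring, same amount and merchant"
    EXEMPT_TRUSTED = "exempt: trusted beneficiary"
    EXEMPT_CORPORATE = "exempt: secure corporate payment channel"
    EXEMPT_LOW_RISK = "exempt: low-risk transaction"


@dataclass
class Transaction:
    amount_eur: float
    merchant_id: str
    channel: str = "ecommerce"          # "ecommerce", "banking" or "moto"
    region: str = "EEA"                 # "EEA", "UK" or another region
    recurring: bool = False             # part of a subscription series
    first_in_series: bool = True        # first payment of that series
    previous_amount_eur: Optional[float] = None   # amount of the prior payment
    previous_merchant_id: Optional[str] = None    # merchant of the prior payment
    trusted_beneficiary: bool = False   # payee on the customer's safe list
    corporate_secure_channel: bool = False
    provider_fraud_rate: Optional[float] = None   # PSP fraud rate as a fraction


# The EUR 30 limit is stated in the article. The fraud-rate ceiling below is a
# placeholder for the example, not a regulatory figure.
LOW_VALUE_LIMIT_EUR = 30.0
LOW_RISK_FRAUD_RATE_MAX = 0.0006


def sca_decision(tx: Transaction) -> Decision:
    # MOTO payments are not electronic transactions, so SCA never applies.
    if tx.channel == "moto":
        return Decision.OUT_OF_SCOPE
    # The requirement covers payments initiated within the EEA and the UK.
    if tx.region not in ("EEA", "UK"):
        return Decision.OUT_OF_SCOPE

    # Recurring: exempt only after the first, authenticated payment and only
    # when amount and merchant are unchanged. A changed amount restarts SCA.
    if (
        tx.recurring
        and not tx.first_in_series
        and tx.previous_amount_eur == tx.amount_eur
        and tx.previous_merchant_id == tx.merchant_id
    ):
        return Decision.EXEMPT_RECURRING

    if tx.trusted_beneficiary:
        return Decision.EXEMPT_TRUSTED

    if tx.corporate_secure_channel:
        return Decision.EXEMPT_CORPORATE

    # Low-risk (transaction risk analysis): only providers whose fraud rate
    # stays under the ceiling may use it; a missing rate means no exemption.
    if tx.provider_fraud_rate is not None and tx.provider_fraud_rate <= LOW_RISK_FRAUD_RATE_MAX:
        return Decision.EXEMPT_LOW_RISK

    # Low value: the full rule also caps how many consecutive payments and how
    # much cumulative value may be exempted; this example does not track that.
    if tx.amount_eur < LOW_VALUE_LIMIT_EUR:
        return Decision.EXEMPT_LOW_VALUE

    return Decision.SCA_REQUIRED


def requires_authentication(tx: Transaction) -> bool:
    """True when the merchant must trigger an authentication step."""
    return sca_decision(tx) is Decision.SCA_REQUIRED


if __name__ == "__main__":
    # Constructed sample transactions, one per rule.
    samples = [
        Transaction(12.0, "shop-1"),
        Transaction(120.0, "shop-1"),
        Transaction(120.0, "shop-1", channel="moto"),
        Transaction(49.0, "sub-1", recurring=True, first_in_series=True),
        Transaction(49.0, "sub-1", recurring=True, first_in_series=False,
                    previous_amount_eur=49.0, previous_merchant_id="sub-1"),
        Transaction(200.0, "shop-2", provider_fraud_rate=0.0003),
    ]
    for tx in samples:
        print(f"{tx.amount_eur:>7.2f} EUR {tx.channel:<9} -> {sca_decision(tx).value}")
```

Running the module prints one decision per constructed sample; in a real integration the same function would sit in front of the 3DS2 request so that an exemption flag is sent instead of forcing a challenge, while the issuer keeps the final say and may still require authentication.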
How SCA improves payment security
Before SCA, most online payments were verified with only a card number and CVV – details that could easily be stolen or sold online. SCA raised the standard by adding extra verification layers. Here’s how it makes online transactions safer and more reliable for both sides:
1. It reduces fraud
By requiring multiple verification steps, SCA makes it nearly impossible for criminals to complete transactions using stolen data alone. Even if they have a password or card number, they’ll still need a second factor, such as a phone or biometric approval.
2. It builds customer trust
Shoppers are more likely to buy from businesses they trust. With SCA, customers see that your checkout process is safe and compliant, increasing confidence and reducing cart abandonment.
3. It drives innovation in authentication
The SCA introduction has led to smarter, faster, and more secure authentication methods, such as biometric verification and bank app confirmations. These tools make checkout smoother while maintaining security.
4. It strengthens open banking payments
SCA plays a crucial role in open banking, where customers can pay directly from their bank accounts. It ensures these instant, account-to-account payments remain fully secure and compliant with PSD2.
3D Secure 2.0: SCA in action
3D Secure 2.0 (3DS2) is the technical protocol that lets merchants meet SCA requirements for card payments.
Developed by major card networks, 3DS2 authenticates the cardholder during checkout, ensuring that the payment meets SCA standards. Here’s how it works in practice:
- The customer initiates a card payment.
- The issuing bank reviews transaction data, such as device, location, and risk level.
- If the transaction looks low-risk, it’s authenticated without any further interaction from the customer (the frictionless flow).
- If extra verification is needed, the customer confirms the payment via biometrics, a banking app, or a one-time code.
Unlike the first version, 3DS2 integrates smoothly into the checkout process, supports mobile devices, and allows real-time authentication.
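The following is an added example, not Payop’s code or any card network’s reference implementation. It models the flow listed above and the two-of-three factor rule from earlier in the article: an issuer-side risk score decides between the frictionless flow and a challenge, and a challenge only passes when the customer proves factors from two different categories (a password plus a PIN, both "something you know", does not count). The risk signals, their weights, the challenge threshold and the `Factor`/`RiskContext` field names are all assumptions constructed for the example.

```python
"""3DS2-style authentication flow (added example, not Payop's or EMVCo's code).

Models the article's sequence: the issuer scores device, location and amount
data, low-risk payments pass frictionlessly, and everything else receives a
challenge that must present two independent SCA factor categories. Risk
signals, weights and thresholds are assumptions made for this example.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Tuple


class Category(Enum):
    KNOWLEDGE = "something you know"    # password, PIN, security answer
    POSSESSION = "something you have"   # phone, smart card, token
    INHERENCE = "something you are"     # fingerprint, face


@dataclass
class Factor:
    category: Category
    label: str
    verified: bool    # result of checking this factor, set by the verifier


@dataclass
class RiskContext:
    amount_eur: float
    device_known: bool            # device seen before for this cardholder
    country_matches_billing: bool # IP / shipping country matches billing
    returning_merchant: bool      # cardholder has paid this merchant before


class Outcome(Enum):
    FRICTIONLESS = "authenticated without challenge"
    CHALLENGE_PASSED = "challenge passed"
    CHALLENGE_FAILED = "challenge failed"


# Assumed scoring model: each risky signal adds points; at or above the
# threshold the issuer challenges the customer instead of approving silently.
CHALLENGE_THRESHOLD = 40


def issuer_risk_score(ctx: RiskContext) -> Tuple[int, List[str]]:
    score, reasons = 0, []
    if not ctx.device_known:
        score += 40
        reasons.append("unknown device")
    if not ctx.country_matches_billing:
        score += 30
        reasons.append("location mismatch")
    if ctx.amount_eur > 250:
        score += 20
        reasons.append("high amount")
    if not ctx.returning_merchant:
        score += 10
        reasons.append("new merchant")
    return score, reasons


def factors_satisfy_sca(factors: List[Factor]) -> bool:
    """Two or more verified factors from *different* categories are required."""
    categories = {f.category for f in factors if f.verified}
    return len(categories) >= 2


def authenticate_3ds2(ctx: RiskContext, challenge_factors: List[Factor]) -> Outcome:
    score, _ = issuer_risk_score(ctx)
    if score < CHALLENGE_THRESHOLD:
        return Outcome.FRICTIONLESS
    # Step-up: the customer confirms through the bank app, biometrics or a
    # one-time code; the verifier fills in `verified` on each factor.
    if factors_satisfy_sca(challenge_factors):
        return Outcome.CHALLENGE_PASSED
    return Outcome.CHALLENGE_FAILED


if __name__ == "__main__":
    # Constructed samples: a repeat purchase on a known device, then a
    # high-value purchase from an unknown device with two kinds of proof.
    quiet = RiskContext(20.0, device_known=True, country_matches_billing=True, returning_merchant=True)
    risky = RiskContext(400.0, device_known=False, country_matches_billing=True, returning_merchant=False)
    good_proof = [Factor(Category.KNOWLEDGE, "password", True),
                  Factor(Category.POSSESSION, "OTP on registered phone", True)]
    weak_proof = [Factor(Category.KNOWLEDGE, "password", True),
                  Factor(Category.KNOWLEDGE, "PIN", True)]
    print(authenticate_3ds2(quiet, []).value)            # frictionless
    print(authenticate_3ds2(risky, good_proof).value)    # challenge passed
    print(authenticate_3ds2(risky, weak_proof).value)    # challenge failed
```

The point of `factors_satisfy_sca` is that it counts distinct categories rather than factors: a checkout that asks for two knowledge secrets is not SCA-compliant, whereas a one-time code delivered to a registered phone plus a password is.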
By using an SCA-compliant provider like Payop, merchants can process 3DS2-enabled card payments and real-time Pay by Bank transfers securely, ensuring every transaction is both compliant and seamless.
How Payop helps businesses follow SCA requirements
For online merchants, Strong Customer Authentication is essential to maintain healthy conversion rates. Payments that don’t comply can be automatically declined by banks, even when they’re legitimate. Each declined payment means a lost sale and a poor customer experience.
That’s why Payop handles compliance so you don’t have to. Payop uses 3DS2 to verify card payments in line with PSD2 and SCA requirements. Each transaction is automatically checked to determine the right level of authentication or exemption, keeping payments secure without adding unnecessary steps for customers.
With real-time fraud detection and smart risk assessment, Payop helps merchants stay protected, compliant, and conversion-ready, all while keeping the checkout experience quick and seamless.