If you sell online to customers in Europe, or process cards through a European acquirer, PSD2 and SCA aren’t optional. They’re a regulatory requirement. Non-compliance means declined transactions, lost revenue, and awkward conversations with your payment provider. This guide explains both in plain language, tells you what actually applies to your business, and shows you how to stay compliant without tanking your conversion rate.
What Is PSD2?
PSD2 stands for the Payment Services Directive 2, a European Union law that came into force in January 2018. It updated the original 2007 Payment Services Directive to reflect how dramatically payments had changed in the decade since.
The law has two main goals. First, making payments more secure. Second, opening up the banking system so that third-party apps can access payment data, but only with your customer’s explicit permission. For most merchants the security side is what matters. Specifically, the Strong Customer Authentication rules.
Worth flagging early: the UK kept PSD2 rules after Brexit and enforces them independently. If you sell to UK customers, the same SCA requirements apply there as in the EU.
What Is SCA?
SCA stands for Strong Customer Authentication. It’s the specific security requirement inside PSD2 that forces banks to verify who a customer is before approving certain payments.
The problem it’s solving is this. Before PSD2, a customer could complete a card payment by entering their card number, expiry date, and CVV: three pieces of information that can all be stolen in a single data breach. SCA requires the bank to verify identity using at least two of the following three factors:
The Three Authentication Factors
| Factor | Meaning | Typical Example |
|---|---|---|
| Knowledge | Something you know | Password or PIN |
| Possession | Something you have | Your phone or token |
| Inherence | Something you are | Face ID or fingerprint |
Any two of the three factors must be used, and they must come from different categories, so that compromising one does not make the other easier to compromise. A password and a security question don’t count as two factors because both are “something you know.” In practice this almost always means a PIN or password combined with your phone (push notification or one-time code) or a biometric like Face ID.
What Does the Checkout Flow Actually Look Like?
The most common way SCA shows up at checkout is through 3D Secure 2 (3DS2), the authentication layer that sits between your payment form and the card issuer. Here’s what the customer experience looks like before and after:
[Figure: Checkout Flow: Before vs. After SCA, with two panels labelled “Before SCA” and “After SCA”]
That said, the extra step doesn’t always appear. Modern 3DS2 can authenticate customers silently in the background using device data and browsing signals, with no interruption to the checkout at all. This is called a frictionless flow. The visible challenge only fires when the bank’s risk engine decides it needs more confidence. Most legitimate transactions on recognised devices go through frictionlessly.
Who Does SCA Apply To?
SCA applies to online card payments where both the issuing bank (your customer’s bank) and the acquiring bank (your processor’s bank) are in the European Economic Area or the UK. If either bank is outside that zone, SCA is technically out of scope, though it’s still good practice to support 3DS2 regardless.
Practically: if you’re selling to European or UK customers and processing through a European acquirer, SCA applies. That includes merchants based outside Europe who sell into these markets.
What About Subscriptions and Recurring Payments?
This catches a lot of merchants out. The rule is simpler than it sounds:
- The first payment in a recurring series requires SCA. It’s customer-initiated and must be authenticated.
- Subsequent recurring charges are merchant-initiated transactions (MITs) and are generally exempt from SCA, provided the first transaction was properly authenticated and the recurring agreement was set up correctly.
- Free trials converting to paid: SCA is required at the point of the first actual charge, even if that’s days after sign-up.
The setup of that first transaction matters a lot. Cut corners there and you’ll see problems on every charge that follows.
SCA Exemptions: When You Can Skip Authentication
SCA isn’t required on every transaction. There are defined exemptions where the regulation permits the bank to skip authentication. Understanding these is how you protect conversion without cutting compliance corners.
| Exemption | When It Applies | Who Requests It |
|---|---|---|
| Low-value transactions | Payments under €30 (or £25 in the UK), unless the customer has exceeded 5 consecutive exempt transactions or €100 cumulative since last SCA | Acquirer or issuer |
| Trusted merchant / whitelisting | Customer has added the merchant to their bank’s trusted list | Issuer (customer must initiate) |
| Recurring payments of fixed amounts | Same amount to same merchant, after the initial authenticated transaction | Merchant / acquirer |
| Merchant-initiated transactions | Charges made without the customer present (e.g. subscription renewals, metered billing) | Merchant |
| Low-risk transaction (TRA) | Transaction Risk Analysis: PSP’s fraud rate is below threshold and transaction risk score is low | Acquirer or issuer |
| Corporate payments | Business-to-business payments via lodge cards or central travel accounts | Acquirer |
One thing to be clear on: exemptions are requests, not guarantees. The issuing bank always has the final say and can require authentication regardless. And if a transaction goes through under an exemption and turns out to be fraudulent, the liability sits with whoever requested the exemption, usually the acquirer or the merchant, not the bank.
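The low-value exemption in the table above is the one with state attached: it depends on how many exempt payments and how much money have gone through since the card’s last SCA. The following is an added example, not code from the original article or from any PSP, that models that counter logic as an issuer would have to keep it. The class and function names are assumptions for illustration; the thresholds (€30, 5 transactions, €100 cumulative) are the ones stated on this page, and the `issuer_forces_challenge` flag models the caveat that an exemption is a request the issuer may still refuse.

```python
from dataclasses import dataclass
from decimal import Decimal

# Thresholds as stated on this page: EUR 30 per transaction, and no more than
# 5 exempt transactions or EUR 100 cumulative since the last SCA.
LOW_VALUE_LIMIT = Decimal("30.00")
MAX_EXEMPT_COUNT = 5
MAX_EXEMPT_CUMULATIVE = Decimal("100.00")


@dataclass
class CardCounters:
    """Constructed model of the per-card counters an issuer keeps since the
    last successful SCA. The field names are assumptions for illustration."""
    exempt_count: int = 0
    exempt_cumulative: Decimal = Decimal("0.00")

    def reset(self) -> None:
        # A completed SCA starts both counters again from zero.
        self.exempt_count = 0
        self.exempt_cumulative = Decimal("0.00")


def low_value_exemption_allowed(amount: Decimal, counters: CardCounters) -> bool:
    """True if this transaction may go through under the low-value exemption."""
    if amount > LOW_VALUE_LIMIT:
        return False
    if counters.exempt_count >= MAX_EXEMPT_COUNT:
        return False
    # Conservative reading (an assumption): the current amount counts toward the
    # cumulative cap, so a payment that would push the total past EUR 100 needs SCA.
    if counters.exempt_cumulative + amount > MAX_EXEMPT_CUMULATIVE:
        return False
    return True


def decide(amount: Decimal, counters: CardCounters,
           issuer_forces_challenge: bool = False) -> str:
    """Return "exempt" or "sca" for one transaction and update the counters.

    issuer_forces_challenge models the point that an exemption is only a request:
    the issuer may challenge even when every threshold is satisfied.
    """
    if low_value_exemption_allowed(amount, counters) and not issuer_forces_challenge:
        counters.exempt_count += 1
        counters.exempt_cumulative += amount
        return "exempt"
    # Either the exemption does not apply or the issuer overrode it: SCA runs,
    # and a completed SCA resets the counters for the next run of small payments.
    counters.reset()
    return "sca"


def simulate(amounts, force_challenge_at=()):
    """Run a sequence of amounts against fresh counters; return one decision per transaction."""
    counters = CardCounters()
    decisions = []
    for i, amount in enumerate(amounts):
        decisions.append(decide(Decimal(str(amount)), counters,
                                issuer_forces_challenge=i in force_challenge_at))
    return decisions


if __name__ == "__main__":
    # Constructed sample: five small purchases, then a sixth that trips the count limit.
    print(simulate([20, 25, 28, 10, 15, 5]))
    # → ['exempt', 'exempt', 'exempt', 'exempt', 'exempt', 'sca']
```

The second scenario worth running is four payments of €29: the first three are exempt, and the fourth is refused not because of the count but because it would push the cumulative total past €100. Both limits have to be tracked independently, and both reset only when an SCA actually completes.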
What Happens If You Ignore SCA?
Non-compliance has direct commercial consequences. If your checkout doesn’t support 3DS2, issuing banks will decline transactions that should have been authenticated. There’s no warning, no fine, just a failed payment that shows up in your gateway dashboard. The customer sees a declined card and usually doesn’t try again.
The practical risks:
- Declined transactions: Banks decline SCA-required payments that haven’t been authenticated.
- Processor problems: Your payment processor may flag you for non-compliance or add conditions to your account.
- Chargeback exposure: Authenticated transactions shift fraud liability to the issuer. Unauthenticated ones leave you holding it.
- Regulatory risk: PSPs in Europe are supervised by national regulators and are required to enforce SCA with their merchants.
How to Implement SCA Without Hurting Conversion
The fear is understandable. Add an authentication step and customers drop off. That fear is based on real experience with early 3DS1 implementations, which were genuinely bad. But 3DS2 is a different thing when it’s done properly.
Step 1: Use a Payment Provider That Handles 3DS2 Natively
The simplest path is to use a gateway or PSP (Stripe, Adyen, Braintree, Checkout.com, Mollie and others) that handles 3DS2 authentication as part of their standard payment flow. They manage the challenge, the frictionless flow logic, and the liability rules. You don’t need to build anything. You just need to confirm you’re on their 3DS-enabled integration, which for most providers is now the default.
Step 2: Optimise for Frictionless Flow
Frictionless flow happens when the bank’s risk engine is confident enough to approve without challenging the customer. You can improve your frictionless rate by doing a few things:
- Pass rich transaction data through your 3DS2 integration: device fingerprint, billing address, email, phone number, order history. More data means lower perceived risk.
- Use a gateway with a strong fraud model. Their risk scoring directly affects how often your transactions get challenged.
- Encourage customers to save their card. Saved cards on recognised devices authenticate frictionlessly far more often.
- Encourage customers to whitelist you with their bank. This is a longer-term play but it compounds over time.
Step 3: Handle the Challenge Flow Gracefully
When a challenge does appear, how you handle it determines whether the customer completes it or leaves. A few things that matter:
- Show a clear message explaining what’s happening and why. Customers who understand the security check are much less likely to abandon.
- Make sure the 3DS challenge renders properly on mobile. Most failures happen on small screens where the bank’s iframe breaks the layout.
- Test with real cards across different European banks. Implementation quality varies a lot between issuers.
- Track your authentication rate alongside conversion. If authentication success starts dropping, your gateway or acquirer can usually help diagnose it.
Step 4: Set Up Recurring Billing Correctly From Day One
If you run subscriptions or any recurring billing model, the setup of the first transaction has a big knock-on effect. When that first payment is authenticated:
- Make sure the recurring billing agreement is flagged in the 3DS2 authentication request.
- Store the network transaction ID from the initial authenticated charge. This is what your gateway uses to mark subsequent charges as merchant-initiated.
- Work with your PSP to ensure all recurring charges reference the original authenticated transaction. If that chain breaks, banks may start declining renewals.
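The subscription rules in the “What About Subscriptions and Recurring Payments?” section and the three setup points in Step 4 describe one decision: is the next charge the first authenticated, customer-initiated payment, or a merchant-initiated renewal that references it? The following is an added example, not code from the original article or from any PSP, that models that decision for a merchant’s own billing records. The `BillingAgreement` and `ChargePlan` classes and their field names are assumptions for illustration; the network transaction ID value is a constructed placeholder. Treating an incomplete chain (authenticated once, but flag or network transaction ID missing) as needing a fresh authenticated, customer-initiated charge is an assumed recovery path, not something the article prescribes.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
from typing import Optional


@dataclass
class BillingAgreement:
    """Constructed model of what a merchant stores per subscription.
    Field names are assumptions for illustration, not any PSP's schema."""
    customer_id: str
    trial_ends: Optional[date] = None
    first_charge_authenticated: bool = False      # SCA completed on the first real charge
    recurring_flagged_in_3ds: bool = False        # agreement flagged in that 3DS2 request
    network_transaction_id: Optional[str] = None  # returned by the initial authenticated charge


@dataclass
class ChargePlan:
    """How the next charge should be submitted to the PSP."""
    amount: Decimal
    initiated_by: str                        # "customer" (CIT) or "merchant" (MIT)
    sca_required: bool
    reference_transaction_id: Optional[str]  # the original authenticated charge, for MITs
    reason: str


def chain_is_intact(agreement: BillingAgreement) -> bool:
    """All three pieces of the recurring setup must be present to claim an MIT."""
    return (agreement.first_charge_authenticated
            and agreement.recurring_flagged_in_3ds
            and agreement.network_transaction_id is not None)


def plan_charge(agreement: BillingAgreement, amount: Decimal, today: date) -> Optional[ChargePlan]:
    # Still inside a free trial: nothing is charged, so nothing is authenticated yet.
    if agreement.trial_ends is not None and today < agreement.trial_ends:
        return None
    if chain_is_intact(agreement):
        # Subsequent renewals: merchant-initiated, referencing the original authenticated charge.
        return ChargePlan(amount, "merchant", False, agreement.network_transaction_id,
                          "MIT renewal referencing the initial authenticated transaction")
    if agreement.first_charge_authenticated:
        # Authenticated once, but the recurring flag or the network transaction id was
        # never stored: the chain is broken, so this charge cannot be submitted as an MIT.
        return ChargePlan(amount, "customer", True, None,
                          "recurring chain broken; re-authenticate and re-establish the agreement")
    # First actual charge (including a trial converting to paid): customer-initiated, SCA required.
    return ChargePlan(amount, "customer", True, None,
                      "first charge in the series; SCA required")


def record_initial_authentication(agreement: BillingAgreement, network_transaction_id: str) -> None:
    """Call once the first charge completes 3DS2 with the recurring agreement flagged."""
    agreement.first_charge_authenticated = True
    agreement.recurring_flagged_in_3ds = True
    agreement.network_transaction_id = network_transaction_id


def walk_through() -> list:
    """Constructed scenario: 14-day trial, first charge at trial end, then a monthly renewal.
    Returns (initiated_by, sca_required, reference_transaction_id) per step, None while in trial."""
    ag = BillingAgreement("cust-0001", trial_ends=date(2024, 3, 15))
    steps = []
    for day in (date(2024, 3, 10), date(2024, 3, 15), date(2024, 4, 15)):
        plan = plan_charge(ag, Decimal("9.99"), day)
        if plan is None:
            steps.append(None)
            continue
        steps.append((plan.initiated_by, plan.sca_required, plan.reference_transaction_id))
        if plan.sca_required:
            # In the real flow this id comes back from the PSP after 3DS2 succeeds; constructed here.
            record_initial_authentication(ag, "NTID-CONSTRUCTED-0001")
    return steps


if __name__ == "__main__":
    for step in walk_through():
        print(step)
```

The point of `chain_is_intact` is that all three pieces of state have to survive together: an authenticated first charge with no stored network transaction ID, or one whose 3DS2 request never carried the recurring flag, leaves you unable to submit renewals as merchant-initiated, which is exactly the situation in which banks start declining them.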
The Chargeback Benefit
There’s one advantage of SCA that tends to get buried under all the compliance talk: liability shift. When a transaction is authenticated via 3DS2, fraud liability moves from you to the card issuer. If that transaction later turns out to be fraudulent, the bank absorbs the loss, not you. For merchants in high-risk categories where fraud chargebacks are a real cost line, that’s worth taking seriously.
It won’t help with friendly fraud, where a genuine customer disputes a transaction they actually made. But it does give you solid protection against true fraud chargebacks on authenticated payments.
What About PSD3?
The European Commission has published proposals for PSD3, along with an accompanying Payment Services Regulation, which is intended to replace PSD2. As of mid-2026 it’s still moving through the EU legislative process and isn’t in force yet. The SCA requirements under PSD2 remain fully applicable in the meantime. When PSD3 does pass, it’s expected to tighten SCA requirements rather than relax them, so getting your implementation right now is the right move regardless of what comes next.
Quick Reference: SCA at a Glance
| Question | Answer |
|---|---|
| What is SCA? | A mandatory security check requiring two-factor authentication for online payments in Europe and the UK |
| Who does it affect? | Any merchant processing card payments where both the issuing and acquiring bank are in the EEA or UK |
| How is it implemented? | Via 3D Secure 2 (3DS2), handled by your payment gateway or PSP |
| Do all transactions need it? | No. Several exemptions exist including low-value transactions, recurring charges, and TRA |
| What happens without it? | Issuing banks decline transactions that should have been authenticated |
| Does it affect subscriptions? | Only the first payment needs SCA. Subsequent merchant-initiated charges are exempt |
| What about fraud chargebacks? | Successfully authenticated transactions shift fraud liability from merchant to issuer |
