Strong Customer Authentication (SCA) is a regulatory requirement in effect as of September 14, 2019, that impacts many European online payments. It requires customers to use two-factor authentication like 3D Secure to verify their purchase.
Some transactions that are deemed low risk, based on the volume of fraud rates associated with the payment provider or bank, may be exempt from Europe’s Strong Customer Authentication requirements.
If Stripe requests an exemption for payments requiring SCA and the transaction passes through the frictionless flow, it doesn’t benefit from the liability shift. If an issuer applies the frictionless flow without being requested, liability shift generally does happen. For more information on liability shift see Disputed payments and liability shift.
The payment authentication report enables you to view the different type of exemptions being used, so you can access SCA impact, understand levels of enforcement, and see the value of the SCA exemptions requested on your behalf.
Payments in SCA scope is the number of all transactions where you or the card issuing bank is in one of the 32 European countries with SCA regulation. It excludes payments that were retried but failed for the same order. See When is Strong Customer Authentication required?.
Exempted payments is the number of those in-scope payments that were successfully exempted from SCA—either no 3D Secure was present or the payment went through the 3D Secure frictionless flow.
Exemption rate is the proportion of attempted transactions that successfully completed.
The following section contains two views that help you understand changes to your exemption rate over the selected time period, along with the proportion of payment outcomes.
- Succeeded—exempted represents payments that succeeded without requiring an authentication challenge. Either the bank didn’t support 3DS or the payment went through the 3DS frictionless flow.
- Succeeded—authenticated represents payments that succeed with a two-factor challenge, such as a 3DS challenge flow or authentication through Apple Pay or Google Pay.
- Failed represents payments that didn’t go through. Either Radar blocked the payment, the issuing bank declined it, or the customer failed the challenge authentication.
The chart displayed on your Dashboard page shows the different exemptions that were used. Use the breakdown chart to better understand SCA enforcement across your target market, as well as performance of Stripe’s optimizations.
There are two ways to claim an SCA exemption:
- Direct to authorization - where Stripe requests an exemption as part of the authorization message.
- Stripe requests frictionless authentication by asking for an exemption in the 3DS messages.
See Exemptions to Strong Customer Authentication for details on the different types of exemptions.