Strong Customer Authentication

What internet businesses need to know about the European regulation

  1. Introduction
  2. What is Strong Customer Authentication?
    1. When is Strong Customer Authentication required?
    2. How to authenticate a card payment
    3. How liability for fraudulent disputes works in the context of 3DS
    4. Exemptions to Strong Customer Authentication
    5. What happens if an exemption fails?
    6. How Stripe helps you meet Strong Customer Authentication requirements
    7. Upcoming changes

In this guide, we'll take a closer look at Europe's Strong Customer Authentication (SCA) requirements, as introduced by the Payments Services Directive 2 (PSD2), and the kinds of payments they affect. We'll also cover the available exemptions that can be requested on behalf of the businesses to offer a frictionless checkout experience.

We've also published a guide to help you identify when to add authentication in your customer journey and a guide on how to prepare for the upcoming Payments Services Directive 3 (PSD3). Visit our site for more information on SCA-ready products from Stripe.

What is Strong Customer Authentication?

Strong Customer Authentication (SCA) is a European regulatory requirement to reduce fraud and make online and contactless offline payments more secure. To accept payments and meet SCA requirements, you need to build additional authentication into your checkout flow. SCA requires authentication to use at least two of the following three elements.

If you would like to read the original SCA requirements, they are set out in the Regulatory Technical Standards or RTS. Banks must decline payments that require SCA and don't meet these criteria.

When is Strong Customer Authentication required?

Strong Customer Authentication applies to "customer-initiated" online and contactless offline payments within the UK or Europe. All electronic payments (i.e. card payments and bank transfers) require SCA unless an exemption can be applied or the transaction is considered out of scope for SCA – for example, merchant-initiated transactions (e.g. direct debit).

For online card payments, these requirements apply to transactions where both the business and the cardholder's bank are located in the European Economic Area (EEA).

How to authenticate a card payment

The most common way of authenticating an online card payment relies on 3D Secure – an authentication standard supported by the vast majority of European cards. Applying 3D Secure typically adds an extra step after the checkout where the cardholder is prompted by their bank to provide additional information to complete a payment (e.g. a one-time code sent to their phone or fingerprint authentication through their mobile banking app).

3D Secure 2 is the main method for authenticating online card payments and meeting SCA requirements.

Offline card transactions typically fulfil authentication requirements with PIN entry. Other card-based payment methods such as Apple Pay or Google Pay already support payment flows with a built-in layer of authentication (biometric or password). These can be a great way for businesses to offer a frictionless checkout experience while meeting the requirements.

How liability for fraudulent disputes works in the context of 3DS

One of the benefits of applying SCA where multifactor authentication is successful is that businesses can get liability protection from fraudulent disputes.

Exemptions to Strong Customer Authentication

Not all payments fall within the scope of multi-factor authentication under SCA. Some can qualify for either an exemption that is provisioned by the regulation, or they are out of scope of SCA enforcement. In the instances where an exemption is requested and accepted by the cardholder's bank, the liability of fraudulent disputes stays with the business.

Payment providers like Stripe are able to request exemptions when processing the payment. The cardholder's bank will then receive the request, assess the risk level of the transaction and ultimately decide whether to approve the exemption or whether authentication is still necessary. Using exemptions for low-risk payments can reduce the number of times you will need to authenticate a customer and reduce friction and customer drop-off.

Stripe uses machine learning to determine the optimal exemption in each instance in order to help you provide your customers with the most seamless checkout experience possible. We have designed our SCA-ready payments products to help you take advantage of exemptions when possible to protect your conversion.

The most relevant exemptions for businesses that accept online payments are:

Low-risk transactions

A payment provider (like Stripe) is allowed to do a real-time risk analysis, known as Transaction Risk Analysis (TRA), to determine whether to apply SCA to a transaction. Applying this exemption may only be possible if the payment provider's overall fraud rates for card payments do not exceed the following thresholds:

  • 0.13% to exempt transactions below €100/£85
  • 0.06% to exempt transactions below €250/£220
  • 0.01% to exempt transactions below €500/£440

These thresholds will be converted to local equivalent amounts where relevant.

This is one of the most useful exemptions for businesses and one of the most widely supported by banks. Stripe Radar offers comprehensive, real-time risk assessment that allows us to support this exemption for our users.

Payments below €30/£25

Payments with low amounts may also be exempt. Transactions below €30 or £25 are considered "low value" and may be exempted from SCA. Banks, however, need to request authentication if the exemption has been used five times since the cardholder's last successful authentication or if the sum of previously exempted payments exceeds €100/£85. The cardholder's bank needs to track the number of times this exemption has been used and decide whether authentication is necessary.

Due to the strict limitations of this exemption, it may not be relevant for many payments. We do, however, support this exemption for our users.

Recurring transactions

This exemption can apply when the customer makes a series of recurring payments for the same amount, to the same business. SCA is required for the customer's first payment – subsequent charges, however, may be exempted from SCA.

This exemption is very useful for subscription businesses and is broadly supported by European banks. If you're using Stripe Billing to create subscriptions, we apply this exemption automatically when relevant and can help manage authentication requests in case the exemption is rejected by the customer's bank.

Merchant-initiated transactions (including variable subscriptions)

Payments made with saved cards when the customer is not present in the checkout flow (sometimes called "off-session") may qualify as merchant-initiated transactions. These payments technically fall outside the scope of SCA. In practice, marking a payment as a "merchant-initiated transaction" will be similar to requesting an exemption. And like any other exemption, it is still up to the bank to decide whether authentication is needed for the transaction.

To use merchant-initiated transactions, you need to authenticate the card either when it's first being saved or on the first payment. Finally, you need to get an agreement from the customer (also referred to as a "mandate") in order to charge their card at a later point.

This is a vital use case for business models that rely on delayed payments, charge variable-amount subscriptions or bill for add-ons. It is supported by most European banks and accepted if the transaction is considered low-risk by the bank.

Stripe's API lets you authenticate a card when it's being saved for later use and mark subsequent payments as "merchant-initiated transactions." It's important that businesses use Stripe's latest APIs to ensure SCA-readiness.

Phone sales (MOTO)

Card details collected over the phone fall outside the scope of SCA and do not require authentication. This type of payment is sometimes referred to as "Mail Order and Telephone Orders" (MOTO). Similar to exempted payments, MOTO transactions need to be flagged as such – with the cardholder's bank making the final decision to accept or reject the transaction.

This is an important use case for any business accepting payments over the phone and widely supported by banks. Payments created through the Stripe Dashboard can be automatically marked as MOTO payments for this use case.

If your business is PCI-compliant and you've built your own system to accept phone orders, our payments APIs let you mark a payment as MOTO. Please contact us to enable this feature on your Stripe account and to access the technical documentation.

Corporate payments

This exemption covers payments that are made with "lodged" cards (e.g. where a corporate card used for managing employee travel expenses is held directly with an online travel agent), as well as corporate payments made using virtual card numbers (which are also used in the travel sector).

This exemption has low practical use outside of the travel industry due to its very narrow scope. The exemption itself can only be requested by the cardholder's bank, as neither the business nor payment providers (such as Stripe) are able to detect whether a card belongs in these categories.

Trusted beneficiaries

When completing authentication for a payment, customers may have the option to allowlist a business they trust to avoid having to authenticate future purchases. These businesses are then included on a list of "trusted beneficiaries" maintained by the customer's bank or payment service provider.

Although allowlisting has the potential to make repeat purchases or subscriptions more convenient for customers, the adoption of this feature among banks has been slow.

What happens if an exemption fails?

While exemptions may be very useful, it's important to remember that it's ultimately the cardholder's bank that decides whether or not to accept an exemption. Banks can return specific decline codes for payments that failed because the exemption was not accepted and, as a result, the payment was missing authentication. These payments then have to be resubmitted to the customer with a request for Strong Customer Authentication. SCA-ready products from Stripe automatically trigger this extra authentication when required by banks.

If your business is impacted by SCA, we recommend preparing for a fallback in case an exemption is rejected and your customer needs to authenticate. This is particularly important if you charge your customers when they′re not actively in your checkout flow (i.e., when they are off-session) and your customer needs to return to your website or app to authenticate. Read our guide on designing payment flows for SCA for more information.

How Stripe helps you meet Strong Customer Authentication requirements

The changes introduced by this regulation deeply affect internet commerce in Europe. Affected businesses that don't adhere to these requirements could see their conversion rates affected as SCA rules continue to evolve across European banks.

In addition to supporting authentication methods like 3D Secure 2, we believe successful handling of exemptions is a key component for building an optimised payments experience that reduces fraud while also minimising friction for your customers. Our payments products optimise for different regulatory, bank and card network rules and apply relevant exemptions for low-risk payments, so as to only trigger 3D Secure when required. Our advanced machine-learning models also help you adapt to SCA rules changes.

Upcoming changes

Regulators across EU and UK are also working on revising the rules that will shape up the future of SCA in both the regions. The European Commission has revised the current PSD2 framework and issued proposals for a Payment Services Directive 3 and Payment Services Regulation. Stripe published this guide that goes into the details of what businesses can expect with the new rules and we are closely monitoring the progress for similar rules in the UK market.

Learn more about SCA-ready products from Stripe. If you have any questions or feedback, please let us know.

Ready to get started?

Create an account and start accepting payments – no contracts or banking details required. Or, contact us to design a custom package for your business.