Strong Customer Authentication (SCA)

API v3
Last updated November 2023

SCA is an EU regulation under the second Payment Services Directive (PSD2). Its aim is to add more layers of security to online payments and reduce fraud.

When SCA applies

SCA applies to countries in the EEA (European Economic Area) and is required for the transaction types listed below.

Customer Initiated Transaction (CIT): e.g. an online card payment.

Recurring order: applies to the first Customer Initiated Transaction (CIT) in a Merchant Initiated Transaction (MIT) series, for example:
  • An initial payment is made, followed by a monthly charge (online delivery of household supplies, e.g. milk/bread).
  • No initial payment is made until the first monthly instalment (free trial subscription, e.g. Spotify/Netflix). In this case an account verification can be used to apply the 3DS authentication details, as there is no initial payment.
  The challenge.preference in the 3DS authentication request must be set to challengeMandated.

Add card to account: applies when adding a new card to an online account (e.g. adding a card to an Amazon/eBay account). The challenge.preference in the 3DS authentication request must be set to challengeMandated.

When SCA does not apply

SCA Exemption: under certain conditions you can bypass the need for 3DS whilst still remaining SCA compliant:
  • Low Value - the order is under €30
  • Low Risk - transactions through Worldpay (acquirer) are maintained below a set fraud threshold
  In this case liability is shifted to the exemption provider (e.g. Worldpay) instead of the issuer.

Recurring payments (after the initial CIT, see the table above): recurring payments where the customer is not present do not require SCA.

MOTO Payments: e.g. telephone, in-store.

One Leg Out: the issuing bank or acquirer is outside the EEA (European Economic Area).

Corporate Payments: virtual cards, used for things such as booking travel.

Whitelist (trusted businesses): the cardholder can whitelist a merchant to avoid future 3DS checks.
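The two tables above amount to a decision rule: which transactions are in scope for SCA, which must be sent with challenge.preference set to challengeMandated, and which may claim an exemption (shifting liability to the exemption provider). The Python helper below encodes those rules as an added example; it is not Worldpay's code or API. The Transaction fields, the kind labels, the exemption names lowValue/lowRisk and the below_fraud_threshold flag (standing in for the acquirer's fraud-rate reporting) are assumptions made for illustration; only challengeMandated and the €30 limit come from the page.

```python
from dataclasses import dataclass

LOW_VALUE_LIMIT_EUR = 30.0  # "Low Value" exemption: order is under 30 EUR (from the page)


@dataclass
class Transaction:
    # Field names and kind labels are assumptions made for this example
    kind: str                            # "cit", "mit", "moto", "add_card", "corporate"
    amount_eur: float = 0.0
    issuer_in_eea: bool = True
    acquirer_in_eea: bool = True
    first_of_mit_series: bool = False    # the initial CIT that sets up a recurring series
    below_fraud_threshold: bool = False  # acquirer fraud rate under the set threshold
    merchant_whitelisted: bool = False   # cardholder has trusted-listed the merchant


def sca_decision(tx: Transaction) -> dict:
    """Does SCA apply, which exemption (if any) can be claimed, who carries
    liability, and which challenge.preference to send (None if page is silent)."""
    out = {"sca_applies": False, "exemption": None, "challenge_preference": None,
           "liability": None, "reason": ""}

    # Cases in which SCA does not apply at all
    if not (tx.issuer_in_eea and tx.acquirer_in_eea):
        return {**out, "reason": "one leg out: issuer or acquirer outside the EEA"}
    if tx.kind in ("moto", "corporate"):
        return {**out, "reason": "MOTO or corporate virtual-card payment"}
    if tx.kind == "mit":
        return {**out, "reason": "recurring MIT after the initial CIT, customer not present"}
    if tx.merchant_whitelisted:
        return {**out, "reason": "merchant whitelisted by the cardholder"}

    out["sca_applies"] = True
    # Cases in which the challenge is mandatory: adding a card to an account,
    # or the first CIT of an MIT series (including a free-trial account verification)
    if tx.kind == "add_card" or (tx.kind == "cit" and tx.first_of_mit_series):
        return {**out, "challenge_preference": "challengeMandated", "liability": "issuer",
                "reason": "add card to account or first CIT of an MIT series"}

    # Ordinary CIT: SCA applies, but an exemption may be claimed, which shifts
    # liability from the issuer to the exemption provider (e.g. the acquirer)
    if tx.amount_eur < LOW_VALUE_LIMIT_EUR:
        return {**out, "exemption": "lowValue", "liability": "exemption provider",
                "reason": "order under 30 EUR"}
    if tx.below_fraud_threshold:
        return {**out, "exemption": "lowRisk", "liability": "exemption provider",
                "reason": "acquirer fraud rate below the set threshold"}
    return {**out, "liability": "issuer", "reason": "CIT: 3DS authentication required"}
```

Whether an exemption is honoured is ultimately the issuer's decision, so treat the exemption branch as what you may request, not what you will get.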