Strong Customer Authentication (SCA) - 3DS & Exemptions

SCA is an EU regulation under the second Payment Services Directive (PSD2). The aim being to add more layers of security to online payments and reduce fraud. There are two products to help you with compliance:

Learn when SCA applies and when it does not

There are two products to give you compliance:


Issuer perform risk and identity check, giving both liability shift and SCA compliance.

payments api

Enable 3DS in our Payments API

Add a 3DS authentication as part of our orchestrated payments API. Enable as part of configuration in the API.

3ds api

Use our standalone 3DS API

Send a dedicated 3DS authentication API request and receive a response with the authentication details. Apply this in the Access Card Payments API or other payments gateways as part of external MPI.

Liability Shift

Liability for fraudulent transactions passes to the issuer when 3DS is applied. A successful frictionless/challenge outcome is only an indication of liability shift. The shift itself happens when the 3DS data is applied in the payment request.

SCA Exemptions

Worldpay performed risk check, removing the checkout friction caused by 3DS challenges.

placeholder image

Enable SCA Exemptions in our Payments API

Ask for an SCA Exemption to be applied automatically as part of our Payments API

Coming Soon

placeholder image

Use a standalone SCA Exemptions API

Send a dedicated SCA Exemptions API request and receive a outcome containting a granted exemption. Apply this in the Access card payments API.

When SCA applies

SCA applies to countries in the EEA (European Economic Area) and is required for certain transaction types.

Customer Initiated Transaction (CIT)e.g. online card payment
Recurring orderApplies to the first Customer Initiated Transaction (CIT) in a Merchant Initiated Transaction (MIT) series, for example:
  • Initial payment is made then a monthly charge (online delivery of household supplies e.g. milk/bread)
  • No initial payment is made until the first monthly instalment (Free trial subscription e.g. Spotify/Netflix). For this an account verification can be used to apply the 3DS authentication details as there is no initial payment.

The challenge.preference in the 3DS authentication request must be set to challengeMandated
Add card to accountStrong recommendation to use when adding new cards to an online account (e.g. add a card to Amazon/Ebay account). The challenge.preference in the 3DS authentication request must be set to challengeMandated

When SCA does not apply

SCA ExemptionUnder certain conditions you can bypass the need for 3DS whilst still remaining SCA compliant
  • Low Value - Order is under €30
  • Low Risk - Transactions through Worldpay (acquirer) are maintained below a set Fraud threshold
Liability is shifted to the Exemption provider (e.g. Worldpay) instead of the issuer for this case.
Recurring payments (after initial CIT, see table above)Recurring payments where the customer is not present do not require SCA
MOTO Paymentse.g. Telephone, In-store
One Leg OutIf the issuing bank or acquirer is outside the EEA (European Economic Area)
Corporate PaymentsVirtual cards, used for things such as booking travel.
Whitelist (trusted Businesses)Cardholder can whitelist a merchant to avoid future 3DS checks