What Does Strong Customer Authentication Mean?
Strong Customer Authentication (SCA) is a regulatory requirement under the Payment Services Directive 2 (PSD2) in Europe, aimed at reducing online fraud and making digital payments more secure. In simple terms, SCA ensures that customers are who they say they are—by asking for more than just a password or card number during transactions.
Think of it as an extra layer of protection, especially for electronic payments, whether they’re made online or in-store. The goal? To make sure the person initiating a payment is the actual account holder.
To comply with SCA, a payment must include at least two of the following three authentication factors:
- Knowledge: Something only the user knows (e.g., a password or PIN)
- Possession: Something only the user has (e.g., a mobile device or hardware token)
- Inherence: Something the user is (e.g., fingerprint or facial recognition)
This requirement is mandatory for most electronic payments in the European Economic Area (EEA) and is enforced by banks and payment providers.
Example: When a customer in the EU tries to make an online card payment, they might be asked to enter a password they know (knowledge) and then approve a one-time password (OTP) or push notification on their registered phone (possession), or to unlock their banking app with a fingerprint (inherence) on that same phone (possession). Either way, two independent factors are combined. This layered approach makes it harder for fraudsters to bypass authentication, even if they get hold of card details.
When Do You Need Strong Customer Authentication?
Strong Customer Authentication (SCA) applies to customer-initiated electronic payments within the European Economic Area (EEA). This includes both online transactions (like purchasing on an e-commerce site) and offline contactless payments (such as tapping a card at a POS terminal).
Here are the most common scenarios where SCA is required:
- Online card payments made by customers in the EEA
- Adding a new beneficiary or initiating a bank transfer via online banking
- Contactless in-store payments after certain limits are crossed (e.g., cumulative amount or number of transactions)
However, SCA is not required in all cases. There are several important exemptions and edge cases:
- Merchant-initiated transactions (MITs): These are payments made without the customer actively involved—like subscriptions or recurring billing after the initial authentication.
- Low-value transactions: Payments below €30 may be exempt unless a threshold is exceeded.
- Trusted beneficiaries: If a customer has whitelisted a merchant, future payments to that merchant might bypass SCA.
- Corporate payments made using secure, dedicated payment processes.
- Transactions where either the cardholder's bank (issuer) or the merchant's acquirer is outside the EEA ("one-leg-out" transactions): the SCA rules only bind transactions where both payment providers are in the EEA, so SCA is applied on a best-effort basis in these cross-border scenarios.
Note for Indian Businesses: Even though SCA is an EU-specific regulation, if you’re an Indian merchant serving customers in the EEA, your payment provider must support SCA-compliant flows to process transactions successfully. This ensures your payments aren’t declined due to non-compliance.
Steps to Authenticate a Card Payment
Authenticating a card payment under SCA depends on whether the transaction happens online or in person.
For Online Payments:
The most common method is 3D Secure, specifically 3D Secure 2 (3DS2)—an updated protocol that supports SCA and offers a better user experience. Here’s how it works:
- Customer initiates payment on an e-commerce site.
- They are prompted to authenticate via:
- A password or PIN (knowledge) combined with an OTP sent to a registered device (possession)
- Fingerprint or face scan on the customer's own device, for example via Apple Pay or Google Pay (possession + inherence)
- Push notification approved in their banking app, which is bound to the device (possession) and unlocked with a PIN or biometric (knowledge or inherence)
- Once authentication is successful, the payment is completed.
Many modern payment providers—like Stripe, Razorpay, or Adyen—have built-in authentication flows to make this process smooth. For example, they allow biometric verification through platforms like Apple Pay, which satisfies SCA without adding friction.
For Offline Payments:
For in-person card payments, authentication typically involves:
- Inserting the card and entering a PIN (knowledge + possession)
- Contactless transactions, which may skip SCA for small amounts but trigger authentication after set thresholds.
Fraud Liability and 3D Secure: How It Works
SCA doesn’t just enhance payment security—it also shifts the liability for certain types of fraud.
When a transaction is authenticated with SCA (for card payments, through 3D Secure), the liability for fraud-related chargebacks, that is disputes where the cardholder claims the payment was unauthorised, shifts to the cardholder's bank, not the merchant. This reduces your risk as a business owner, especially for online transactions. Note that the shift only covers fraud disputes: chargebacks for reasons such as goods not received or not as described still follow the normal rules, and transactions processed under an exemption without authentication stay with the merchant.
Why 3D Secure Matters:
- 3D Secure 2 is the go-to solution for meeting SCA requirements in online card payments.
- It helps authenticate the cardholder, reducing fraud and boosting trust.
- It also protects merchants by transferring liability to the issuer bank if the transaction meets SCA standards.
So, beyond compliance, using 3DS2 helps lower chargeback risks and improve fraud protection—critical for high-volume online businesses.
Exemptions to Strong Customer Authentication Rules
Not all transactions require Strong Customer Authentication. The regulation allows specific exemptions based on risk level, transaction amount, or type of payment. These exemptions help maintain a smooth customer experience without compromising security.
That said, banks and card issuers ultimately decide whether to accept an exemption. As a merchant, you can request an exemption, but you’ll need to support full authentication if it’s denied.
Let’s break down the most common SCA exemptions:
1. Transactions with Low Risk
If a transaction has a low risk of fraud, and the payment provider or bank has robust fraud monitoring systems, SCA can be skipped. This is known as Transaction Risk Analysis (TRA).
Thresholds depend on the fraud rate of the payment provider—lower fraud = higher exemption limits.
2. Small Payments Under €30/£25
Payments below €30 or £25 may not require SCA.
However, the issuer keeps running counters per card, and SCA will be triggered if:
- More than five consecutive low-value transactions have been made since the last authentication, or
- The total value of exempted transactions since the last authentication exceeds €100.
Both counters reset once the customer completes SCA again.
3. Regular Recurring Payments
Fixed-amount subscriptions (like Netflix or Spotify) are typically exempt after the first transaction, which requires SCA.
Subsequent payments of the same amount and recipient can skip authentication.
4. Merchant-Initiated Payments (e.g., Variable Subscriptions)
These are payments initiated by the merchant, not the customer, like metered billing or top-ups.
They’re exempt as long as the initial setup involved SCA and the customer agreed to it.
5. Phone Orders and Mail Orders (MOTO Payments)
MOTO payments are out of scope of SCA altogether, rather than being an exemption: the card details are given over the phone or by post and the transaction is keyed in by the merchant, so it is not an electronic payment initiated by the customer.
These should be flagged properly as MOTO in the payment request; a MOTO transaction submitted as an ordinary e-commerce payment will be treated as one and may be declined for missing authentication.
6. Business or Corporate Payments
Payments made through secure corporate payment systems (like lodge cards or virtual cards used by travel agents) may be exempt.
7. Payments to Trusted Merchants
Customers can whitelist a merchant with their bank. Once a business is marked as “trusted”, future payments may not require SCA.
Note: Only the bank can manage this list, not the merchant.
What Happens If an Exemption Is Rejected?
Even if a transaction qualifies for an exemption, the bank or issuer has the final say. If they decline the exemption, SCA is required to complete the payment.
What should businesses do?
- Implement fallback flows: Make sure your checkout experience can seamlessly handle both exempted and authenticated transactions.
- Communicate clearly: If extra steps are required, inform customers why, so they don’t drop off.
- Use modern payment providers: Platforms like Razorpay or Stripe automatically handle exemptions and re-route users to authentication if needed—minimising friction.
Conclusion
Strong Customer Authentication is a critical layer of security that protects both businesses and customers from online payment fraud. While compliance is mandatory in the EEA, the right use of exemptions can strike a balance between security and seamless checkout.
By working with a payment provider that supports smart authentication flows, businesses can stay compliant without compromising on user experience.
Frequently Asked Questions (FAQs)
1. How does Strong Customer Authentication impact online payments?
SCA adds an extra layer of security, requiring customers to verify themselves with two or more factors during checkout. This reduces fraud but can add friction if not implemented well.
2. What are the elements of Strong Customer Authentication?
SCA requires at least two out of three of the following:
- Knowledge (something the customer knows – e.g., password or PIN)
- Possession (something the customer has – e.g., phone or card)
- Inherence (something the customer is – e.g., fingerprint or facial recognition)
3. How do I set up Strong Customer Authentication on my website?
Use a payment gateway that supports SCA (like Razorpay or Stripe). Ensure your checkout flow supports 3D Secure 2, fallback options, and exemption handling.
4. Who needs to comply with SCA regulations?
Any business processing electronic payments initiated by customers within the EEA must comply with SCA. This includes e-commerce sites, apps, and service providers.
5. Does SCA apply to all online transactions?
No. Exemptions apply for low-risk transactions, small amounts, recurring payments, and more. However, banks can still require authentication, even if an exemption is requested.
6. What happens if an SCA exemption fails?
The customer will be prompted to complete authentication using methods like OTP or biometrics. If they fail to authenticate, the payment may be declined.