Strong Customer Authentication


Also known as: SCA, PSD2 SCA, Strong Authentication

EU regulation (PSD2) requiring two-of-three authentication factors for most electronic payments, primarily enforced through 3D Secure 2.

Definition

Strong Customer Authentication (SCA) is a requirement under the European Union's Second Payment Services Directive (PSD2) that mandates at least two of three independent authentication factors on most electronic payments: something the customer knows (password, PIN), something the customer has (phone, hardware token), and something the customer is (fingerprint, face scan). The factors must be independent, so compromising one does not compromise the other.

In practice, card payments satisfy SCA through 3D Secure 2 (3DS2). When a customer pays with a card issued by a bank in the EEA, the issuer can challenge the transaction with a step-up authentication in the customer's banking app or via a one-time code; where the issuer's risk assessment is satisfied, 3DS2 also allows a frictionless flow with no visible challenge. Modern payment gateways handle this automatically; the merchant just sees an extra redirect or modal during checkout.

SCA includes exemptions for low-value transactions (up to €30, subject to cumulative limits), recurring transactions of a fixed amount to the same payee once the first has been authenticated, payments the issuer's or acquirer's transaction risk analysis classifies as low-risk, and trusted-beneficiary lists the customer maintains with their bank. Merchant-initiated transactions on a stored credential are outside the scope of SCA rather than exempt from it, because the payer is not present when the charge is made. Subscription-billing systems rely on this to charge recurring invoices without re-authentication every cycle, provided the credential was set up with SCA in the first place.

Why It Matters

If your billing stack doesn't handle SCA correctly, you can see declines on EEA-issued cards spike to 30-40% on initial transactions, plus unexpected failures on recurring charges. The decline reason is usually 'authentication required', which is a soft decline: the issuer will approve the same payment once the customer has authenticated. The fix is to route the payment through a 3DS2 challenge flow and re-submit it, not to retry the unauthenticated charge.

The biggest mistake is treating SCA as something only large enterprises need to worry about. Issuers have been fully enforcing it since the end of 2020 across the EEA and since March 2022 in the UK. Any merchant taking EEA-issued cards without 3DS2 support is losing roughly one in three of those transactions to authentication declines, often without realizing it, because soft declines look like ordinary card failures in gateway reporting.

Examples in Practice

A SaaS company processing $50K/mo through Stripe sees its EU decline rate jump from 8% to 28% after PSD2 enforcement begins. Switching the integration to Stripe's PaymentIntents API with automatic 3DS2 handling drops the decline rate back to 9% within a week.

A subscription business authenticates the first charge through 3DS2 and saves the card for off-session use, so later charges are submitted as merchant-initiated transactions (MITs) against that stored credential. Subsequent monthly charges process without challenges because MITs fall outside SCA scope; the issuer can still decline one with 'authentication required', in which case the customer has to be brought back on-session.

An e-commerce checkout for a $5 micro-transaction requests the low-value exemption (transactions up to €30, provided the card has not exceeded €100 or five consecutive exempt transactions since the last SCA). The customer experience stays one-click; the issuer still authorizes the payment, and may still challenge it if its own counters say a cumulative limit has been reached.

Frequently Asked Questions

What is Strong Customer Authentication and when do I need it?

SCA is a PSD2 requirement that the payer's bank apply two of three independent authentication factors on most electronic payments, including card payments. You need to support it whenever you accept cards issued in the EEA (and in the UK, which kept the rule after Brexit). For cards it is enforced through the 3D Secure 2 challenge flow at checkout.

Does SCA apply to US merchants?

Yes, in practice. Strictly, the PSD2 mandate applies when both the cardholder's bank and the merchant's acquirer are in the EEA; for 'one-leg-out' transactions (an EEA card processed by a non-EEA acquirer) EEA issuers apply SCA on a best-effort basis. A US merchant accepting EEA-issued cards will therefore still see challenges and 'authentication required' declines. The issuing bank decides whether to challenge the transaction; your geography doesn't exempt you.

What are the SCA exemptions?

Low-value transactions up to €30, with cumulative limits of €100 or five consecutive transactions since the last SCA; recurring transactions of the same amount to the same payee, after SCA on the first; trusted beneficiaries the customer has whitelisted with their bank; transaction risk analysis (TRA), where the issuer's or acquirer's risk engine classifies the payment as low-risk, permitted only while that provider's fraud rate stays under the regulatory thresholds (up to €100, €250 or €500 depending on the rate); and secure corporate payment processes and unattended transport or parking terminals. Merchant-initiated transactions on a stored credential are outside SCA scope rather than exempt. In every case the issuer has the final say: a requested exemption can always be refused with a challenge, so the integration must handle that path.
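The exemptions above turn into a decision the merchant's billing code has to make before each charge: submit as an out-of-scope MIT, request an exemption, or ask for the 3DS2 challenge up front. The following is an added example of that pre-check, not AMW's or any gateway's code. The €30 / €100 / five-transaction limits are the low-value thresholds from the PSD2 RTS; the data classes, the `StoredCredential` counters and all function names are assumptions for illustration. The counters are a local mirror of what the issuer tracks; the issuer's own counters are authoritative, which is why the caller still has to handle a soft decline after requesting an exemption.

```python
"""Merchant-side pre-check: which SCA treatment should this card payment request?

Added example, not AMW's code. Low-value limits are those of the PSD2 RTS
(up to EUR 30 per transaction, at most EUR 100 and five consecutive exempt
transactions since the last SCA). The issuer decides whether to grant any
exemption; this only chooses what the merchant asks for.
"""
from dataclasses import dataclass
from decimal import Decimal
from enum import Enum
from typing import Optional


class Initiator(Enum):
    CUSTOMER = "customer"   # cardholder present in the checkout session
    MERCHANT = "merchant"   # charge triggered by the merchant off-session (MIT)


class ScaTreatment(Enum):
    OUT_OF_SCOPE_MIT = "mit"                    # payee-initiated: SCA does not apply
    EXEMPT_RECURRING = "recurring_exemption"    # same payee, same amount, first charge had SCA
    EXEMPT_LOW_VALUE = "low_value_exemption"    # per-transaction cap plus cumulative limits
    CHALLENGE = "request_3ds2_challenge"        # no exemption available: authenticate


LOW_VALUE_MAX = Decimal("30.00")
LOW_VALUE_CUMULATIVE_MAX = Decimal("100.00")
LOW_VALUE_MAX_COUNT = 5


@dataclass
class StoredCredential:
    """What the merchant knows about a saved card (constructed for the example)."""
    first_charge_authenticated: bool                     # SCA completed when the card was saved
    agreed_fixed_amount: Optional[Decimal] = None        # set for a fixed-amount recurring agreement
    # Local mirror of the issuer's low-value counters since the last SCA.
    spent_since_last_sca: Decimal = Decimal("0")
    count_since_last_sca: int = 0


@dataclass
class Payment:
    amount: Decimal                 # EUR, for simplicity
    initiator: Initiator
    credential: Optional[StoredCredential] = None


def classify(payment: Payment) -> ScaTreatment:
    """Return the SCA treatment the merchant should request for this payment."""
    cred = payment.credential

    # 1. Merchant-initiated charge on a credential whose setup was authenticated:
    #    the payer is not present, so SCA does not apply. Without an authenticated
    #    setup there is nothing to rely on and the customer must come back on-session.
    if payment.initiator is Initiator.MERCHANT:
        if cred is None or not cred.first_charge_authenticated:
            return ScaTreatment.CHALLENGE
        return ScaTreatment.OUT_OF_SCOPE_MIT

    # 2. Customer-initiated: fixed-amount recurring series whose first charge had SCA.
    if (cred is not None and cred.first_charge_authenticated
            and cred.agreed_fixed_amount is not None
            and payment.amount == cred.agreed_fixed_amount):
        return ScaTreatment.EXEMPT_RECURRING

    # 3. Low-value exemption: per-transaction cap plus cumulative amount and count.
    if payment.amount <= LOW_VALUE_MAX:
        spent = cred.spent_since_last_sca if cred else Decimal("0")
        count = cred.count_since_last_sca if cred else 0
        if (spent + payment.amount <= LOW_VALUE_CUMULATIVE_MAX
                and count + 1 <= LOW_VALUE_MAX_COUNT):
            return ScaTreatment.EXEMPT_LOW_VALUE

    # 4. Otherwise ask for the challenge now rather than eat a soft decline
    #    and a second authorization attempt.
    return ScaTreatment.CHALLENGE


def record_outcome(cred: StoredCredential, payment: Payment, authenticated: bool) -> None:
    """Update the mirrored counters: an SCA resets them, an exempt payment adds to them."""
    if authenticated:
        cred.spent_since_last_sca = Decimal("0")
        cred.count_since_last_sca = 0
    else:
        cred.spent_since_last_sca += payment.amount
        cred.count_since_last_sca += 1
```

Two things the pre-check makes visible: a €5 charge is not automatically exempt (a card that has already run €96 of exempt payments since its last SCA has to be challenged), and an MIT on a credential that was never authenticated has no basis at all, which is why the first charge in a subscription must go through 3DS2.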

How do recurring subscriptions handle SCA?

The first charge goes through a 3DS2 challenge to authenticate the customer and establish the stored credential, with the card saved for off-session use. Subsequent charges are submitted off-session as merchant-initiated transactions, which fall outside SCA and don't require re-authentication; the amount may vary if the customer's agreement allows it, since the fixed-amount condition belongs to the separate recurring-transaction exemption, not to MITs. If the issuer nonetheless declines a recurring charge with 'authentication required', retrying it off-session will fail again; the customer has to be brought back on-session to re-authenticate.
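The recurring-billing flow described here and in the subscription example above is a small state machine: authenticate the first charge on-session, store the credential, charge later invoices off-session as MITs, and treat an 'authentication required' soft decline as a signal to bring the customer back rather than as a retryable failure. The block below is an added example of that flow, not AMW's or any provider's code. `FakeGateway` is a constructed stand-in for the gateway and issuer so the example runs offline; its status strings (`requires_action`, `declined` with `authentication_required`) mimic the shape PaymentIntent-style gateways use, but every class, method and field name here is an assumption, not a real API.

```python
"""Recurring-billing SCA flow with soft-decline handling.

Added example, not AMW's or any gateway's code. FakeGateway is a constructed
stand-in for the gateway/issuer pair: it challenges the first on-session charge
and soft-declines any merchant-initiated charge the issuer wants re-authenticated.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Set


class InvoiceState(Enum):
    PAID = "paid"
    AWAITING_CUSTOMER_AUTH = "awaiting_customer_authentication"
    FAILED = "failed"


@dataclass
class Charge:
    status: str                         # "succeeded" | "requires_action" | "declined"
    decline_code: Optional[str] = None  # "authentication_required" is the SCA soft decline
    mandate_id: Optional[str] = None    # stored-credential reference, set once SCA succeeded


class FakeGateway:
    """Constructed gateway + issuer. `issuer_reauth_on` lists amounts the issuer
    refuses as MITs and wants authenticated by the cardholder."""

    def __init__(self, issuer_challenges_first: bool = True,
                 issuer_reauth_on: Optional[Set[int]] = None):
        self.issuer_challenges_first = issuer_challenges_first
        self.issuer_reauth_on = issuer_reauth_on or set()
        self._mandates: Dict[str, bool] = {}    # credentials whose setup was authenticated
        self.attempts: List[str] = []           # audit trail of what was sent to the issuer

    def charge_on_session(self, amount_cents: int, setup_future_usage: bool) -> Charge:
        self.attempts.append(f"cit:{amount_cents}")
        if self.issuer_challenges_first:
            return Charge(status="requires_action")   # run the 3DS2 challenge
        return self._succeed(setup_future_usage)

    def complete_challenge(self, setup_future_usage: bool) -> Charge:
        """Cardholder approved in the banking app or entered the one-time code."""
        self.attempts.append("3ds2:completed")
        return self._succeed(setup_future_usage)

    def charge_off_session(self, mandate_id: str, amount_cents: int) -> Charge:
        self.attempts.append(f"mit:{amount_cents}")
        if mandate_id not in self._mandates or amount_cents in self.issuer_reauth_on:
            return Charge(status="declined", decline_code="authentication_required")
        return Charge(status="succeeded", mandate_id=mandate_id)

    def _succeed(self, setup_future_usage: bool) -> Charge:
        mandate = None
        if setup_future_usage:                      # SCA done: credential may be stored for MITs
            mandate = f"mandate_{len(self._mandates) + 1}"
            self._mandates[mandate] = True
        return Charge(status="succeeded", mandate_id=mandate)


def first_charge(gw: FakeGateway, amount_cents: int) -> str:
    """On-session charge: complete the challenge if asked, return the stored credential."""
    res = gw.charge_on_session(amount_cents, setup_future_usage=True)
    if res.status == "requires_action":
        res = gw.complete_challenge(setup_future_usage=True)
    if res.status != "succeeded" or res.mandate_id is None:
        raise RuntimeError("initial charge was not authenticated; nothing to store")
    return res.mandate_id


def charge_recurring_invoice(gw: FakeGateway, mandate_id: str, amount_cents: int) -> InvoiceState:
    """Off-session MIT. A soft decline is parked for customer re-authentication,
    never retried blindly: the same off-session request would be declined again."""
    res = gw.charge_off_session(mandate_id, amount_cents)
    if res.status == "succeeded":
        return InvoiceState.PAID
    if res.decline_code == "authentication_required":
        return InvoiceState.AWAITING_CUSTOMER_AUTH
    return InvoiceState.FAILED


def run_subscription(gw: FakeGateway, monthly_amounts: List[int]) -> List[InvoiceState]:
    """SCA on the first charge, MITs afterwards, on-session re-auth on soft decline."""
    mandate = first_charge(gw, monthly_amounts[0])
    states = [InvoiceState.PAID]
    for amount in monthly_amounts[1:]:
        state = charge_recurring_invoice(gw, mandate, amount)
        if state is InvoiceState.AWAITING_CUSTOMER_AUTH:
            # Customer returns via the re-authentication link: this charge is now
            # customer-initiated, goes through 3DS2 and yields a fresh credential.
            mandate = first_charge(gw, amount)
            state = InvoiceState.PAID
        states.append(state)
    return states
```

The audit trail shows the important property: when the issuer refuses the €49 upgrade as an MIT, the code does not resubmit `mit:4900`; it records one `cit:4900` plus a completed challenge, and the following month's MIT runs against the new credential.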

What is 3D Secure 2 and how does it relate to SCA?

3D Secure 2 (3DS2) is EMVCo's protocol through which card issuers perform SCA on remote card payments. The merchant or gateway sends transaction and device data to the issuer, which either approves in a frictionless flow or challenges the customer in its banking app, with a biometric or a one-time code. SCA is the regulation; 3DS2 is the usual implementation for card payments (tokenized wallets such as Apple Pay can satisfy SCA with the device's own biometric instead).

What happens if my gateway doesn't support 3DS2?

Transactions on EEA-issued cards that the issuer decides need authentication will be soft-declined with an 'authentication required' code, and your EU decline rate can climb into the 30-40% range. The fix is to upgrade your integration to a 3DS2-capable payment intent flow with your existing gateway and, for saved cards, to mark them for off-session use when they are first authenticated so later charges can be submitted as merchant-initiated transactions.

Does PSD2 apply to ACH or bank transfers?

PSD2 applies to payment services in the EEA, including SEPA credit transfers and direct debits, but SCA attaches to the payer's own action. An online credit transfer is authenticated by the customer's bank when the customer initiates it; a SEPA direct debit is payee-initiated, so the debit itself is not subject to SCA. US ACH is outside PSD2 entirely. None of this is handled by your checkout; bank-transfer authentication happens in the customer's banking app.

How does AMW Commerce handle SCA on recurring billing?

AMW Commerce routes the initial payment through 3DS2 to authenticate the customer and establish the stored credential, then charges subsequent recurring invoices off-session as merchant-initiated transactions. Recurring charges that fail because the credential has expired or the issuer demands authentication are retried through a re-authentication flow sent to the customer.
