PSD2 and SCA: What Merchants Need to Know in 2025
Strong Customer Authentication affects European payments. Here's the practical guide for merchants.
What is SCA?
Strong Customer Authentication (SCA) is a European regulatory requirement under PSD2. It requires two-factor authentication for most electronic payments in the EEA and UK.
The Two Factors
Authentication must use two of:
- Knowledge: Something you know (PIN, password)
- Possession: Something you have (phone, card)
- Inherence: Something you are (biometrics)
When SCA Applies
- Customer-initiated online payments
- Both the cardholder's bank and the merchant's acquirer are in Europe
- Above certain amount thresholds (the limits vary; see the exemptions below)
Exemptions That Help
Low Value Transactions
Under €30 (with cumulative limits). Good for low-ticket items.
Trusted Beneficiaries
Customers can whitelist merchants. Useful for subscriptions.
Transaction Risk Analysis (TRA)
Low-risk transactions can skip SCA. Your PSP or acquirer applies this exemption based on its own fraud rates.
Recurring Payments
SCA is required for the first payment; subsequent fixed-amount recurring payments are exempt.
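The exemption rules above are easier to reason about as a decision function. The following is an added example, not code from the original article or from any PSP: it models how a rules engine might evaluate scope and the four exemptions for one payment. The cumulative caps for the low-value exemption (EUR 100 or five transactions since the last SCA) come from Article 16 of the RTS on SCA; the data-class names, field names and the "accrue counters on every non-SCA payment" simplification are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Per-transaction cap the article cites, plus the RTS Article 16 cumulative caps.
LOW_VALUE_LIMIT = Decimal("30.00")
LOW_VALUE_CUMULATIVE_AMOUNT = Decimal("100.00")
LOW_VALUE_CUMULATIVE_COUNT = 5
EUROPE = {"EEA", "UK"}


@dataclass
class CardState:
    """Issuer-side counters since the last successful SCA (assumed shape)."""
    spent_since_sca: Decimal = Decimal("0")
    count_since_sca: int = 0
    trusted_merchants: set = field(default_factory=set)  # trusted-beneficiary whitelist


@dataclass
class Payment:
    """One payment as seen by the rules engine (assumed shape)."""
    amount: Decimal
    merchant_id: str
    issuer_region: str          # region of the cardholder's bank
    acquirer_region: str        # region of the merchant's acquirer
    customer_initiated: bool = True
    recurring_subsequent: bool = False  # a follow-on charge of a recurring series
    fixed_amount: bool = False          # the series charges the same amount each time
    psp_tra_low_risk: bool = False      # result of the PSP's transaction risk analysis


def sca_decision(p: Payment, card: CardState) -> str:
    """Return 'out_of_scope', 'sca_required' or 'exempt:<name>'."""
    # SCA only applies when both legs are in Europe and the customer initiated it.
    if p.issuer_region not in EUROPE or p.acquirer_region not in EUROPE:
        return "out_of_scope"
    if not p.customer_initiated:
        return "out_of_scope"
    # Recurring: the first payment needs SCA, later fixed-amount charges are exempt.
    if p.recurring_subsequent and p.fixed_amount:
        return "exempt:recurring"
    # Trusted beneficiary: the cardholder whitelisted this merchant at their bank.
    if p.merchant_id in card.trusted_merchants:
        return "exempt:trusted_beneficiary"
    # Low value: under EUR 30 and within the cumulative caps since the last SCA.
    if (p.amount <= LOW_VALUE_LIMIT
            and card.spent_since_sca + p.amount <= LOW_VALUE_CUMULATIVE_AMOUNT
            and card.count_since_sca < LOW_VALUE_CUMULATIVE_COUNT):
        return "exempt:low_value"
    # TRA: the PSP's risk analysis flagged the transaction as low risk.
    if p.psp_tra_low_risk:
        return "exempt:tra"
    return "sca_required"


def record_outcome(card: CardState, p: Payment, decision: str) -> None:
    """An SCA resets the cumulative counters; any exempted payment accrues to them."""
    if decision == "sca_required":
        card.spent_since_sca = Decimal("0")
        card.count_since_sca = 0
    elif decision.startswith("exempt:"):
        card.spent_since_sca += p.amount
        card.count_since_sca += 1
```

The ordering matters: a payment that qualifies for several exemptions gets the one that costs the merchant nothing at the issuer first (recurring, trusted beneficiary), while TRA comes last because its availability depends on the PSP's fraud-rate band rather than on the payment itself.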
Impact on Conversion
SCA adds friction. Customers must complete 3DS2 authentication. Some will drop off. Optimization strategies:
- Use exemptions where possible
- Optimize 3DS2 flow for mobile
- Work with PSPs that have a good exemption engine
- Monitor decline rates and adjust strategy
Technical Implementation
3DS2 is the primary SCA implementation method. Your PSP handles most of the complexity, but you need to:
- Pass required data fields for risk assessment
- Implement challenge flow in your checkout
- Handle authentication failures gracefully
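The three merchant-side tasks just listed are shown together in the following added example; it is not code from the article or from any PSP's SDK. It validates that the risk-assessment fields are present before the PSP call, routes a challenge to the client instead of skipping it, and degrades gracefully on failure. The request and response shapes (the field names, the `status` values `frictionless`, `challenge`, `soft_decline` and `failed`, and the `challenge_url` key) are assumptions standing in for a real PSP's API; the single retry on a soft decline reflects the common scheme behaviour where an issuer refuses a requested exemption and asks for authentication instead.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Assumed subset of the 3DS2 data elements a PSP needs for issuer risk assessment.
REQUIRED_RISK_FIELDS = (
    "card_token", "amount", "currency", "billing_address", "email",
    "browser_user_agent", "browser_accept_header", "device_channel",
)

USER_FACING_FAILURE = ("Authentication was not completed. Please try again "
                       "or use another payment method.")


@dataclass
class CheckoutResult:
    action: str        # 'authorize', 'present_challenge', 'retry_with_sca', 'show_error'
    detail: str = ""   # authentication value, challenge URL, or user-facing message


def build_3ds_request(checkout: dict, exemption: Optional[str]) -> dict:
    """Refuse to call the PSP with incomplete risk data; missing fields push more
    transactions into the challenge flow or get the exemption refused outright."""
    missing = [f for f in REQUIRED_RISK_FIELDS if not checkout.get(f)]
    if missing:
        raise ValueError(f"missing 3DS2 risk fields: {missing}")
    req = {f: checkout[f] for f in REQUIRED_RISK_FIELDS}
    if exemption:
        req["exemption"] = exemption            # e.g. 'low_value', 'tra' (assumed names)
        req["challenge_preference"] = "no_challenge_requested"
    else:
        req["challenge_preference"] = "no_preference"
    return req


def handle_3ds_response(resp: dict, already_retried: bool) -> CheckoutResult:
    """Map the PSP's authentication outcome to the next checkout action."""
    status = resp.get("status")
    if status == "frictionless":
        # Issuer authenticated without user interaction: proceed to authorization.
        return CheckoutResult("authorize", resp.get("authentication_value", ""))
    if status == "challenge":
        # The client must render the issuer's challenge; never continue without it.
        return CheckoutResult("present_challenge", resp["challenge_url"])
    if status == "soft_decline" and not already_retried:
        # Issuer refused the exemption: retry once, this time requesting SCA.
        return CheckoutResult("retry_with_sca")
    if status in ("failed", "soft_decline"):
        # Graceful failure: a plain message, no issuer reason codes or card data exposed.
        return CheckoutResult("show_error", USER_FACING_FAILURE)
    return CheckoutResult("show_error", "Unexpected response from payment provider.")


def process_checkout(checkout: dict, psp_call: Callable[[dict], dict],
                     exemption: Optional[str]) -> CheckoutResult:
    """Run the authentication step, retrying without the exemption if it is soft-declined."""
    result = handle_3ds_response(psp_call(build_3ds_request(checkout, exemption)),
                                 already_retried=False)
    if result.action == "retry_with_sca":
        result = handle_3ds_response(psp_call(build_3ds_request(checkout, None)),
                                     already_retried=True)
    return result
```

`psp_call` is injected so the flow can be exercised against a stub during development; the retry is bounded to one attempt so a misconfigured exemption cannot loop against the issuer, and the decline branch deliberately returns a fixed message rather than echoing whatever the PSP sent back.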
Key Takeaways
- SCA is mandatory for most European card payments
- Exemptions can reduce friction significantly
- Work with PSPs that have good exemption engines
- Monitor impact on conversion rates
- Recurring billing has favorable treatment
Need help finding the right PSP?
We help merchants in complex verticals find payment providers that fit.
Talk to Us