What is Strong Customer Authentication (SCA) under PSD2?
Strong Customer Authentication (SCA) is a strict European regulatory mandate enacted under the Revised Payment Services Directive (PSD2) to reduce payment fraud and secure digital transactions. It requires enterprise merchants to authenticate online payments using multi-factor authentication, fundamentally altering how cross-border and domestic European payments are processed by shifting the verification burden to the issuing bank.
How SCA Mandates Multi-Factor Authentication
Prior to PSD2, online payments could often be completed with just a credit card number and a CVV. Under the SCA mandate, if both the cardholder's issuing bank and the merchant's acquiring bank are located within the European Economic Area (EEA)—known as a "two-leg in" transaction—the payment must be verified using at least two of the following three independent elements:
Knowledge: Something only the user knows (e.g., a password, a PIN, or a secret fact).
Possession: Something only the user possesses (e.g., a mobile phone, a hardware token, or a smart card).
Inherence: Something the user is (e.g., a fingerprint, facial recognition, or behavioral biometrics).
To facilitate this complex authentication without destroying the digital checkout experience, the payments industry adopted the 3D Secure 2.0 (3DS2) protocol. Unlike the highly disruptive pop-ups of legacy 3DS1, 3DS2 allows the merchant's payment orchestration layer to silently transmit over 100 rich data points (like device ID and IP topology) directly to the issuing bank. If the issuer deems the transaction low-risk based on this background data, they grant a "frictionless flow" approval. If they require more proof, they trigger a "step-up challenge," typically prompting the user to authenticate via their mobile banking app.
Strategic Exemption Management for Enterprises
Subjecting every single corporate buyer or SaaS subscriber to a step-up challenge causes massive cart abandonment and severely damages authorization rates. The strategic core of SCA compliance lies not in authenticating every transaction, but in intelligently applying SCA Exemptions to bypass the friction entirely.
Key exemptions utilized by enterprise risk teams include:
Transaction Risk Analysis (TRA): If the merchant utilizes advanced fraud detection and the acquiring bank maintains a very low overall fraud rate, transactions up to €500 can be entirely exempted from SCA.
Merchant-Initiated Transactions (MIT): Crucial for B2B SaaS and subscription models. While the initial card-on-file setup requires SCA, subsequent recurring billing charges initiated by the merchant do not require the customer to be present or to authenticate.
Low-Value Transactions (LVT): Purchases under €30 are exempt, provided the cardholder hasn't exceeded five consecutive low-value transactions or a cumulative total of €100 since their last authentication.
Secure Corporate Payments: Transactions made with secure B2B virtual cards or lodged corporate travel cards are generally exempt from SCA protocols.
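As an added illustration (not Hellgate's code or an official PSD2 reference implementation), the following shows how a payment orchestration layer might pick which exemption to request for a card payment, using the two-leg-in scope rule and the LVT, TRA and MIT thresholds quoted above. The EEA country subset, the field names, and the reading that the five-transaction and €100 limits count previous low-value payments since the last SCA are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Illustrative subset of EEA country codes; a real deployment keeps the full list.
EEA = {"AT", "BE", "DE", "ES", "FR", "IE", "IT", "NL", "NO", "PL", "SE"}

LVT_MAX_AMOUNT = 30.00       # low-value ceiling per transaction
LVT_MAX_COUNT = 5            # consecutive LVT exemptions allowed since last SCA
LVT_MAX_CUMULATIVE = 100.00  # cumulative LVT spend allowed since last SCA
TRA_MAX_AMOUNT = 500.00      # TRA ceiling quoted in the text above

@dataclass
class CardState:
    """Per-card counters of low-value exemptions granted since the last SCA."""
    lvt_count_since_sca: int = 0
    lvt_sum_since_sca: float = 0.0

@dataclass
class Payment:
    amount: float
    issuer_country: str
    acquirer_country: str
    merchant_initiated: bool = False       # MIT: customer not present
    credential_sca_on_setup: bool = False  # card-on-file was set up with SCA
    acquirer_low_fraud: bool = False       # acquirer's fraud rate qualifies for TRA
    tra_low_risk: bool = False             # merchant fraud screening verdict

def select_exemption(p: Payment, state: CardState) -> Optional[str]:
    """Return the exemption to request, or None when SCA must be performed."""
    if p.issuer_country not in EEA or p.acquirer_country not in EEA:
        return "OLO"                       # one-leg-out: PSD2 mandate does not apply
    if p.merchant_initiated:               # MIT only if the credential was SCA'd at setup
        return "MIT" if p.credential_sca_on_setup else None
    if (p.amount <= LVT_MAX_AMOUNT
            and state.lvt_count_since_sca < LVT_MAX_COUNT
            and state.lvt_sum_since_sca <= LVT_MAX_CUMULATIVE):
        return "LVT"
    if p.amount <= TRA_MAX_AMOUNT and p.acquirer_low_fraud and p.tra_low_risk:
        return "TRA"
    return None                            # no exemption applies: SCA required

def record_outcome(state: CardState, exemption: Optional[str], amount: float) -> CardState:
    """Advance the LVT counters after the payment; a completed SCA resets them."""
    if exemption == "LVT":
        state.lvt_count_since_sca += 1
        state.lvt_sum_since_sca += amount
    elif exemption is None:
        state.lvt_count_since_sca, state.lvt_sum_since_sca = 0, 0.0
    return state
```

The issuer, not the merchant, is the authority on these counters, so a mirrored state like this only predicts whether an exemption request is worth sending; a soft decline still has to be handled by stepping up to a 3DS2 challenge.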
Automating PSD2 Compliance with Hellgate
Navigating the fragmented implementation of PSD2 across dozens of European jurisdictions and varying issuing banks requires agile, dynamic payment infrastructure. The Hellgate Composable Payment Architecture (CPA) completely automates SCA compliance and exemption routing, ensuring your enterprise maximizes conversion rates across the EEA.
Enterprise engineering teams leverage the Hellgate Hub as their central orchestration fabric. Natively embedded within this flow engine is a dynamic 3DS2 exemption engine.
When a European transaction is initiated, the Specter fraud intelligence layer instantly evaluates the payload. If Specter determines the transaction is low-risk, the Hub automatically flags the payment with a TRA exemption request. The Link PSP abstraction layer then dynamically routes the transaction to the specific acquiring bank with the highest historical probability of honoring that exact exemption, effectively forcing a frictionless checkout.
For subscription models, the Guardian tokenization vault securely stores the initial SCA-authenticated payment credential as an agnostic network token. Guardian ensures that all subsequent recurring payments are properly flagged as MITs (Merchant-Initiated Transactions), so your SaaS revenue flows without triggering involuntary churn or unnecessary step-up challenges.
Frequently Asked Questions (FAQ)
Does SCA apply if my business is in the US, but the customer is in Europe? Generally, no. This is considered a "One-Leg Out" (OLO) transaction. Because your acquiring bank is outside the EEA, the strict legal mandate of PSD2 does not apply. However, some European issuing banks may still voluntarily decline the transaction if they deem the lack of 3DS2 highly suspicious.
What happens if I request an SCA exemption and the issuer rejects it? This is known as a "soft decline." A modern orchestration platform like Hellgate instantly catches the soft decline and automatically retries the transaction in milliseconds, this time stepping the user up to a 3DS2 challenge to successfully secure the funds.
How does SCA impact chargeback liability? If a merchant successfully processes a transaction through 3D Secure 2.0 (even if it follows the frictionless flow) and the transaction is later disputed as fraudulent, the liability structurally shifts from the merchant to the issuing bank. You do not pay the chargeback.
Ready to master SCA exemptions and maximize your European authorization rates? Explore the Hellgate Developer Docs to learn how to architect intelligent 3DS2 routing logic, or get in touch with our team to deploy the Composable Payment Architecture.