IN THIS LESSON
Strong Customer Authentication (SCA) is a key part of how secure card payments work online and in some in-person environments.
Introduced as part of the PSD2 regulations, SCA is designed to make fraud harder — but for businesses, it can also lead to confusion, failed payments, or customer friction if not implemented properly.
In this article, we break down what SCA is, when it's required, how it works in the UK, and how you can make sure your business stays compliant without losing sales.
-
SCA is a European and UK regulation that requires customers to complete additional verification steps during certain types of payment, especially online card payments. It’s part of the Payment Services Directive 2 (PSD2) — designed to reduce card fraud.
To pass SCA, a transaction must include at least two of the following three:
Something the customer knows (e.g. password or PIN)
Something the customer has (e.g. smartphone, card reader)
Something the customer is (e.g. fingerprint, facial recognition)
📌 This is sometimes referred to as 2-factor authentication for payments.
-
SCA mainly applies to card-not-present (CNP) transactions in the UK and Europe — especially ecommerce payments.
✅ SCA is usually required for:
Online payments made with debit or credit cards
Bank transfers initiated through online banking
Some high-value contactless card payments
❌ SCA may not apply to:
Mail Order / Telephone Order (MOTO) payments
Recurring subscription payments (after the first payment)
Transactions processed under SCA exemptions
-
Here's what happens when a customer makes an online card payment:
1. Customer enters their card details at checkout
2. The payment is routed through 3D Secure 2.0 (a protocol used by Visa/Mastercard)
3. The bank checks if SCA is required
4. If required, the customer is asked to verify the transaction:
   - Through a mobile app (push notification or passcode)
   - Using biometrics (fingerprint, face scan)
   - By entering a one-time passcode (OTP) sent by SMS
5. Once approved, the transaction is authorised and completed.
-
There are legitimate reasons a transaction might be exempt from SCA:
💷 Low-value transactions under £30
🔁 Recurring transactions (after the initial payment)
🛍️ Trusted merchant exemptions (customer whitelists your site)
📊 Low-risk transactions (based on fraud scoring from your provider)
📌 Note: Exemptions aren’t guaranteed. The issuing bank can still request SCA if they feel the transaction is suspicious.
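The two-of-three rule and the exemption list above can be modelled in a few lines. This is an added example, not code from a payment provider or the 3D Secure specification: the factor names, the `Payment` fields and the `issuer_requests_sca` flag are assumptions made for illustration, and the model is a simplification of what a gateway and issuer actually do.

```python
from dataclasses import dataclass

# Factor categories from the "two of three" rule; the factor names are constructed.
CATEGORY = {
    "password": "knowledge", "pin": "knowledge",
    "phone_app": "possession", "sms_otp": "possession", "card_reader": "possession",
    "fingerprint": "inherence", "face": "inherence",
}

@dataclass
class Payment:
    amount_gbp: float
    channel: str = "ecommerce"        # "ecommerce" or "moto"
    recurring_followup: bool = False  # recurring payment after the first one
    trusted_merchant: bool = False    # customer has whitelisted the merchant
    low_risk: bool = False            # provider's fraud score says low risk

def satisfies_sca(factors):
    """True only if the factors span at least two distinct categories."""
    unknown = [f for f in factors if f not in CATEGORY]
    if unknown:
        raise ValueError(f"unknown factor(s): {unknown}")
    return len({CATEGORY[f] for f in factors}) >= 2

def exemption_candidates(p):
    """Reasons the lesson lists for skipping SCA; the issuer may still refuse them."""
    reasons = []
    if p.channel == "moto":
        reasons.append("moto")
    if p.amount_gbp < 30:
        reasons.append("low_value")
    if p.recurring_followup:
        reasons.append("recurring")
    if p.trusted_merchant:
        reasons.append("trusted_merchant")
    if p.low_risk:
        reasons.append("low_risk")
    return reasons

def decide(p, issuer_requests_sca, factors=()):
    """Return 'authorise' or 'decline' for one payment attempt."""
    if exemption_candidates(p) and not issuer_requests_sca:
        return "authorise"            # exemption accepted, no challenge shown
    # SCA required (no exemption, or the issuer overrode it): need two categories.
    return "authorise" if satisfies_sca(factors) else "decline"
```

Note that a password plus a PIN fails the check because both are knowledge factors, and that an exempt payment is still declined if the issuer asks for SCA and the customer cannot complete it.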
-
Transactions will fail or be declined
You may see an increase in abandoned carts or failed payments
You could be liable for fraud losses if a transaction is processed without SCA when it’s required
Your PCI DSS compliance may also be affected indirectly
How to Ensure SCA Compliance
To stay compliant and protect your business:
✅ Use a payment gateway that supports 3D Secure 2.0
✅ Check that your ecommerce platform has integrated SCA support
✅ Work with providers who apply SCA exemptions correctly
✅ Clearly communicate what’s happening to customers at checkout
✅ Test your checkout flow to reduce friction
Final Thoughts
SCA isn’t optional — and it’s here to stay. But when implemented correctly, it improves security, protects against fraud, and reassures customers that their payment is safe.
Make sure your checkout process supports SCA and 3D Secure 2.0 — and talk to your provider if you’re seeing failed transactions or increased drop-offs.