Strong Customer Authentication (SCA)

SCA is a European rule requiring two-factor authentication on many online payments to prove the payer is who they claim to be.

Strong Customer Authentication (SCA) is a European regulatory requirement that many online and contactless card payments be verified with two independent factors before they can be approved. It's the enforcement mechanism behind PSD2, and in practice it's what triggers a 3D Secure challenge — a passcode, a banking-app tap, or a biometric prompt — mid-checkout.

The two-factor rule

SCA requires authentication using at least two of three categories:

  • Knowledge — something the customer knows, like a password or PIN.
  • Possession — something they have, like a phone or hardware token.
  • Inherence — something they are, like a fingerprint or face scan.

Combining two factors from different categories makes a stolen password alone useless. When a payment needs SCA, the customer's bank (the issuer) runs the challenge and decides whether to approve.

Exemptions

Not every payment triggers a challenge. Common exemptions include low-value transactions (under €30, with cumulative limits of five payments or €100 before authentication is forced), transaction risk analysis for low-fraud merchants, recurring fixed-amount charges, and trusted-beneficiary lists. Merchant-initiated transactions — like a subscription renewal charged in the background — are typically out of scope once the customer has authenticated the initial setup. The issuer always has the final say on whether an exemption is honored.

Why it matters

A payment that needs SCA but doesn't get it is usually declined. For subscription businesses, the practical takeaway is to authenticate the card at signup so future renewals qualify as merchant-initiated and don't interrupt the customer. Watching for the resulting declined payments helps you catch authentication failures before they turn into lost revenue.

Related terms

Updated July 6, 2026