Effective: March 2021

What is Strong Customer Authentication?

In short, SCA is a requirement introduced by PSD2, a piece of European-wide legislation.

In practice, SCA means two-factor authentication will now be required for online purchases. That means when your customer purchases something from your business over the internet, they need to offer two further pieces of identifying information on top of their payment details. These can be any of the following:

  • Something only your customer knows, such as a password
  • Something only your customer possesses, such as their mobile phone (which can receive a single-use code)
  • Something only your customer is, which could be something like a fingerprint

Where does Strong Customer Authentication apply?

SCA will impact any applicable transaction where both the business’ payment service provider and the end-customer’s bank are located within the European Economic Area (EEA). If one of these is outside Europe, the requirement is for the payment service provider in Europe to use ‘best efforts’ to apply SCA.

If you trade within the EEA then this will apply to your business when taking online payments.

How does Strong Customer Authentication affect me?

SCA will be applied by the customer’s bank but is likely to be facilitated by a card processor. However, it’s necessary that you as a merchant have a payment flow which allows for this. Your payment service provider will likely be on top of this, but it’s worth reading any materials they’ve published on the topic to understand their approach and how it affects your payment processing.

NB: Your REC+ website does not require any special updates; this affects payment processors, who will need to make changes to their systems to comply with this directive.

Will Strong Customer Authentication lower my conversion rates?

This is a concern for many businesses, and it is certainly possible that SCA may complicate the checkout experience in your customers’ eyes, leading to a conversion drop-off. However, SCA has a number of built-in exemptions where two-factor authentication may not be required, for example:

  • Payments assessed as being low risk, according to a set of defined criteria
  • Payments below €30
  • Subscriptions of a fixed amount
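
The following is an added example, not code from REC+ or any payment provider, showing how a merchant-side payment flow might predict whether a two-factor challenge should be expected. It assumes the three exemptions listed above as simplified inputs (the low-risk assessment is taken as a flag supplied by the provider), and adds one refinement the page does not spell out: the first payment of a subscription is not covered by the recurring-payment exemption. It also encodes the point that two elements only count as two factors when they come from two different categories.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Factor(Enum):
    """The three categories of SCA element described above."""
    KNOWLEDGE = "knowledge"    # something only the customer knows (e.g. a password)
    POSSESSION = "possession"  # something only the customer has (e.g. a phone receiving a code)
    INHERENCE = "inherence"    # something only the customer is (e.g. a fingerprint)


def satisfies_two_factor(presented: List[Factor]) -> bool:
    """Two elements only count as two factors when they come from two
    different categories: a password plus a second password is still one."""
    return len(set(presented)) >= 2


@dataclass
class Payment:
    amount_eur: float
    fixed_amount_subscription: bool = False
    first_in_series: bool = True      # assumed field: first payment of a series is not exempt
    assessed_low_risk: bool = False   # assumed field: outcome of the provider's risk criteria


def exemption_reason(p: Payment) -> Optional[str]:
    """Name the exemption the merchant's provider may request, or None when a
    two-factor challenge must be expected. The customer's bank still decides."""
    if p.amount_eur < 30:
        return "low-value"
    if p.fixed_amount_subscription and not p.first_in_series:
        return "fixed-amount subscription"
    if p.assessed_low_risk:
        return "low-risk"
    return None


def checkout_outcome(p: Payment, presented: List[Factor]) -> str:
    """Decide what the merchant's payment flow should expect for this purchase."""
    reason = exemption_reason(p)
    if reason is not None:
        return f"exempt ({reason})"
    if satisfies_two_factor(presented):
        return "authenticated"
    return "challenge required"
```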
For the most up-to-date information please read our latest blog post.