Definition
Strong Customer Authentication
Strong Customer Authentication (SCA) is a payment security requirement that asks customers to verify certain online payments with stronger identity checks. It is closely associated with PSD2 in Europe and with authentication flows such as 3D Secure.
For online businesses, SCA matters because it can reduce fraud while adding an extra step during checkout. A buyer may need to approve a payment in a banking app, enter a one-time code, use biometrics, or complete another challenge before the transaction is authorized.
The business goal is to keep payments secure without creating unnecessary checkout friction.
Key Takeaways
- Strong Customer Authentication requires stronger verification for certain electronic payments.
- SCA commonly uses two or more factors: something the customer knows, has, or is.
- It can affect checkout conversion, authorization rates, fraud, disputes, and customer trust.
- Exemptions and payment-provider handling can reduce friction when available.
- Businesses should monitor failed authentication, abandoned checkout, and payment approval rates.
How Strong Customer Authentication Works
SCA generally requires at least two independent authentication factors:
- Knowledge: something the customer knows, such as a password or PIN.
- Possession: something the customer has, such as a phone or banking app.
- Inherence: something the customer is, such as a fingerprint or facial scan.
During payment, the customer may be asked to complete a challenge. The issuing bank or payment provider usually controls the exact authentication step.
SCA is often handled through payment systems and protocols such as 3D Secure 2. The merchant may not build the authentication flow directly, but the merchant still feels the impact in checkout completion and payment success.
SCA and Checkout Conversion
SCA can add friction because it interrupts the payment flow. Some customers may not have their phone nearby, may fail the banking app challenge, or may not understand why the extra step appeared.
That friction can affect conversion rate and checkout optimization. Businesses should monitor whether authentication challenges lead to abandoned checkout or failed payments.
Clear checkout design helps. The page should preserve the order state if the customer leaves for bank authentication and returns. Error messages should tell the buyer what to do next.
SCA and Payment Risk
SCA exists to reduce unauthorized payments and card fraud. Stronger authentication can help confirm that the person attempting payment is the legitimate cardholder.
This can reduce some fraud risk and may influence liability for certain transactions, depending on region, payment method, issuer, and payment provider.
SCA is not a complete fraud-prevention program. Businesses still need fraud monitoring, clear fulfillment records, support processes, and chargeback prevention practices.
SCA Exemptions
Some transactions may qualify for exemptions, depending on region and payment-provider rules. Examples may include low-value transactions, trusted beneficiaries, merchant-initiated recurring payments, or transactions assessed as low risk.
The payment provider and issuing bank often decide whether an exemption applies. A merchant can configure payment systems to request exemptions where appropriate, but approval is not guaranteed.
For subscriptions, the first payment may require authentication, while later merchant-initiated renewals may be handled differently. Businesses should confirm how their payment provider manages recurring payments.
SCA and Subscriptions
Subscriptions create special SCA considerations. The initial checkout may need customer authentication. Later renewals may happen without the customer actively checking out again.
If the initial setup is unclear or authentication fails, the customer may not start the subscription. If renewal payments fail later, the business needs payment recovery workflows.
A usable customer portal can help customers update payment methods, retry payments, and manage billing without support intervention.
What Businesses Should Monitor
Track authentication challenge rate, authentication failure rate, authorization rate, checkout abandonment, failed payment recovery, dispute rate, and payment-method mix.
Segment by region and payment method. SCA impact may be much higher for customers in certain markets or with certain issuing banks.
If SCA failures are high, review payment-provider settings, checkout messaging, retry flows, and customer support scripts.
Frequently Asked Questions
Is SCA required everywhere?
No. SCA is most closely tied to European payment regulation. Requirements and enforcement depend on region, payment type, issuer, and provider.
Does SCA always add a checkout step?
No. Some transactions may be exempt or handled with low-friction authentication. Others may require a customer challenge.
Can SCA cause failed payments?
Yes. If the customer cannot complete authentication, the payment may fail or the checkout may be abandoned.