Skip to content
Magist
AnalyzeRegulationsVendorsCounselUpdatesCompareAbout
← All Controls

Strong Customer Authentication (SCA) for payments

strong-customer-authenticationDomain: paymentsType: mixed

Description

Strong Customer Authentication is the EU PSD2 and UK FCA requirement that electronic payments be authenticated using two independent factors drawn from knowledge, possession, and inherence (something the user knows, something the user has, something the user is). The components an operator runs are an authentication surface (3D Secure 2 for card-not-present, biometric or PIN for in-app payments, app-based passkey or hardware-token for higher-value flows), an exemption decision layer that decides per transaction whether SCA is required and which exemption is being claimed, and a fallback path for when an exemption fails or the issuer step-up-challenges back to two-factor. The headline rule is simple; the exemption regime is what production payment flows actually run on. Low-value transactions under €30 with cumulative caps; trusted-beneficiary lists the cardholder has explicitly whitelisted with their issuer; recurring transactions of a fixed amount with the first transaction SCA-authenticated; corporate-payment instruments under the dedicated B2B carve-out; and transaction-risk analysis at the acquirer level for low-fraud-rate transactions under tiered thresholds. TRA does most of the work in production: it lets the acquirer bypass SCA for transactions the acquirer's fraud rate stays below the supervisory threshold for, which is what makes large-merchant checkout flows feel frictionless to consumers. The regulatory frame is PSD2 Article 97 and the EBA RTS on SCA in the EU; in the UK the same shape sits in PSRs 2017 Regulation 100, the parallel RTS, and FCA Handbook SUP 17A operationalization. EMI issuers operating payment services apply the framework through EMD2 by reference to PSD2 Article 97. Failing SCA where it is required typically surfaces as transaction decline rather than as direct enforcement action, but persistent under-application attracts supervisory attention from the national competent authority, and a fraud-rate breach that triggers a TRA-exemption withdrawal can convert a low-friction checkout into a high-friction one overnight. Evidence formats that hold up include the SCA implementation specification keyed to the merchant integration, the exemption-rules configuration showing which exemption is claimed under which conditions, and the success-rate dashboards by exemption category that demonstrate the rules are being applied as designed.

Applicability

Applies when: markets include EU or UK.

How predicates are evaluated

Required by (3 regulations)

  • PSD2

    Article 97 — strong customer authentication.

    Directive (EU) 2015/2366

  • UK FCA Payments

    PSRs 2017 Regulation 100 + RTS on SCA; two-of-three independent authentication factors; exemptions for low-value/recurring/contactless under cumulative thresholds; FCA SUP 17A operationalization.

    Payment Services Regulations 2017 (SI 2017/752); Electronic Money Regulations 2011 (SI 2011/99); FCA Handbook

    Source →

  • EU EMD2

    PSD2 (Directive 2015/2366) Article 97 + RTS on SCA — pan-EU SCA framework that EMD2 issuers operating payment services must apply.

    Directive 2009/110/EC of the European Parliament and of the Council of 16 September 2009

    Source →

Fulfilled by (2)

  • stripe · full · low effort · $
    3DS2 + Radar handle SCA + exemption logic.
  • adyen · full · low effort · $$

Magist does not accept payment from vendors. Methodology.

Evidence formats

  • SCA implementation spec
  • exemption-rules configuration
  • success-rate dashboards

Magist provides legal information based on publicly available regulatory sources. It does not constitute legal advice and does not create an attorney-client relationship. Consult a licensed attorney in your jurisdiction before making compliance decisions.

Magist

Pre-launch regulatory analysis for product teams. Built by a lawyer, designed for PMs.

Tools

  • Analyze
  • Guided walkthrough
  • Vendors
  • Find counsel
  • Saved analyses

Reference

  • Scope by business model
  • Scope by jurisdiction
  • App ratings
  • Regulations
  • Compare regulations
  • Enforcement
  • Browse Controls
  • Vendor coverage
  • Radar
  • Pulse
  • Changelog
  • Guides
  • Regulatory updates
  • Open data
  • Corpus license
  • Ontology
  • State of Compliance

Solutions

  • For legal teams
  • For engineering
  • For executives
  • For law firms
  • For investors
  • For teams →

About

  • About Magist
  • Methodology
  • Editorial standards
  • Reviewers
  • Coverage status
  • Corrections
  • Trust
  • Coverage scope
  • How we handle data
  • Sub-processors
  • FAQ

Built by Neel Patel, a practicing in-house games attorney. Games touch more compliance domains at once than anything else in tech — Magist was designed around that.

Magist provides legal information based on publicly available regulatory sources. It does not constitute legal advice and does not create an attorney-client relationship. Consult a licensed attorney in your jurisdiction before making compliance decisions. Operated by a Washington-licensed attorney. Not licensed in California or other US states. Magist provides legal information; consult a licensed attorney in your jurisdiction.

Magist is an instrument, not a consultancy. It does not sell compliance services or take payment from vendors for placement; the analysis is the same for everyone. No vendor, sponsorship, or referral fees, ever.

MethodologyLimitationsDisclosures

© 2026 Magist
TermsLicensePrivacySecurityLinkedIn