Skip to main content

SCA Compliance

The PSD2 is the new European Payment Directive aimed at increasing security, protecting the end user, and promoting innovation. One of the main changes introduced is the mandatory application of Strong Customer Authentication (SCA) for transactions, particularly affecting those conducted online.

What is Strong Customer Authentication?

SCA involves reinforcing the authentication of transactions through a minimum of two factors, such as:

  • Something the user knows (password).
  • Something the user has (mobile device or card).
  • Something the user is (biometric data such as fingerprints, facial recognition, etc.).

Exemptions and Exceptions

The regulation includes a series of exemptions and exceptions that allow for avoiding authentication in specific cases.

Exemptions are situations where merchants can request that dual authentication not be applied due to meeting certain established conditions:

  • Low-value transactions.
    • When the transaction amount is less than or equal to €30.
    • When the total of several transactions without SCA is less than or equal to €100.
    • When the number of consecutive transactions under €30 is less than or equal to 5.
  • Transactions with low transaction risk analysis.
    • When the customer initiates an online electronic payment and the acquirer identifies it as low risk according to their control mechanisms.
  • Recurring transactions.
    • The customer authorizes the collection of periodic recurring transactions of the same amount to the same beneficiary. The first transaction must be authenticated, as well as any modification to the recurring payment.
  • Operations included in a Whitelist.
    • When the merchant has been included in a list of trusted beneficiaries created by the customer. Issuing entities are responsible for managing and maintaining the trust list for their holders. The addition, removal, or modification of the merchant in the trust list must be authenticated.

Regarding exceptions, these are operations that fall outside the scope of SCA and must be correctly identified to be treated as such. This includes:

  • “One-leg-out”, operations originating or directed to a country outside the EU.
  • Merchant Initiated Transactions (MIT), operations initiated by the merchant without the user's presence, but with their acceptance for future charges.
  • Mail Order/Telephone Order (MO/TO) transactions.
  • B2B transactions or those related to anonymous prepaid cards.