Strong Customer Authentication (SCA)

Strong Customer Authentication (SCA) is a new paymentClosed Exchange of money for goods and services in an acceptable amount to the customer where the payment amount has been agreed upon in advance. The customer can only pay with an accepted payment method. Each payment has an individual payment cost. requirement, introduced by the EU Revised Directive on Payment Services (PSD2), to make online payments more secure and to reduce fraud. SCA requires an additional proof of identity from your customers during the payment transaction, known as two-factor authentication (2FA). The authentication must use at least two of the following:

When Does SCA Apply?

SCA applies to online payments within the European Economic Area (EEA). There are exemptions to SCA when a transaction risk is low. In addition, some transaction types are out of the SCA scope.

In-Scope Transactions

SCA scope is defined by 3 factors:

Out-of-Scope Transactions

There are some out-of-scope transactions to SCA. The most relevant ones are:

  • Merchant-initiated transactions (MIT): A merchant-initiated transaction is a payment taken on an agreed upon date with the payer’s consent and is initiated by the merchant collecting the payment. If a transaction is merchant-initiated, both the fixed and the variable payments will be exempt from SCA.
  • Inter-regional transactions (one-leg-out transactions): A transaction where either the issuer or acquirer is located outside the EEA.
  • Anonymous cards: A transaction processed by using an anonymous card can only be identified by the issuing bank, not by the customer.


The following transactions are exempt from SCA:

  • Low value transaction: Transactions under €30 are exempt from SCA. If the total amount attempted on the card without strong authentication is higher than €100, or if five consecutive transactions have been conducted without SCA, then SCA is required.
  • Low risk transaction/transaction risk analysis (TRA): The ability for a payment to be considered low risk is based on the average fraud levels of the card issuer and of the acquirer processing the transaction:
    • 0.13% to exempt transactions below €100
    • 0.06% to exempt transactions below €250
    • 0.01% to exempt transactions below €500
  • Successfully renewed subscription or recurring transactions: Subscription or recurring transactions with a fixed amount are exempt from the second transaction onwards.
  • Note

    Subsequent payments for subscription or recurring transactions are subject to Strong Customer Authentication when one of the following factors applies:

    • the subscription billing interval is updated.
    • the payment information details are updated.
  • Trusted beneficiaries: Customers can assign businesses to an acceptlist of trusted beneficiaries. Acceptlisted merchants are exempt from SCA.
  • Secure corporate payments: When the transaction is initiated by a legal person, for example a business rather than a consumer, and it is processed through a secured dedicated payment protocol, the transaction is exempt from SCA.

How Is Cleverbridge Managing SCA?

As your ecommerce and payment partnerClosed A company that buys your products in bulk for a discounted price and resells them to their customers for a profit. In legal terms, a partner is a regular customer as there is no partnership agreement with Cleverbridge in place., Cleverbridge takes over responsibility for compliance with SCA requirements. We made some major changes to our platform and processes to ensure transactions are compliant:

  • We have implemented a Cardholder-Initiated Transactions (CIT)/Merchant-Initiated Transactions (MIT) framework so that recurring transactions are out-of-scope, and no SCA is required.
  • We are utilizing an up-to-date Bank Identification Number (BIN) database to identify the cards where the issuer is based outside the EEA, or anonymous cards where no SCA mandate is required.
  • We use preferred acquirers with low fraud rates to utilize TRA exemption for transactions below €100.
  • We will continue to track any changes in requirements for SCA exemptions to ensure that customers can still enjoy easy shopping experiences by applying these exemptions in the best way.

3D Secure

3D Secure is an authentication protocol for online credit and debit card transactions that complies with SCA standards. 3D Secure 2.0, the latest revision to 3D Secure, was specifically designed to reduce friction in the transaction process and to improve orderClosed An agreement between a seller and a buyer to exchange goods and/or services for money. An order can: - contain multiple products and quantities; - have multiple financial transactions. A preorder authorization is considered an order. conversion. Starting January 1, 2021, Cleverbridge will handle 3D Secure 2.0 authentication on hosted checkout pages for the European Economic Area (EEA).

SCA Flow (3D Secure)

The following scenario shows an SCA flow applied to credit card transactions. The required two-factor authentication is executed through possession of device and password verification. On the hosted checkout page, SCA is triggered through the following steps:

  1. Customer introduces credit card information and clicks Next.
  2. Customer reviews payment data and clicks Buy Now to complete the purchaseClosed An order made by a customer and the records associated with it.. The SCA page appears and starts the multi-device checkout process.

First Factor Authentication

  1. The customer's card issuer challenges the cardholder with an authentication request. The cardholder receives a push notification on the registered device.
  2. The cardholder opens the push notification and triggers the card issuer's application to open the authentication page.
  3. The cardholder reviews the transaction details and clicks Confirm or Decline. By clicking Confirm, the cardholder triggers the second factor authentication.


If the SCA flow is interrupted, the cardholder instantly receives a 3D-enrolled email from Cleverbridge. The email invites the cardholder to complete the authentication process and provides information about the product. In case the customer does not complete the authentication after receiving the first 3D-enrolled email, Cleverbridge sends a second email after 24 hours, and a third email after 72 hours.

Both SCA emails for one-time or initial transactions and recurring transactions contain additional information like the product name, renewal date and price.

If a customer enters a different delivery, billing or licensee contact during the checkout process, the delivery, billing, and licensee address will be displayed as well in the SCA emails for one-time or initial transactions and recurring transactions.

Second Factor Authentication

  1. The cardholder receives a message notification on the registered device and uses the received password to authorize the payment.
  2. The registered device accepts the password and verifies the transaction. SCA is complete.
  3. The customer sees the Cleverbridge confirmation pageClosed The confirmation page is displayed after a customer makes a purchase. The confirmation page contains the order confirmation and delivery information. in their browser.

Check out the video below to see the SCA flow for credit card payments.

The following flow charts show the SCA process for credit/debit card payments (3D Secure) in detail:

SCA for One-Time or Initial Transaction (3D Secure)

SCA for Recurring Transactions (3D Secure)


How will 3D Secure impact my checkout conversion?

We can’t foresee how it will affect the conversion because it is ultimately on the cardholder’s bank to decide whether or not to challenge a transaction. However, 3D Secure 2.0 introduces a better user experience that will help minimize some of the friction added to the checkout flow by authentication.

What happens with MITs when the original transaction was before December 31, 2020?

Cleverbridge will flag the transaction as merchant-initiated and will endeavor to "grandfather in" these subscriptions so that they don't require SCA when they come up for renewal on or after December 31, 2020. However, SCA is still required if the customer initiates a payment methodClosed Describes the actual payment method used by the customer to complete the purchase, for example, Visa, wire transfer, or SEPA Direct Debit. change for an active subscription.

With usage-based billing, is SCA required for each re-billing?

As long as the transaction is merchant-initiated and appropriately flagged as such, subsequent charges do not require SCA in most cases, even if the amount varies. Cleverbridge will take care of flagging subsequent re-billings as MIT.

For merchant-initiated transactions, what happens if the transaction amount changes for subsequent transactions? Do they need SCA?

As long as the transaction is merchant-initiated and appropriately flagged as such, subsequent transactions do not require SCA, no matter the amount change. Cleverbridge will take care of flagging subsequent re-billings as MIT.

How can customers acceptlist merchants? Can this process be part of the checkout process?

This process is not considered part of the checkout process. It is part of the app or online banking system provided by the issuing bank that allows you to acceptlist specific merchants.