Strong Customer Authentication (SCA) explained

Strong Customer Authentication (SCA) is a mandate introduced by the Payment Services Directive (PSD2) enacted by the European Commission, which requires electronic payments initiated by the buyer to be authenticated by at least two of the following three factors.

  • Something the cardholder knows (e.g., a password or PIN)
  • Something the cardholder has (e.g., a token, a mobile phone)
  • Something the cardholder is (e.g., a fingerprint or voice match)


1. To whom does SCA apply?

SCA applies to electronic transactions that occur within the European Economic Area (EEA). When you accept cards issued in the EEA, the SCA check must be performed to all in-scope transactions unless exempted by the legislation.


2. Transactions out of scope for SCA

The SCA check is not required for the following transactions:

  • Anonymous payment instrument transactions Transactions where anonymous payment instrument is used, for example, anonymous prepaid cards.
  • Mail Order/Telephone Order (MOTO) Transactions – Payments transacted over the phone or e-mail.
  • One-leg transaction – Transactions where only one of the payment service providers is located inside the EEA. Since TrustPay is located within EEA, the one leg transactions are the transactions submitted with a card issued outside EEA. PSD2 expects that SCA should be applied for the one-leg transactions on a best effort basis.
  • Merchant Initiated transactions (MIT) – transaction initiated by the merchant, for example, credit fund transfers or repeatable (recurring) transactions, direct debits.


3. E-commerce transactions exempted from SCA

Transaction category


Applied by

Low-value transactions

Electronic payments under €30—and:

  • The cumulative amount of previous electronic payment transactions since the last application of SCA does not exceed €100; or
  • The number of previous electronic payments since the last application of SCA does not exceed five consecutive individual transactions.


Trusted beneficiaries

Payers can assign merchants to a whitelist of trusted beneficiaries which is maintained by their bank. Whitelisted merchants are exempt from SCA.


Secure corporate payments

Electronic payments made through dedicated corporate processes initiated by businesses, for example, secure corporate cards.


Low-risk transactions

TrustPay is allowed to request an exemption based on the risk analysis when its fraud rates do not exceed the specified thresholds.



4. How is SCA applied to e-commerce transactions?

The Strong Customer Authentication requires that two independent factors need to be initiated (what cardholder knows, has, or is). The security protocol EMV 3-D Secure has been introduced as a tool fulfilling the SCA mandate.


5. What is EMV 3-D Secure?

3-D Secure (3DS) is a customer authentication security protocol, designed to reduce fraud rates and provide security to card-not-present transactions. 3DS1 is already widely used by TrustPay today.

With the event of the SCA mandate, the new version of 3DS protocol was introduced EMV 3-D Secure (3DS 2.1.), and its systems are ready to support 3DS 2.1 as well. At present, TrustPay is preparing their systems to be ready for 3DS 2.2. as well and we will inform you when will be available.

TrustPay SCA


6. How to apply for exemption from SCA?

An issuer will decide whether the SCA is required for exempted transactions or not. In case of exemptions applicable for TrustPay (please, refer to point 3), a merchant can apply for the exemption through the specific exemption flag submitted in the authorization request. How to submit an exemption flag, there will be a separate communication distributed to you.


7. What to do in case of out of scope transactions?

The merchants do not need to take any action in relation to the out of scope transactions. These transactions will be submitted automatically without a need for the SCA check.



The impact of COVID-19 on merchants and their Strong Customer Authentication (SCA) preparations has been significant, and the payments industry called for additional time to allow merchants to focus their efforts on SCA again. As a result, the official request for six months long delay was submitted by a couple of payment industry representatives to the European Commission.

We would like to bring to your attention that the European Commission has recently announced that the merchants and payment service providers will be granted no further time to prepare for and comply with the SCA mandate.

Therefore, we would like to assure you that the current deadlines are valid as they were communicated to you before. We encourage you to dedicate enough time and effort to the SCA migration to meet given deadlines. You are required to update your TrustPay gateway integration using the new version of 3-D Secure by October 1st, 2020.

Please refer to the previous TrustPay communications or contact us via the e-mail address and our colleagues will be happy to advise you.



Chargeback Terminology Explained

The following article will help you familiarize with the card scheme dispute-resolution process be explaining the basic vocabulary used in this process.
Read more

Visa Fraud and Chargeback Rules Update

Effective 1st October 2019 Visa will apply new thresholds to improve the efficiency of the Visa Fraud Monitoring Program (VFMP) and the Visa Chargeback Monitoring Program (VCMP).
Read more

TrustPay Introduces New Payment Gateway to Merchants

TrustPay brings a new version of payment gateway according to up-to-date trends and technologies. The payment gateway now provides all merchants with more comfort regarding the implementation, payment overview, and...
Read more
Back to top
This site uses cookies to provide you with a better browsing experience. By browsing TrustPay websites, you agree with using cookies. Find out more on how we use cookies here.