TABLE OF CONTENTS


    

    Under PSD2, Strong Customer Authentication (SCA) is required on all cardholder-initiated transactions when both the card issuer and acquirer are within the EEA.


    If one of the two parties is outside the EEA, SCA is not required. This type of transaction where either the merchant or buyer is outside the EEA is called a 'one leg out' transaction.


SCA not required: 

  • Non-EU card, but EU acquire (one leg out);
  • Non-EU acquire, but EU card (one leg out);
  • The transaction amount is 30 EUR or less;
  • Merchant initiated transactions;
  • MOTO payments;
  • ApplePay / GooglePay payments;


SCA required:

  • The total value of all card charges from the same merchant is 100 EUR or more;
  • The number of charges from the same merchant is 5 or more;
  • 1st payment to receive card taken, but following recurrent payment and 1-click payment (MIT or CIT) do not require SCA.
  • If the charge amount for tokenized CIT is different from the previous transaction. 

SCA payment authentification


 SCA requires to use in payment flow authentication at least two of the following three elements:

  • Something the customer knows (e.g., password or PIN);
  • Something the customer has (e.g., phone or hardware token);
  • Something the customer is (e.g., fingerprint or face recognition).



EEA countries as of 1 of June 2021


Belgium(BE)
Spain(ES)
Hungary(HU)
Slovakia(SK)
Bulgaria(BG)
France(FR)
Malta(MT)
Finland(FI)
Czechia(CZ)
Croatia(HR)
Netherlands(NL)
Sweden(SE)
Denmark(DK)
Italy(IT)
Austria(AT)
Germany(DE)
Cyprus(CY)
Poland(PL)
Iceland(IS)
Estonia(EE)
Latvia(LV)
Portugal(PT)
Liechtenstein(LI)
Ireland(IE)
Lithuania(LT)
Romania(RO)
Norway(NO)
Greece(EL)
Luxembourg(LU)
Slovenia(SI)


ISO-3166 country codes

AUT, BEL, BGR, HRV, CYP, CZE, DNK, EST, FIN, FRA, DEU, GRC, HUN, ISL, IRL, ITA, LVA, LIE, LTU, LUX, MLT, NLD, NOR, POL, PRT, ROU, SVK, SVN, ESP, SWE, GBR, AND, FRO, GIB, GRL, GGY, VAT, IMN, JEY, MCO, SMR, SJM, CHE