Under PSD2, Strong Customer Authentication (SCA) is required on all cardholder-initiated transactions when both the card issuer and the acquirer are within the European Economic Area (EEA) or the United Kingdom (UK).
If one of the two parties is outside the EEA or the United Kingdom, SCA is not required. This type of transaction, where either the merchant or the buyer is outside the EEA, is called a 'one leg out' transaction.
Exemptions for SCA Requirements
- Non-EU/UK card, but EU/UK acquirer (one leg out);
- Non-EU/UK acquirer, but EU/UK card (one leg out);
- The transaction amount is 30 EUR or less;
- Merchant initiated transactions;
- MOTO payments;
- ApplePay / GooglePay payments.
- The total value of all card charges from the same merchant is 100 EUR or more;
- The number of charges from the same merchant is 5 or more;
- 1st payment to receive card taken, but following recurrent payments and 1-click payments (MIT or CIT) do not require SCA;
- If the charge amount for tokenized CIT is different from the previous transaction.
SCA payment authentication
SCA requires the payment flow to authenticate the customer with at least two of the following three elements:
- Something the customer knows (e.g., password or PIN);
- Something the customer has (e.g., phone or hardware token);
- Something the customer is (e.g., fingerprint or face recognition).
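The two-of-three rule counts element categories, not individual checks, so a password plus a PIN is still one element. The check below is an added example, not code from the original page; the method names and the `METHOD_CATEGORY` mapping are hypothetical and follow the examples in the list above.

```python
from enum import Enum


class Element(Enum):
    KNOWLEDGE = "something the customer knows"
    POSSESSION = "something the customer has"
    INHERENCE = "something the customer is"


# Hypothetical method names, mapped to the element category each one proves.
METHOD_CATEGORY = {
    "password": Element.KNOWLEDGE,
    "pin": Element.KNOWLEDGE,
    "phone": Element.POSSESSION,
    "hardware_token": Element.POSSESSION,
    "fingerprint": Element.INHERENCE,
    "face_recognition": Element.INHERENCE,
}


def verified_elements(results):
    """Return the set of element categories proven by successful checks.

    `results` is an iterable of (method, passed) pairs. Unknown methods raise,
    so an unmapped check can never be counted as an element by accident.
    """
    proven = set()
    for method, passed in results:
        category = METHOD_CATEGORY.get(method)
        if category is None:
            raise ValueError(f"unknown authentication method: {method!r}")
        if passed:  # a failed check proves nothing
            proven.add(category)
    return proven


def satisfies_sca(results):
    """True when at least two distinct element categories were proven."""
    return len(verified_elements(results)) >= 2


if __name__ == "__main__":
    # Constructed sample sessions.
    print(satisfies_sca([("password", True), ("pin", True)]))      # one category
    print(satisfies_sca([("password", True), ("phone", True)]))    # two categories
    print(satisfies_sca([("fingerprint", True), ("phone", False)]))  # second check failed
```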
EEA countries as of 1 June 2021