This page is no longer supported. Please refer to the current guide for up-to-date information.



PSD2 (Payment Services Directive 2) is a regulation that affects online payments within the European Economic Area (EEA). It requires that all online transactions in the EEA must comply with Strong Customer Authentication (SCA) rules.

SCA is mandatory for all online transactions that are initiated by the cardholder within the EEA. Transactions that are considered exempt from SCA include:

SCA payment authentication

SCA is a security protocol designed to protect customers from fraud and identity theft during online transactions. The SCA rules require two or more forms of authentication before a payment can be approved. This means that customers must confirm their identity with at least two of the following:

  • Something they know (like a password or PIN)
  • Something they have (like a mobile phone or a key fob)
  • Something they are (like a fingerprint or facial recognition)

SCA required

  • The total value of all card charges from the same merchant is 100 EUR or more;
  • The number of charges from the same merchant is 5 or more;
  • 1st payment to receive card taken, but following recurrent payment and 1-click payment (MIT or CIT) do not require SCA;
  • If the charge amount for tokenized CIT is different from the previous transaction.

SCA exemptions 

  • Non-EU/UK card, but EU/UK acquire (one leg out);
  • Non-EU/UK acquire, but EU/UK card (one leg out);
  • Merchant initiated transactions;
  • MOTO payments;
  • Apple Pay
  • GooglePay (DSRP flow only) 
  • Low-value transactions under €30

Merchants who fail to comply with PSD2 and SCA can face significant penalties, including fines and legal action. Therefore, it is crucial that merchants ensure their payment processes comply with these regulations.

To comply with SCA, merchants can use a range of authentication methods, such as one-time passwords, biometric authentication, or hardware tokens. Merchants should also ensure that they have implemented secure payment systems and that their customers' data is adequately protected.

Merchants can also take advantage of exemptions and fraud prevention tools to reduce the impact of SCA on their conversion rates. Exemptions can be applied to transactions that meet certain criteria, such as low-risk or recurring payments. Merchants can also use fraud prevention tools to identify and prevent fraudulent transactions before they occur.

In conclusion, PSD2 and SCA have been introduced to provide greater protection to customers during online transactions. While these regulations may require additional effort from merchants to implement, complying with them is necessary to avoid penalties and protect their customers' data. By following SCA guidelines and taking advantage of exemptions and fraud prevention tools, merchants can maintain a seamless payment experience for their customers while also ensuring their transactions are secure.

EEA countries as of 1 of April 2023