Strong Customer Authentication (SCA): All You Need to Know

Beginning September 2019, there will be new requirements in Europe for authenticating online payments.

Regulators in Europe have been trying to address the growing complexities in the e-commerce fraud landscape using strong customer authentication (SCA). SCA is essentially a regulation that is intended to reduce fraud by using a uniform and “stiff” approach to authentication. However, SCA has significant and pervasive implications throughout the value chain and will actually have a direct impact on your checkout flows, as a tour operator.

So let’s take a closer look at the new SCA requirements and how they will impact you in this article.

What is SCA All About?

SCA is being introduced as part of the Revised Payment Services Directive (PSD2) regulation. It will kick in on 14th September 2019 and will apply to all online purchases that take place in Europe (well, as long as the cardholder’s bank and the merchant’s payment provider are located within the European Economic Area (EEA)).

In short, it’s going to change the landscape for all online merchants in Europe and abroad, by requiring all transactions to be strongly authenticated. So how will SCA be implemented? With 3D Secure 2 (3DS2).

3DS2 is the new approach to SCA that puts the customer at the front and center of the authentication process and aligns with the latest e-commerce technologies. It has become the authentication standard that allows for high security and low friction.

All in all, 3DS2 will be the main vehicle for payment providers and card issuers to implement SCA.

3D Secure 1

3D Secure 1 (3DS1) was developed by Visa to address the poor authentication process in situations where the card holder is not in possession of their card. It addressed that by adding an authentication layer to online transactions via a “security challenge” which typically consists of entering a password.

3D Secure 1 has since been rolled out to other major card companies like Mastercard and American Express and is the most widely used authentication process online today.

Enter 3D Secure 2.

3D Secure 2

The aim of 3D Secure 2 (3DS2) is to improve on 3D Secure 1 and provide strong customer authentication for online payments. It achieves that aim by deploying a rigid authentication and identity verification process.

SCA Authentication and Identity Verification Process

SCA will add a new step in the payment processing system by adding authentication as the first step in the process.

The customer’s identity has to be verified by at least two of the following: knowledge (something the customer knows, e.g. a PIN or password), ownership (something only the customer possesses, like a mobile phone or ID) and something intrinsic (something that the customer is, e.g. a fingerprint or facial recognition).

The SCA of course has very rigid rules in securing authentication and identification data. For example, if a customer performs a remote transaction (like a mobile or online payment), additional security is required. The added security measure is an authentication code which associates the transaction to the payee and the amount.
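To make the idea of a code tied to payee and amount concrete, here is an added example (not from the original article and not Regiondo's or any issuer's actual scheme). It derives the code with HMAC-SHA256 over the amount, currency, payee and a per-transaction nonce; the key, the field layout and the 16-character truncation are assumptions chosen for illustration.

```python
import hashlib
import hmac
from decimal import Decimal

def _encode(fields):
    # Length-prefix every field so "1" + "23" can never collide with "12" + "3".
    out = b""
    for f in fields:
        raw = f.encode("utf-8")
        out += len(raw).to_bytes(2, "big") + raw
    return out

def auth_code(key: bytes, amount: Decimal, currency: str, payee: str, nonce: str) -> str:
    """Authentication code bound to one amount and one payee (illustrative scheme)."""
    # Canonical amount: always two decimals, so 49.9 and 49.90 give the same code.
    msg = _encode([f"{amount:.2f}", currency, payee, nonce])
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

def verify(key: bytes, code: str, amount: Decimal, currency: str,
           payee: str, nonce: str) -> bool:
    expected = auth_code(key, amount, currency, payee, nonce)
    return hmac.compare_digest(expected, code)  # constant-time comparison

def demo():
    # Constructed sample values; the key is a placeholder, not a real secret.
    key = b"constructed-demo-key-not-a-real-secret"
    payee, nonce = "Constructed Tours GmbH", "txn-0001"
    code = auth_code(key, Decimal("49.90"), "EUR", payee, nonce)
    return {
        "original": verify(key, code, Decimal("49.90"), "EUR", payee, nonce),
        "amount_changed": verify(key, code, Decimal("499.00"), "EUR", payee, nonce),
        "payee_changed": verify(key, code, Decimal("49.90"), "EUR", "Other Payee Ltd", nonce),
    }

if __name__ == "__main__":
    print(demo())
```

A code approved for one amount and payee fails verification as soon as either value is altered, which is the property the authentication code is meant to provide.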

Now let’s go over which transactions the SCA will affect and what the new requirements mean for you and the customer.

Which Transactions Will SCA Affect?

Let’s go over how SCA will affect different types of transactions:

Low-value Transactions: Transactions below €30 will not require SCA, unless the card has seen more than 5 exempted transactions in the last 24 hours; or the sum of those exempted transactions exceeds €100.

Same-amount Subscriptions: Businesses billing a fixed recurring amount will need to strongly authenticate the first payment. Recurring payments of the same amount will not require strong authentication.

Low-risk Transactions: Low-fraud payment service providers (PSPs) with fraud rates below 0.13% can exempt transactions below a specific amount threshold (€100, €250, €500), depending on their average fraud rate.

Trusted Beneficiaries: Customers can add a merchant to their personal “trusted beneficiaries” list (maintained by their bank or payment method issuer).

MOTO Transactions: Mail order and telephone order (MOTO) transactions will be exempt from Strong Customer Authentication.
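The rules above can be expressed as a decision function. The following is an added example, not code from the original article or from any payment provider. It implements the low-value, same-amount subscription and MOTO rules as worded here; the class and field names are hypothetical, and it assumes the €100 sum covers earlier exempted payments only. The low-risk and trusted-beneficiary cases are left out because the article gives no decision details for them.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal
from typing import List, Optional, Tuple

LOW_VALUE_LIMIT = Decimal("30")    # "below €30"
MAX_EXEMPT_COUNT = 5               # "more than 5 exempted transactions"
MAX_EXEMPT_SUM = Decimal("100")    # "sum ... exceeds €100"
WINDOW = timedelta(hours=24)       # "in the last 24 hours"

@dataclass(frozen=True)
class Payment:                     # hypothetical record, amounts in EUR
    at: datetime
    amount: Decimal
    moto: bool = False
    # Amount of the strongly authenticated first charge; None if not a follow-up.
    first_recurring_amount: Optional[Decimal] = None

def sca_decision(p: Payment, exempted: List[Payment]) -> Tuple[bool, str]:
    """Return (sca_required, reason); `exempted` = earlier exempted payments on the card."""
    if p.moto:
        return False, "MOTO"
    if p.first_recurring_amount is not None and p.first_recurring_amount == p.amount:
        return False, "same-amount subscription"
    if p.amount >= LOW_VALUE_LIMIT:
        return True, "not low-value"
    # Only exempted payments inside the 24-hour window count toward the limits.
    recent = [e for e in exempted if timedelta(0) <= p.at - e.at <= WINDOW]
    if len(recent) > MAX_EXEMPT_COUNT:
        return True, "exempted count exceeded"
    if sum((e.amount for e in recent), Decimal("0")) > MAX_EXEMPT_SUM:
        return True, "exempted sum exceeded"
    return False, "low-value"

def demo():
    now = datetime(2019, 9, 14, 12, 0)  # constructed sample data
    six_small = [Payment(now - timedelta(hours=h), Decimal("10")) for h in range(1, 7)]
    four_large = [Payment(now - timedelta(hours=h), Decimal("28")) for h in range(1, 5)]
    new = Payment(now, Decimal("12.50"))
    return [sca_decision(new, six_small[:3]),   # 3 prior, €30 total
            sca_decision(new, six_small),       # 6 prior: count limit hit
            sca_decision(new, four_large)]      # €112 prior: sum limit hit

if __name__ == "__main__":
    print(demo())
```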

What Does SCA Mean for The Customer?

The SCA has several benefits for customers, including the obvious – more trust and security. Multi-factor authentication directly translates to more security from potential fraud.

Perhaps among the list of top benefits to the customer is speed and convenience. The SCA removes the redirect found in 3DS1 so the checkout time will be drastically reduced.

Another benefit for the customer is that they get a more personalized approach to online payment. The SCA offers several modes of authentication so the customer can choose the most convenient authentication mode for them.

What Will Change for You?

Well…nothing too drastic. It’s true that all merchants will have to comply with the new SCA requirements. That means that you, as a tour and activity provider with an online presence, need to enable 3DS2 to be in compliance with the new industry standard. As a Regiondo customer using our payment provider, you will of course experience these changes, but you do not have to do anything because we will implement it for you.

Another way the SCA will impact you can be found in your e-commerce conversion funnel. Specifically, you may experience less cart abandonment since the checkout process is much quicker and easier for the customer; and is also less prone to errors that lead to customers abandoning the cart.

Now, perhaps the biggest benefit for you as a merchant is that you will no longer be liable for fraudulent transactions when you enable 3DS2 payments. The responsibility will now shift to payment providers and issuing banks.

Regiondo + 3DS2

We at Regiondo have already fully implemented all the requirements of this new regulation in our system, so our customers have the functionality months before the introduction of these requirements.

Conclusion

Even before we implement 3DS2 for our tour activity provider customers, we already have the current industry standard 3DS1 implemented, which you are using today.

As we help you get ready for 3DS2, rest assured that we always keep up with the industry that our customers operate in, so you can be sure that you always comply with the industry rules and regulations.

Stay tuned.
