Tap to Pay on iPhone

Accept contactless payments right on your iPhone with the Mollie app

Learn more

Accept payments

Online payments

Accept and manage online payments

In-person payments

Take payments with terminals and devices

Checkout

Offer a checkout optimised for conversion

Recurring payments

Collect recurring and subscription payments

Acceptance & Risk

Prevent fraud and optimise conversion

Embedded payments

Connect for platforms

Embed payments on your platform

Collect revenue

Payment links

Create, send and customise payment links

Invoicing

Crea

Grow your business

Capital

Get fast funding with flexible repayments

Partners

For Agencies

Learn about our Agency Partner Program

For SaaS and Ecommerce

Explore our SaaS and Ecommerce Partner Program

Technical resources

Developers portal

Discover developer resources and updates

Libraries

Integrate Mollie with ready-to-go libraries

Discord community

Join our developer community

Mollie API

Docs

Explore our API documentation and guides

Status

Check our current system status

Changelog

Read up on recent technical changes

About Mollie

Pricing

View our pricing

About us

Learn more about our story and values

News

Read the latest Mollie news

Careers

Come work for us - we're hiring!

Mollie content

Articles & guides

Discover content that can help your business

Success stories

See how we support our customers

Papers

Download our papers

Contact

For shoppers

Find out why Mollie is on your bank statement

For Mollie customers

Reach out to our customer support team

Contact sales

Discover how we can help your business

Tap to Pay on iPhone

Accept contactless payments right on your iPhone with the Mollie app

Learn more

Accept payments

Online payments

Accept and manage online payments

In-person payments

Take payments with terminals and devices

Checkout

Offer a checkout optimised for conversion

Recurring payments

Collect recurring and subscription payments

Acceptance & Risk

Prevent fraud and optimise conversion

Embedded payments

Connect for platforms

Embed payments on your platform

Collect revenue

Payment links

Create, send and customise payment links

Invoicing

Crea

Grow your business

Capital

Get fast funding with flexible repayments

Partners

For Agencies

Learn about our Agency Partner Program

For SaaS and Ecommerce

Explore our SaaS and Ecommerce Partner Program

Technical resources

Developers portal

Discover developer resources and updates

Libraries

Integrate Mollie with ready-to-go libraries

Discord community

Join our developer community

Mollie API

Docs

Explore our API documentation and guides

Status

Check our current system status

Changelog

Read up on recent technical changes

About Mollie

Pricing

View our pricing

About us

Learn more about our story and values

News

Read the latest Mollie news

Careers

Come work for us - we're hiring!

Mollie content

Articles & guides

Discover content that can help your business

Success stories

See how we support our customers

Papers

Download our papers

Contact

For shoppers

Find out why Mollie is on your bank statement

For Mollie customers

Reach out to our customer support team

Contact sales

Discover how we can help your business

Tap to Pay on iPhone

Accept contactless payments right on your iPhone with the Mollie app

Learn more

Accept payments

Online payments

Accept and manage online payments

In-person payments

Take payments with terminals and devices

Checkout

Offer a checkout optimised for conversion

Recurring payments

Collect recurring and subscription payments

Acceptance & Risk

Prevent fraud and optimise conversion

Embedded payments

Connect for platforms

Embed payments on your platform

Collect revenue

Payment links

Create, send and customise payment links

Invoicing

Crea

Grow your business

Capital

Get fast funding with flexible repayments

Partners

For Agencies

Learn about our Agency Partner Program

For SaaS and Ecommerce

Explore our SaaS and Ecommerce Partner Program

Technical resources

Developers portal

Discover developer resources and updates

Libraries

Integrate Mollie with ready-to-go libraries

Discord community

Join our developer community

Mollie API

Docs

Explore our API documentation and guides

Status

Check our current system status

Changelog

Read up on recent technical changes

About Mollie

Pricing

View our pricing

About us

Learn more about our story and values

News

Read the latest Mollie news

Careers

Come work for us - we're hiring!

Mollie content

Articles & guides

Discover content that can help your business

Success stories

See how we support our customers

Papers

Download our papers

Contact

For shoppers

Find out why Mollie is on your bank statement

For Mollie customers

Reach out to our customer support team

Contact sales

Discover how we can help your business

Content

News

Growth

Success stories

Papers

News

Growth

Success stories

Papers

Content

News

Growth

Success stories

Papers

Growth

Growth

Growth

Strong Customer Authentication: what ecommerce businesses need to know

Strong Customer Authentication: what ecommerce businesses need to know

Strong Customer Authentication: what ecommerce businesses need to know

Strong Customer Authentication is a security requirement from the European Union for contactless, online, and mobile payments. Learn more with Mollie.

Strong Customer Authentication is a security requirement from the European Union for contactless, online, and mobile payments. Learn more with Mollie.

Jun 13, 2022

Iryna Agieieva

Head of product - payments

Strong Customer Authentication (SCA) is a security requirement from the European Union for contactless‚ online‚ and mobile payments. Strong Customer Authentication is part of the revised Payment Services Directive (PSD2)‚ developed to improve the existing one-time-password (OTP) notification system. Asking customers to authenticate their purchase with a TAN or SMS confirmation made sense 10 years ago‚ but electronic payments technology has moved on. And fraudsters have found loopholes. The PSD2 directive requires two-form identification at check out. The authentication burden is on the customer's bank‚ but it's your responsibility to build in the processes for the checks as an online business. So how will this new authentication requirement affect your business? Will the fraud reduction be worth more friction at checkout? Let's take a look.


Strong Customer Authentication (SCA) is a security requirement from the European Union for contactless‚ online‚ and mobile payments. Strong Customer Authentication is part of the revised Payment Services Directive (PSD2)‚ developed to improve the existing one-time-password (OTP) notification system. Asking customers to authenticate their purchase with a TAN or SMS confirmation made sense 10 years ago‚ but electronic payments technology has moved on. And fraudsters have found loopholes. The PSD2 directive requires two-form identification at check out. The authentication burden is on the customer's bank‚ but it's your responsibility to build in the processes for the checks as an online business. So how will this new authentication requirement affect your business? Will the fraud reduction be worth more friction at checkout? Let's take a look.


Strong Customer Authentication (SCA) is a security requirement from the European Union for contactless‚ online‚ and mobile payments. Strong Customer Authentication is part of the revised Payment Services Directive (PSD2)‚ developed to improve the existing one-time-password (OTP) notification system. Asking customers to authenticate their purchase with a TAN or SMS confirmation made sense 10 years ago‚ but electronic payments technology has moved on. And fraudsters have found loopholes. The PSD2 directive requires two-form identification at check out. The authentication burden is on the customer's bank‚ but it's your responsibility to build in the processes for the checks as an online business. So how will this new authentication requirement affect your business? Will the fraud reduction be worth more friction at checkout? Let's take a look.


Strong Customer Authentication (SCA) is a security requirement from the European Union for contactless‚ online‚ and mobile payments. Strong Customer Authentication is part of the revised Payment Services Directive (PSD2)‚ developed to improve the existing one-time-password (OTP) notification system. Asking customers to authenticate their purchase with a TAN or SMS confirmation made sense 10 years ago‚ but electronic payments technology has moved on. And fraudsters have found loopholes. The PSD2 directive requires two-form identification at check out. The authentication burden is on the customer's bank‚ but it's your responsibility to build in the processes for the checks as an online business. So how will this new authentication requirement affect your business? Will the fraud reduction be worth more friction at checkout? Let's take a look.


When did Strong Customer Authentication come into effect? 

The European Banking Authority approved SCA in 2019‚ however‚ the new regulation wasn't enforced for ecommerce in the EU until 1 January 2021. In the UK‚ the regulation was applied to face-to-face payments on 15 September 2021.


The European Banking Authority approved SCA in 2019‚ however‚ the new regulation wasn't enforced for ecommerce in the EU until 1 January 2021. In the UK‚ the regulation was applied to face-to-face payments on 15 September 2021.


The European Banking Authority approved SCA in 2019‚ however‚ the new regulation wasn't enforced for ecommerce in the EU until 1 January 2021. In the UK‚ the regulation was applied to face-to-face payments on 15 September 2021.


The European Banking Authority approved SCA in 2019‚ however‚ the new regulation wasn't enforced for ecommerce in the EU until 1 January 2021. In the UK‚ the regulation was applied to face-to-face payments on 15 September 2021.


What is two-form identification at checkout?

Strong Customer Authentication requires that customer authentication must include at least two of the following elements:

  1. Something only customer knows

  2. Something only the customer owns

  3. Something only the customer has

Something only customer knows

This can be a password, pin, or an answer to a specific question. This is most often handled by an existing password or a 4- to 6-digit number sent by text. 

Something only the customer owns

Examples include a mobile phone, token generator, card reader, desktop, tablet, or any other authorised device. This part of the check is done without active input from the customer. 

Something only the customer has

In essence, this is some sort of biometric data. Face ID or fingerprints are a good example. Strong Customer Authentication requires that you meet the two-factor authentication conditions to help reduce the likelihood of fraudulent activities. For instance, it helps keep sensitive customer data secure and private from external parties. 

Strong Customer Authentication requires that customer authentication must include at least two of the following elements:

  1. Something only customer knows

  2. Something only the customer owns

  3. Something only the customer has

Something only customer knows

This can be a password, pin, or an answer to a specific question. This is most often handled by an existing password or a 4- to 6-digit number sent by text. 

Something only the customer owns

Examples include a mobile phone, token generator, card reader, desktop, tablet, or any other authorised device. This part of the check is done without active input from the customer. 

Something only the customer has

In essence, this is some sort of biometric data. Face ID or fingerprints are a good example. Strong Customer Authentication requires that you meet the two-factor authentication conditions to help reduce the likelihood of fraudulent activities. For instance, it helps keep sensitive customer data secure and private from external parties. 

Strong Customer Authentication requires that customer authentication must include at least two of the following elements:

  1. Something only customer knows

  2. Something only the customer owns

  3. Something only the customer has

Something only customer knows

This can be a password, pin, or an answer to a specific question. This is most often handled by an existing password or a 4- to 6-digit number sent by text. 

Something only the customer owns

Examples include a mobile phone, token generator, card reader, desktop, tablet, or any other authorised device. This part of the check is done without active input from the customer. 

Something only the customer has

In essence, this is some sort of biometric data. Face ID or fingerprints are a good example. Strong Customer Authentication requires that you meet the two-factor authentication conditions to help reduce the likelihood of fraudulent activities. For instance, it helps keep sensitive customer data secure and private from external parties. 

Strong Customer Authentication requires that customer authentication must include at least two of the following elements:

  1. Something only customer knows

  2. Something only the customer owns

  3. Something only the customer has

Something only customer knows

This can be a password, pin, or an answer to a specific question. This is most often handled by an existing password or a 4- to 6-digit number sent by text. 

Something only the customer owns

Examples include a mobile phone, token generator, card reader, desktop, tablet, or any other authorised device. This part of the check is done without active input from the customer. 

Something only the customer has

In essence, this is some sort of biometric data. Face ID or fingerprints are a good example. Strong Customer Authentication requires that you meet the two-factor authentication conditions to help reduce the likelihood of fraudulent activities. For instance, it helps keep sensitive customer data secure and private from external parties. 

When does Strong Customer Authentication apply?

Strong Customer Authentication (SCA) is triggered when a customer initiates an online transaction, and both the customer’s bank and your bank are located within the EU or the UK. If you are refunding money to a customer, for example, SCA does not apply because the transaction has been initiated by the business. If your customer’s bank is located in the US and your bank is in the EU (or vice versa), then SCA also does not apply.

Strong Customer Authentication (SCA) is triggered when a customer initiates an online transaction, and both the customer’s bank and your bank are located within the EU or the UK. If you are refunding money to a customer, for example, SCA does not apply because the transaction has been initiated by the business. If your customer’s bank is located in the US and your bank is in the EU (or vice versa), then SCA also does not apply.

Strong Customer Authentication (SCA) is triggered when a customer initiates an online transaction, and both the customer’s bank and your bank are located within the EU or the UK. If you are refunding money to a customer, for example, SCA does not apply because the transaction has been initiated by the business. If your customer’s bank is located in the US and your bank is in the EU (or vice versa), then SCA also does not apply.

Strong Customer Authentication (SCA) is triggered when a customer initiates an online transaction, and both the customer’s bank and your bank are located within the EU or the UK. If you are refunding money to a customer, for example, SCA does not apply because the transaction has been initiated by the business. If your customer’s bank is located in the US and your bank is in the EU (or vice versa), then SCA also does not apply.

What transactions are exempt from Strong Customer Authentication?

The EU is aware that requiring additional steps for an online purchase introduces friction during a sensitive part of the sales process. To help reduce this friction, they have made some exceptions to the SCA rules. The following transactions are exempt from SCA:

Low-risk transactions 

A well-established payment provider may be allowed to calculate the fraud risk for a transaction and determine whether to enable SCA or not. In general terms, the exemption requires that the level of fraud the payment service provider reports must be lower than the reference fraud rates throughout the EU for the same type of transactions. Other factors in the calculation include the transaction amount being less than €500, and the behaviour and geographic location of the customer as it relates to the normal behaviour for that online payment method.

It’s important to know that this assessment is done by the payment service provider and has nothing to do with the health or profile of your business.

Low-value payments

If the customer has made fewer than five payments in the last 24 hours or if the sum or the payments in the last 24 hours is less than €100, it is usually considered exempt.

Recurring payments

When you bill your customer monthly via credit or debit card, SCA is only applied for the first payment. If the amount changes each month, then SCA may be applied. Recurring payments are usually invoices for regular services, subscriptions or instalments. Recurring payments managed through SEPA direct debit have their own security procedures and are completely separate from SCA protections.

Allowlist members

If your customer uses a commercial credit card, meaning one that is issued by another company’s business account, then any transactions will likely be exempt since PSD2 doesn’t apply to B2B purchases.

The EU is aware that requiring additional steps for an online purchase introduces friction during a sensitive part of the sales process. To help reduce this friction, they have made some exceptions to the SCA rules. The following transactions are exempt from SCA:

Low-risk transactions 

A well-established payment provider may be allowed to calculate the fraud risk for a transaction and determine whether to enable SCA or not. In general terms, the exemption requires that the level of fraud the payment service provider reports must be lower than the reference fraud rates throughout the EU for the same type of transactions. Other factors in the calculation include the transaction amount being less than €500, and the behaviour and geographic location of the customer as it relates to the normal behaviour for that online payment method.

It’s important to know that this assessment is done by the payment service provider and has nothing to do with the health or profile of your business.

Low-value payments

If the customer has made fewer than five payments in the last 24 hours or if the sum or the payments in the last 24 hours is less than €100, it is usually considered exempt.

Recurring payments

When you bill your customer monthly via credit or debit card, SCA is only applied for the first payment. If the amount changes each month, then SCA may be applied. Recurring payments are usually invoices for regular services, subscriptions or instalments. Recurring payments managed through SEPA direct debit have their own security procedures and are completely separate from SCA protections.

Allowlist members

If your customer uses a commercial credit card, meaning one that is issued by another company’s business account, then any transactions will likely be exempt since PSD2 doesn’t apply to B2B purchases.

The EU is aware that requiring additional steps for an online purchase introduces friction during a sensitive part of the sales process. To help reduce this friction, they have made some exceptions to the SCA rules. The following transactions are exempt from SCA:

Low-risk transactions 

A well-established payment provider may be allowed to calculate the fraud risk for a transaction and determine whether to enable SCA or not. In general terms, the exemption requires that the level of fraud the payment service provider reports must be lower than the reference fraud rates throughout the EU for the same type of transactions. Other factors in the calculation include the transaction amount being less than €500, and the behaviour and geographic location of the customer as it relates to the normal behaviour for that online payment method.

It’s important to know that this assessment is done by the payment service provider and has nothing to do with the health or profile of your business.

Low-value payments

If the customer has made fewer than five payments in the last 24 hours or if the sum or the payments in the last 24 hours is less than €100, it is usually considered exempt.

Recurring payments

When you bill your customer monthly via credit or debit card, SCA is only applied for the first payment. If the amount changes each month, then SCA may be applied. Recurring payments are usually invoices for regular services, subscriptions or instalments. Recurring payments managed through SEPA direct debit have their own security procedures and are completely separate from SCA protections.

Allowlist members

If your customer uses a commercial credit card, meaning one that is issued by another company’s business account, then any transactions will likely be exempt since PSD2 doesn’t apply to B2B purchases.

The EU is aware that requiring additional steps for an online purchase introduces friction during a sensitive part of the sales process. To help reduce this friction, they have made some exceptions to the SCA rules. The following transactions are exempt from SCA:

Low-risk transactions 

A well-established payment provider may be allowed to calculate the fraud risk for a transaction and determine whether to enable SCA or not. In general terms, the exemption requires that the level of fraud the payment service provider reports must be lower than the reference fraud rates throughout the EU for the same type of transactions. Other factors in the calculation include the transaction amount being less than €500, and the behaviour and geographic location of the customer as it relates to the normal behaviour for that online payment method.

It’s important to know that this assessment is done by the payment service provider and has nothing to do with the health or profile of your business.

Low-value payments

If the customer has made fewer than five payments in the last 24 hours or if the sum or the payments in the last 24 hours is less than €100, it is usually considered exempt.

Recurring payments

When you bill your customer monthly via credit or debit card, SCA is only applied for the first payment. If the amount changes each month, then SCA may be applied. Recurring payments are usually invoices for regular services, subscriptions or instalments. Recurring payments managed through SEPA direct debit have their own security procedures and are completely separate from SCA protections.

Allowlist members

If your customer uses a commercial credit card, meaning one that is issued by another company’s business account, then any transactions will likely be exempt since PSD2 doesn’t apply to B2B purchases.

How does SCA work with digital wallets?

Strong Customer Authentication allows for fast and secure payments with digital wallet options like Apple Pay and Google Pay. Remember, a transaction needs to meet only two out of the three SCA requirements to work. Since digital wallets are usually used on mobile phones or tablets, which also have some sort of FaceID or fingerprinting capability, two of the three requirements are already met. It doesn’t matter if the customer chooses a credit card or a credit debit card to pay. As long as their bank allows that card to be registered with ApplePay or Google Wallet, they’re good to go.

Strong Customer Authentication allows for fast and secure payments with digital wallet options like Apple Pay and Google Pay. Remember, a transaction needs to meet only two out of the three SCA requirements to work. Since digital wallets are usually used on mobile phones or tablets, which also have some sort of FaceID or fingerprinting capability, two of the three requirements are already met. It doesn’t matter if the customer chooses a credit card or a credit debit card to pay. As long as their bank allows that card to be registered with ApplePay or Google Wallet, they’re good to go.

Strong Customer Authentication allows for fast and secure payments with digital wallet options like Apple Pay and Google Pay. Remember, a transaction needs to meet only two out of the three SCA requirements to work. Since digital wallets are usually used on mobile phones or tablets, which also have some sort of FaceID or fingerprinting capability, two of the three requirements are already met. It doesn’t matter if the customer chooses a credit card or a credit debit card to pay. As long as their bank allows that card to be registered with ApplePay or Google Wallet, they’re good to go.

Strong Customer Authentication allows for fast and secure payments with digital wallet options like Apple Pay and Google Pay. Remember, a transaction needs to meet only two out of the three SCA requirements to work. Since digital wallets are usually used on mobile phones or tablets, which also have some sort of FaceID or fingerprinting capability, two of the three requirements are already met. It doesn’t matter if the customer chooses a credit card or a credit debit card to pay. As long as their bank allows that card to be registered with ApplePay or Google Wallet, they’re good to go.

How do you implement SCA?

You are obligated to comply with the new SCA requirements if these criteria apply:

  • Your business is located in the European Economic Area, or you make payments on behalf of connected accounts based in the EEA

  • Your customers are in the EEA

  • You accept credit or debit cards

The easiest way to do that is to use an SCA-compliant payment gateway, such as Mollie.

If you’re working with a custom payment gateway, your developers will need to make sure that they’ve added the additional authentication layers to your site’s checkout flow. The extra checks allow banks to cross-check customers’ information through the two-step customer identification process. 

To discover more relevant tips for keeping your ecommerce payments secure and compliant, reach out to Mollie. Sign up today and start offering secure payment methods in your ecommerce store.

You are obligated to comply with the new SCA requirements if these criteria apply:

  • Your business is located in the European Economic Area, or you make payments on behalf of connected accounts based in the EEA

  • Your customers are in the EEA

  • You accept credit or debit cards

The easiest way to do that is to use an SCA-compliant payment gateway, such as Mollie.

If you’re working with a custom payment gateway, your developers will need to make sure that they’ve added the additional authentication layers to your site’s checkout flow. The extra checks allow banks to cross-check customers’ information through the two-step customer identification process. 

To discover more relevant tips for keeping your ecommerce payments secure and compliant, reach out to Mollie. Sign up today and start offering secure payment methods in your ecommerce store.

You are obligated to comply with the new SCA requirements if these criteria apply:

  • Your business is located in the European Economic Area, or you make payments on behalf of connected accounts based in the EEA

  • Your customers are in the EEA

  • You accept credit or debit cards

The easiest way to do that is to use an SCA-compliant payment gateway, such as Mollie.

If you’re working with a custom payment gateway, your developers will need to make sure that they’ve added the additional authentication layers to your site’s checkout flow. The extra checks allow banks to cross-check customers’ information through the two-step customer identification process. 

To discover more relevant tips for keeping your ecommerce payments secure and compliant, reach out to Mollie. Sign up today and start offering secure payment methods in your ecommerce store.

You are obligated to comply with the new SCA requirements if these criteria apply:

  • Your business is located in the European Economic Area, or you make payments on behalf of connected accounts based in the EEA

  • Your customers are in the EEA

  • You accept credit or debit cards

The easiest way to do that is to use an SCA-compliant payment gateway, such as Mollie.

If you’re working with a custom payment gateway, your developers will need to make sure that they’ve added the additional authentication layers to your site’s checkout flow. The extra checks allow banks to cross-check customers’ information through the two-step customer identification process. 

To discover more relevant tips for keeping your ecommerce payments secure and compliant, reach out to Mollie. Sign up today and start offering secure payment methods in your ecommerce store.

More updates

What is friendly fraud?

Friendly fraud can cause financial loss, admin headaches, and reputational risk. Explore different types of friendly fraud and how to prevent chargebacks.

How to prevent carding attacks

Learn how to prevent carding attacks. Discover key prevention strategies and how fraud prevention solutions can safeguard your business.

Are consumers taking back control of their data?

Happy Horizon and Mollie are putting their heads together with 23 experts about personal data.

Ecommerce fraud management strategies

Discover ecommerce fraud management strategies and how to protect your business from fraudsters.

What is friendly fraud?

Friendly fraud can cause financial loss, admin headaches, and reputational risk. Explore different types of friendly fraud and how to prevent chargebacks.

How to prevent carding attacks

Learn how to prevent carding attacks. Discover key prevention strategies and how fraud prevention solutions can safeguard your business.

Are consumers taking back control of their data?

Happy Horizon and Mollie are putting their heads together with 23 experts about personal data.

Ecommerce fraud management strategies

Discover ecommerce fraud management strategies and how to protect your business from fraudsters.

Stay up to date

Never miss an update. Receive product updates, news and customer stories right into your inbox.

Stay up to date

Never miss an update. Receive product updates, news and customer stories right into your inbox.

Connect every payment. Upgrade every part of your business.

Never miss an update. Receive product updates, news and customer stories right into your inbox.

Stay up to date

Never miss an update. Receive product updates, news and customer stories right into your inbox.

Form fields
Form fields
Form fields

Table of contents

Table of contents

Table of contents

Table of contents

Table of contents

When did Strong Customer Authentication come into effect? 

What is two-form identification at checkout?

When does Strong Customer Authentication apply?

What transactions are exempt from Strong Customer Authentication?

How does SCA work with digital wallets?

How do you implement SCA?

Contact sales

MollieGrowthStrong Customer Authentication: what ecommerce businesses need to know
MollieGrowthStrong Customer Authentication: what ecommerce businesses need to know
MollieGrowthStrong Customer Authentication: what ecommerce businesses need to know