In edoobox, customer authentications offered by the payment service provider (card issuer, etc.) are available for all payment systems. Settings for these must be configured directly with the payment service provider in the respective account.
The EU Payment Services Directive 2 (PSD2)
Strong Customer Authentication (SCA) is a requirement of the EU Payment Services Directive 2 (PSD2, EU 2015/2366) that came into force on September 14, 2019. It introduced changes to the authentication of online payments by your European customers.
Previously 2 Steps
Card payments traditionally occur in two steps: authorization and capture. A payment is authorized when the customer's bank or card issuer approves a payment; the payment is captured when the card is charged.
Now 3 Steps
With SCA, an additional and mandatory step was introduced before authorization and capture: the authentication. This step serves to protect customers through fraud prevention. To authenticate a payment, customers respond to a bank's request and provide additional information. This additional information typically falls into one of the following three categories:
- Something that only the user knows, e.g., a password
- Something that only the user possesses, e.g., a mobile phone
- Something that only the user is, e.g., a fingerprint
Your Account Settings with the Payment Service Provider
It is important to differentiate when SCA is required and when it is not, as SCA is not mandatory for every online transaction. For example, there are exceptions for recurring purchases and payments under 30 Euros. We therefore recommend that you consult your payment service provider to determine in which situations enhanced authentication is required.
Note: Influence of the Payment Service Provider
Your verification settings may be tightened by the payment service provider according to their criteria; neither edoobox nor you can influence this.
Criteria Requiring SCA (Strong Customer Authentication)
If the following statements apply to you, you should address Strong Customer Authentication:
- Your company is based in the European Economic Area (EEA) or you process payments for connected accounts within the EEA
- You have customers in the EEA
- You accept credit and/or debit cards
Note: Bank Influence
While some low-risk transactions (based on volume and fraud rate associated with the payment provider or bank) do not require authentication, banks are not obligated to approve these exemptions and may still demand customer authentication.
Recommended for countries outside the EEA, but not mandatory
The EU's PSD2 regulation does not apply to transactions within Switzerland, but it does apply to Swiss companies that have payment transactions with the EEA.