Customers – Strong Customer Authentication(SCA) and 3D Secure(3DS)

As of September 14th, 2019 payment gateways now require additional security steps regarding “SCA” for customer purchases in the European Union.

This will trigger the 3DS payment gateway security features for the customer to authorize their payment.


What is SCA?
Strong Customer Authentication (SCA) is a European regulation set in place on September 14th, 2019 to reduce fraud and make online payments more secure for purchasing customers by adding additional security steps for purchases and subscriptions.

When is SCA applied?
SCA currently only applies to EU businesses that are selling to EU based customers and match any of the following criteria

(a) accesses their payment account online;
(b) initiates an electronic payment transaction;
(c) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.

Most card payments and all bank transfer payments will require SCA.

When is SCA not required?
There are scenarios in which SCA may not be required for the customer’s purchase.

  • Low-risk transactions: payment gateways the vendor is using to process payments will be allowed to do a real-time risk analysis to determine whether to apply SCA to a transaction. This may only be possible if the payment provider’s or bank’s overall fraud rates for card payments do not exceed the set threshold of fraud rates.
  • Payments below 30 euro: Transactions below €30 will be considered “low value transactions” and may be exempted from SCA. Banks will need to request authentication if the exemption has been used five times since the cardholder’s last successful authentication or if the sum of previously exempted payments exceeds €100. The cardholder’s bank will need to track the number of times this exemption has been used and decide whether authentication is necessary.
  • Fixed amount subscriptions:  This can apply when the customer makes a series of recurring payments for the same amount, to the same business(Subscriptions). SCA will be required for the customer’s first payment but rebill charges may be exempt from SCA.
  • Merchant-initiated transactions: Vendor initiated payments made using the billing method when the customer is not present in the checkout flow (“manual transactions”) may qualify as merchant-initiated transactions.
  • Trusted beneficiaries: When completing authentication for a payment, customers may have the option to whitelist a business they trust to avoid having to authenticate future purchases. These businesses will be included on a list of “trusted beneficiaries” maintained by the customer’s bank or payment service provider.
  • Corporate Payments: This exemption may cover payments that are made with “lodged” cards (e.g., where a corporate card used for managing employee travel expenses is held directly with an online travel agent), as well as corporate payments made using virtual card numbers (which are also used in the travel sector).
PLEASE NOTE: None of the above factors which suggest SCA may not be required are any guarantee that SCA will actually not be required for your purchase. This ultimately depends on the discretion of the bank or payment method being used to make the purchase.

What is 3DS?

3D Secure (3DS) is a fraud prevention measure that acts as an additional layer of security when taking card payments. It gives customers a secure 2 step authentication before they can purchase online; ensuring that they’re using the correct card details to help protect against card payment fraud.

3DS serves as the authentication method required by SCA regulations.

How will 3DS work?

1. After entering their checkout info and clicking buy for a subscription-based product, European customers or customers required to use 3ds with their payment method will see a modal window popup (from the payment gateway the vendor is using to sell the product)
2. Customers will need to follow the instructions provided by their bank in the modal window to authenticate the 3ds purchase themselves.

3. When a subscription rebill charge happens, we set that related transaction to a pending status until the rebill is authenticated by the customer. We then send an email to the customer for authentication of the rebill.

    • NOTE: If the customer does not authenticate the transaction within the allotted grace period(1-3 days: contact vendor of product for their grace period), the transaction will be marked as failed.

4. Our system confirms the customer’s rebill transaction and Paykickstart will attempt to process the transaction as normal.

NOTE: The transaction may still decline at this point if, for example, there are insufficient funds in the account.

Related Articles