ClearLaunch

Strong Customer Authentication (SCA) for payments

strong-customer-authentication · Domain: payments · Type: mixed

Description

Strong Customer Authentication (SCA) is the EU PSD2 / UK FCA requirement that electronic payments be authenticated using two independent factors drawn from knowledge, possession, and inherence (something the user knows, has, or is). The headline rule is simple; the interesting part is the exemption regime, which is what most production payment flows actually run on. Low-value transactions (under €30 with cumulative caps), trusted-beneficiary lists the user has whitelisted, recurring transactions of a fixed amount, corporate-payment instruments, and transaction-risk analysis (TRA) at the acquirer level all relax the two-factor requirement under specific conditions.

The operational pieces are the authentication surface (3DS2 for card-not-present, biometric or PIN for in-app payments), the exemption logic that decides per transaction whether SCA is required and which exemption is being claimed, and the fallback path when an exemption fails or the issuer challenges back. TRA does most of the work in production. It lets the acquirer bypass SCA for low-fraud-rate transactions, which is what makes large-merchant checkout flows feel frictionless.

Failing SCA where it is required typically results in transaction decline rather than enforcement action, but persistent under-application can attract supervisory attention from national competent authorities.

Applicability

Applies when: markets include EU or UK.


Required by (3 regulations)

  • PSD2

    Article 97 — strong customer authentication.

    Directive (EU) 2015/2366

  • UK FCA Payments

    PSRs 2017 Regulation 100 + RTS on SCA; two-of-three independent authentication factors; exemptions for low-value/recurring/contactless under cumulative thresholds; FCA SUP 17A operationalization.

    Payment Services Regulations 2017 (SI 2017/752); Electronic Money Regulations 2011 (SI 2011/99); FCA Handbook

  • EU EMD2

    PSD2 (Directive 2015/2366) Article 97 + RTS on SCA — pan-EU SCA framework that EMD2 issuers operating payment services must apply.

    Directive 2009/110/EC of the European Parliament and of the Council of 16 September 2009

Fulfilled by (2)

  • stripe · full · low effort · $
    3DS2 + Radar handle SCA + exemption logic.
  • adyen · full · low effort · $$

ClearLaunch does not accept payment from vendors.

Evidence formats

  • SCA implementation spec
  • exemption-rules configuration
  • success-rate dashboards

ClearLaunch provides legal information based on publicly available regulatory sources. It does not constitute legal advice and does not create an attorney-client relationship. Consult a licensed attorney in your jurisdiction before making compliance decisions.


Built by Neel Patel, in-house game counsel. Games touch more compliance domains at once than anything else in tech. That's what ClearLaunch was designed around.

Operated by a Washington-licensed attorney. Not licensed in California or other US states. Data reviewed through March 2026.

© 2026 ClearLaunch