
Strong Customer Authentication Explained: What UK Merchants Need to Know About SCA

SCA is now fully enforced across UK e-commerce. Here is what it means for your checkout, your customers, and your conversion rate.

12 May 2026

You have probably noticed something different about online payments over the past couple of years. Your bank asks you to approve a purchase through your app. A one-time code arrives by text. A fingerprint scan completes a transaction you once completed with a single click.

This is Strong Customer Authentication at work. And if you run a business that accepts online payments, you need to understand it properly. Not because regulators demand it (though they do), but because it directly affects how many customers actually complete a purchase on your website.

Let us start from the beginning.


What Is Strong Customer Authentication?

Strong Customer Authentication, known universally as SCA, is a security requirement that demands online payments be verified using at least two independent factors from three possible categories:

  • Something you know: a password, a PIN, or a security question answer
  • Something you have: your mobile phone, a hardware token, or a card reader
  • Something you are: a fingerprint, a face scan, or another biometric identifier

The logic is straightforward. A fraudster who steals your password probably does not also have your fingerprint. Two independent factors create a lock that is far harder to pick than either factor alone.

SCA was introduced as part of the Second Payment Services Directive, known as PSD2, which originated in European regulation. Following Brexit, the UK implemented its own equivalent framework under the Financial Conduct Authority. The FCA extended the enforcement deadline multiple times to allow businesses to prepare, but SCA has been fully enforced for UK e-commerce since 14 March 2022. There is no grace period remaining. This is the law now.


How SCA Works in Practice: Enter 3D Secure 2

The technical mechanism that delivers SCA for card payments is called 3D Secure, currently in its second version (3DS2). If you have ever been redirected to your bank's verification page during an online checkout, you have encountered 3D Secure.

3DS2 is a significant improvement over its predecessor. The original 3D Secure (sometimes branded as Verified by Visa or Mastercard SecureCode) was notorious for clunky redirects and high abandonment rates. Customers would see an unfamiliar screen mid-checkout and assume something had gone wrong.

3DS2 solves several of these problems by enabling frictionless authentication. Instead of always interrupting the customer, the system shares over 100 data points with the card issuer in real time: device fingerprint, transaction history, purchase amount, shipping address, time of day, and more. The issuer's system analyses this data and, if it is satisfied the transaction is low-risk, approves it silently in the background. The customer experiences nothing. The transaction completes.

Only when the issuer flags a transaction as higher risk does the customer see a challenge, typically a push notification to their banking app or a one-time passcode.

This is a meaningful improvement. Done well, SCA via 3DS2 should be largely invisible to your genuine customers.


Who Is Responsible for SCA: You or Your Payment Provider?

This is one of the most common points of confusion for UK merchants, and it matters financially.

The responsibility for triggering SCA lies primarily with the card issuer (the customer's bank) and the acquirer (your payment processor). As a merchant, you are not personally implementing cryptographic authentication. But you are responsible for ensuring your payment integration supports 3DS2 properly.

Here is the critical point: liability shifts with SCA.

If a fraudulent transaction occurs and your checkout did not correctly invoke SCA, liability for the chargeback typically falls on you, the merchant. If SCA was correctly applied and the issuer authenticated the transaction, liability shifts to the issuer.

This means that running an outdated payment integration that does not support 3DS2 is not just a regulatory problem. It is a financial risk that sits directly on your balance sheet.

Check with your payment provider that your integration supports 3DS2. Ask them directly. If they cannot confirm it, take that seriously.


The Exemptions: Where SCA Does Not Apply

SCA is mandatory, but it is not required on every single transaction. The regulations define specific exemptions, and understanding them is where merchant strategy comes in.

The most commercially useful exemptions include:

Transaction Risk Analysis (TRA): Acquirers and issuers can exempt low-risk transactions based on real-time fraud analysis. The threshold is linked to the acquirer's fraud rate. If your payment processor maintains a sufficiently low fraud rate, individual low-value transactions may pass without SCA. The ceiling for TRA exemption is £250 for acquirer-side analysis.

Low-value transactions: Transactions under £30 can be exempt, though there are cumulative limits. After five consecutive exempt transactions, or once the total value of exempt transactions since the last SCA reaches £100, SCA is required again.

Merchant-initiated transactions: Recurring payments where the customer has already authenticated (a subscription, for example) can be processed without SCA on subsequent charges, provided the first payment was properly authenticated and the customer agreed to the recurring arrangement.

Trusted beneficiaries: Customers can whitelist merchants with their bank, so future purchases from that merchant skip SCA. This is sometimes called the "trusted merchant" exemption and is worth understanding if you have repeat customers.

Telephone orders and MOTO transactions: Mail order and telephone order payments are explicitly out of scope for SCA, because SCA applies to electronically initiated transactions where both payer and merchant are present online.

These exemptions are not automatic. Your payment provider must request them correctly during the transaction flow. If you are seeing SCA challenges on every transaction, including small recurring ones, your integration may not be requesting exemptions efficiently.
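The exemption rules above can be read as a small decision procedure. The sketch below is an added example, not code from Klipy UK, a payment provider or any card scheme: the function and field names are hypothetical, the order in which exemptions are tried is an assumption, and the thresholds are the figures quoted in this article, held in pence.

```python
from dataclasses import dataclass

# Thresholds as stated in the article, in pence to avoid float rounding.
LOW_VALUE_LIMIT = 30_00     # "under £30"
CUMULATIVE_LIMIT = 100_00   # exempt total since the last SCA "reaches £100"
MAX_CONSECUTIVE = 5         # "after five consecutive exempt transactions"
TRA_CEILING = 250_00        # acquirer-side TRA ceiling (assumed inclusive)


@dataclass
class CardState:
    """Hypothetical per-card counters, reset whenever SCA is performed."""
    exempt_count: int = 0
    exempt_total: int = 0


def decide(state, amount, *, moto=False, merchant_initiated=False,
           trusted=False, tra_low_risk=False):
    """Return the exemption to request, or 'SCA' if none applies."""
    if moto:
        return "OUT_OF_SCOPE_MOTO"      # out of scope rather than exempt
    if merchant_initiated:
        return "MERCHANT_INITIATED"     # first payment was authenticated
    if trusted:
        return "TRUSTED_BENEFICIARY"
    if (amount < LOW_VALUE_LIMIT
            and state.exempt_count < MAX_CONSECUTIVE
            and state.exempt_total < CUMULATIVE_LIMIT):
        state.exempt_count += 1
        state.exempt_total += amount
        return "LOW_VALUE"
    if tra_low_risk and amount <= TRA_CEILING:
        return "TRA"
    # No exemption fits: authenticate and reset the low-value counters.
    state.exempt_count = 0
    state.exempt_total = 0
    return "SCA"


def run(amounts):
    """Replay a constructed sequence of purchases (in pence) on one card."""
    state = CardState()
    return [decide(state, amount) for amount in amounts]
```

Replaying seven £20 purchases yields five low-value exemptions, one SCA, then a fresh exemption; five £29 purchases hit the cumulative limit on the fifth. A £1,200 purchase is above the TRA ceiling quoted here even when scored low-risk, so this procedure returns `SCA` for it.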


What SCA Means for Your Conversion Rate

Let us be honest about the commercial tension here.

Every additional step in a checkout journey reduces conversion. Research published by Stripe estimated that poorly implemented SCA could reduce conversion by as much as 25 to 30 percent in markets where it was first enforced. That is not a rounding error. For a business turning over £500,000 online, a 25 percent conversion drop is catastrophic.

However, well-implemented SCA using 3DS2 with intelligent exemption requesting tells a very different story. When exemptions are applied appropriately and frictionless authentication handles genuinely low-risk transactions, the conversion impact is minimal. Baymard Institute research consistently shows that checkout friction, including unexpected verification steps, is one of the top reasons customers abandon carts. The solution is not to avoid SCA; it is to implement it intelligently.

The merchants who suffer most are those running outdated integrations that apply SCA challenges indiscriminately, without requesting exemptions and without leveraging frictionless flows.


A Real-World Scenario: The Camera Shop Problem

Imagine you run a specialist camera retailer online. A returning customer visits your site to purchase a lens worth £1,200. They have bought from you twice before.

Under a poorly configured setup, this customer faces a full SCA challenge: they are redirected, asked to open their banking app, and approve the payment. They are on their lunch break, their phone is across the room, and they abandon the cart. That sale is gone.

Under a properly configured setup using 3DS2 with intelligent exemption logic, the issuer recognises the device, the shipping address matches the customer's known address, and the transaction history is clean. The payment authenticates frictionlessly. The customer receives a confirmation email before they have even closed the tab.

Same legal requirement. Entirely different customer experience. The difference is the quality of the integration.

High-value retailers in particular (photography, jewellery, premium fashion, specialist electronics) need to scrutinise their payment stack on this point more carefully than almost any other sector. The margin on a £1,200 lens may be 8 to 12 percent. A failed transaction is not an inconvenience; it is a significant loss.


Practical Checklist: What to Do Right Now

Here is what your business should confirm with your payment provider immediately:

  1. Confirm 3DS2 support. Your provider should be using 3DS2, not the legacy 3DS1 protocol. Ask them directly.

  2. Ask how exemptions are managed. Does your provider automatically request TRA exemptions and low-value exemptions where applicable? Or does it apply SCA to every transaction by default?

  3. Check your recurring payment setup. If you take subscriptions or repeat charges, confirm the initial payment was SCA-authenticated and that subsequent charges are flagged correctly as merchant-initiated.

  4. Review your abandonment data. If you have analytics on your checkout, look at where in the payment flow customers are dropping off. A spike at the payment step, particularly for new 3DS challenge screens, is a signal your SCA implementation needs attention.

  5. Consider soft declines. If your payment provider sends you soft decline codes (typically error code 65, authentication required), it means the issuer wanted SCA but did not receive it. These should be retried with SCA invoked. If your system does not handle soft declines, you are losing transactions silently.
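Item 5 describes a retry rule that is easy to get wrong in checkout code. The following is an added example, not any provider's SDK: `authorise` is a hypothetical gateway callback, the fake gateway and sample orders are constructed, and the only code taken from the article is 65.

```python
SOFT_DECLINE = "65"  # code the article gives for "authentication required"


def charge_with_sca_fallback(authorise, order):
    """Try without SCA first; on a soft decline, retry once with SCA.

    `authorise(order, force_sca)` is a hypothetical gateway call returning
    {"approved": bool, "code": str}. Returns (final_result, attempts).
    """
    attempts = []
    result = authorise(order, force_sca=False)
    attempts.append(("exemption", result["code"]))
    if result["approved"] or result["code"] != SOFT_DECLINE:
        return result, attempts      # approved, or a hard decline: no retry
    # The issuer wanted SCA and did not receive it: retry with SCA invoked.
    result = authorise(order, force_sca=True)
    attempts.append(("sca", result["code"]))
    return result, attempts          # a second decline is not retried again


def make_fake_gateway(sca_threshold):
    """Constructed stand-in for a payment gateway, for this demo only."""
    def authorise(order, force_sca):
        if order.get("blocked"):
            return {"approved": False, "code": "HARD"}   # constructed code
        if order["amount"] > sca_threshold and not force_sca:
            return {"approved": False, "code": SOFT_DECLINE}
        return {"approved": True, "code": "OK"}          # constructed code
    return authorise


def recovered_sales(authorise, orders):
    """Count orders approved only because the soft decline was retried."""
    count = 0
    for order in orders:
        result, attempts = charge_with_sca_fallback(authorise, order)
        if result["approved"] and len(attempts) == 2:
            count += 1
    return count


# Constructed sample orders, amounts in pence.
SAMPLE_ORDERS = [{"amount": 1000}, {"amount": 120000},
                 {"amount": 2000, "blocked": True}]
```

`recovered_sales` is the number a merchant should compare against their abandonment data: each such order would have been lost silently by a system that treats code 65 as a final decline.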


What This Means for Your Business

SCA is not going away. It is the permanent framework for online payment security in the UK, and any business accepting card payments online needs to be operating within it correctly.

The good news is that SCA, when implemented well, is largely good for everyone. Fraud rates for SCA-authenticated transactions are significantly lower. Chargebacks decline. And the liability protection from correct SCA implementation is genuinely valuable.

The bad news is that implementation quality varies enormously between payment providers. Some platforms handle exemption logic automatically and intelligently. Others leave merchants exposed to unnecessary friction and silent lost sales.

Ask your provider the questions in the checklist above. If the answers are vague, that is information worth acting on.


Klipy UK is a payments intelligence platform built for UK small and medium-sized businesses. We explain the payment system clearly so you can make better decisions for your business.

Sources

  1. FCA Policy Statement PS21/19: Strong Customer Authentication for online card-based payments, published March 2022. https://www.fca.org.uk/publications/policy-statements/ps21-19-strong-customer-authentication
  2. FCA webpage on Strong Customer Authentication requirements and timelines. https://www.fca.org.uk/consumers/strong-customer-authentication
  3. European Banking Authority Final Guidelines on SCA and Secure Open Standards of Communication (EBA/GL/2019/01), which formed the basis for UK implementation. https://www.eba.europa.eu/regulation-and-policy/payment-services-and-electronic-money/guidelines-on-the-security-of-internet-payments
  4. EMVCo 3DS Specification documentation describing 3D Secure 2 data elements and frictionless flow architecture. https://www.emvco.com/emv-technologies/3d-secure/
  5. Baymard Institute research on checkout abandonment rates and friction points (2023 benchmarking study). https://baymard.com/lists/cart-abandonment-rate
  6. Stripe guide to SCA for European and UK businesses, including exemption logic and soft decline handling. https://stripe.com/docs/strong-customer-authentication
  7. UK Finance Payment Markets Summary 2023, providing context on UK card transaction volumes and fraud rates. https://www.ukfinance.org.uk/system/files/2023-07/Payment%20Markets%20Summary%202023.pdf
  8. Payment Systems Regulator overview of PSD2 implementation in the UK post-Brexit. https://www.psr.org.uk/
  9. Mastercard Identity Check and Visa Secure documentation on 3DS2 implementation for merchants (technical reference for 3DS2 protocol versions). https://developer.mastercard.com/product/mastercard-identity-check/ and https://developer.visa.com/capabilities/visa_secure

Disclaimer

The views and information shared in this post are for educational and informational purposes only and do not constitute financial, legal, or professional advice. While every effort is made to ensure accuracy, Klipy UK Limited accepts no liability for decisions made based on this content. Payment processing rates, regulations, and product features referenced are subject to change. Klipy UK is an authorised seller of Teya payment solutions. Where third-party sources are cited, links are provided for reference; Klipy UK does not endorse or guarantee the accuracy of external content. For personalised guidance on your business payment needs, please contact us directly at editor@klipy.uk.
