Skip to content

    Strong Customer Authentication

    Learn how to comply with PSD2 SCA in your unified integration. Please note that the information here should not be taken as a legal advice.


    The Payment Services Directive 2 (PSD2) is an EU regulation and its key objectives are to minimize fraud and make payments more secure across Europe.

    There are different aspects of PSD2, but the key article for merchants is called Strong Customer Authentication (SCA) – an extra level of security for transactions initiated by consumers. It means consumers are requested to provide two-factor authentication to confirm their identify before they can checkout online. The two factors must be independent of each other and should be from the following categories:

    • Knowledge: Something only the consumer knows, e.g. a password or a PIN code.
    • Possession: Something only the consumer has, e.g. a secure token or a mobile device.
    • Inherence: Something only the consumer is, e.g. a biometric fingerprint or a facial recognition.

    To make sure that your transactions comply with PSD2 SCA regulations, you need to implement 3D Secure authentication. For card payments this means using 3D Secure for Visa and Mastercard payments, and the equivalent authentication method for other cards, such as SafeKey for American Express and Dankort Secured by Nets for Dankort payments.

    SCA introduction

    Unified Commerce supports SCA through 3D secure authentication which is a protocol used to protect consumers trough an additional security check that requires action from customer in order to confirm his identity (usually a confirmation trough app is requested). Please note that Unified Commerce support SCA - 3D secure authentication, but Unified commerce is not owner of the process. All process regarding authentication is managed by Netaxept and Steps (the payment processors): acting as proxy Unified Commerce sends - forwarding what is send by merchants - specific and mapped parameters info to Netaxept.

    • Merchant integrated via Unified API can chose if SCA should be forced or not to each transaction type they can perform via the API.
    • Merchant can request exemption based on low value (Low value exemption supported) via Unified API.
    • Exemption for Recurring transactions can be requested via Unified API.

    SCA compliance

    For Merchant Initiated Transactions (MIT), you need to send all parameters to Unified Commerce.

    You should identify in-scope and out-of-scope transactions (to ones that are covered by Initial Payment and ones that are not covered).

    SCA Exemptions is referring to specific transactions that according EU regulation do not require SCA authentication so then such phase can be bypassed. Please not that in such cases SCA exemptions is not guaranteed as the last word belongs always to Issuer which can always refuse transactions;

    3DS authentication on each transaction

    For each payment initiated by customer, you need to request SCA. See below table for more information on parameter and description.

    Parameter nameParameter valueDescription
    SCAExempionsforce3DSUsed to force 3DS authentication

    Recurring payments - No subscription

    When a customer saves the card details for subsequent payment without any payment frequency period set, there are two difference phases for this kind of recurring payments:

    1. SCA in the form of 3DS for initial payment has to perform.
    2. SCA in the form of 3DS for subsequent payment for a Token.

    See below table for more information:

    Parameter nameParameter valueDescription
    paymentMethodDetailsInitialPaymentMethodTokenizationDetailsUsed for first payment for Subscription
    SCAExempionsforce3DSUsed to force 3DS authentication
    paymentMethodDetailsPaymentWithTokenUsed for subsequent payment in case of Subscription

    MIT transactions - Subscription/Recurring payments

    In this scenario, a subscription is made in form of recurring payments. You need to initiate the payment after certain period of time.

    See below table for the parameters and description.

    Parameter nameParameter valueDescription
    SCAExempionsforce3DSUsed to force 3DS authentication
    paymentMethodDetailsInitialPaymentMethodTokenizationDetailsUsed for first payment for Subscription
    paymentMethodDetailsMerchantInitiatePaymentWithTokenUsed for subsequent payment in case of Subscription

    SCA Exemption

    SCA can be exempted in some specific cases as below:

    1. Low monetary value;
    2. Delegated value;

    In such cases, two different parameters need to be sent already mapped and mirrored, see below table

    Parameter nameParameter valueDescriptionAdditional information
    SCAExempionsLowValueUsed to bypass 3ds authentication for low monetary valueTransactions under 30 EUR.

    Note: The card issuers keep track on certain counters; SCA must be applied again after 100 EUR of cumulative spending or on every 5 low-value transactions
    SCAExempionsDelegatedAuthentication on the Issuer behalf

    Was this helpful?

    What was your feeling about it?