Understanding the Regulations

What Merchants Must Know About PSD2 and SCA

What is PSD2?

The Second Payment Services Directive (PSD2) is an EU directive adopted in 2015 and applied across the EEA from January 2018. Its Strong Customer Authentication (SCA) requirements, set out in the accompanying Regulatory Technical Standards, applied from 14 September 2019, and most EEA regulators gave e-commerce until the end of 2020 before unauthenticated card payments started being declined. SCA is required for most electronic payments, with the aim of reducing fraud and increasing payment security across Europe.

The Bottom Line

PSD2 mandates that most online card payments where both the card issuer and the merchant's acquirer are in the EEA must be authenticated with at least two independent factors from three categories: something the customer knows (password, PIN), has (phone, card), or is (biometrics). A payment that requires SCA and is submitted without it can be declined by the issuing bank.

What is SCA?

Strong Customer Authentication is two-factor authentication for online payments. Customers must verify their identity using two elements from different categories: knowledge (PIN, password), possession (phone, card), and inherence (fingerprint, face). The elements must be independent, so that compromising one does not compromise the other; two passwords, for example, do not count.

In Practice

For card payments, SCA typically means 3D Secure authentication. The customer receives a push notification, SMS code, or biometric prompt from their banking app to approve the transaction.

What is 3D Secure 2.0?

3D Secure 2.0 (3DS2, formally EMV 3-D Secure) is the technical protocol that carries SCA for card payments. Unlike the old 3DS1 (redirect to a bank page, enter a static password), 3DS2 supports frictionless flows in which the issuer authenticates low-risk transactions from the transaction data alone, without a customer challenge.

Key Improvement

3DS2 shares rich transaction data with issuers, enabling risk-based authentication. Low-risk transactions pass through without customer interaction; only high-risk payments trigger a challenge step.

What Happens Without SCA?

Payments that require SCA but were submitted without it are declined with a 'soft decline': a scheme-specific response code that means the issuer wants authentication, not that the card or the funds are bad. The issuing bank rejects the transaction and expects it to be resubmitted with a 3DS2 result. Your checkout flow must handle this gracefully rather than treating it as a final decline.

RoxPay Handles This

RoxPay automatically detects soft declines and retries with 3DS2 authentication. We also apply exemptions when eligible to avoid unnecessary authentication in the first place.

SCA Exemptions & Best Practices

How to Reduce Friction While Staying Compliant

Not every transaction requires SCA. Understanding exemptions and optimizing your 3DS2 flow can dramatically improve conversion rates. Two caveats apply to every exemption below: the issuer always has the final say and can answer an exemption request with a soft decline asking for SCA anyway, and a payment that goes through on an acquirer-side exemption (low-value, TRA, secure corporate) is not authenticated, so fraud liability stays with the merchant instead of shifting to the issuer.

Low-Value Exemption

Remote transactions of €30 or less can be exempted from SCA, as long as the cumulative amount since the cardholder's last SCA does not exceed €100 or the count does not exceed 5 consecutive transactions. The issuer keeps these counters per card, so a request for this exemption can still come back as a soft decline once a limit is hit. RoxPay automatically requests this exemption for eligible payments.

Merchant-Initiated Transactions

Merchant-initiated transactions (MITs), such as recurring subscription charges taken without the customer present, are outside the scope of SCA, provided the customer authenticated with SCA when the agreement was set up and that initial transaction was flagged as the start of a series. Fixed-amount recurring payments to the same payee are additionally covered by a formal exemption. Note that a card-on-file payment the customer triggers themselves (clicking 'pay' with a saved card) is customer-initiated and still requires SCA.

Secure Corporate Payments

B2B payments made with corporate cards through dedicated payment processes that are only available to non-consumers can be exempted, where the national regulator is satisfied the process offers equivalent security. Virtual cards and lodged cards used in secure corporate travel systems are the typical case.

Transaction Risk Analysis (TRA)

Acquirers and issuers with low fraud rates can apply TRA. The exemption ceiling depends on the provider's reference fraud rate for remote card payments: €100 is available at a rate of up to 0.13%, €250 at up to 0.06% and €500 at up to 0.01%. RoxPay's fraud monitoring enables TRA for transactions up to €500 based on our fraud performance.

Trusted Beneficiaries

Customers can add merchants to a 'trusted beneficiaries' list held by their issuing bank. Future purchases from trusted merchants skip SCA. The list is created and maintained by the issuer, normally by offering the option during a 3DS2 challenge (supported from EMV 3DS 2.2), so whether your customers can add you depends on issuer support; prompt customers to add you during checkout where the option is offered.

One-Leg-Out Transactions

SCA is only mandatory when both the card issuer's payment service provider and the merchant's acquirer are in the EEA. When either is outside the EEA, the EEA-side provider applies SCA on a 'best efforts' basis only, and the issuer can approve without it. This covers most non-European cardholders purchasing from EU merchants; what matters is where the card was issued, not where the customer is located.
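The scope rule and the exemption thresholds above amount to a small decision procedure. The following is an added illustration, not RoxPay's code: it models the EEA scope check, the low-value counters (which the issuer, not the merchant, really keeps) and the TRA fraud-rate tiers, and reports whether the chosen route carries a liability shift. Amounts are euro cents; `Transaction`, `CardCounters`, `decide` and `simulate` are names invented for this example, and the choice to enforce both low-value counters at once is a modelling assumption.

```python
"""SCA scope and exemption decision, as an added illustration (not RoxPay code).

Amounts are in euro cents. Thresholds come from the RTS on SCA (EU 2018/389):
low-value exemption (Art. 16), transaction risk analysis (Art. 18) and the
scope rule that both issuer and acquirer must be in the EEA. The per-card
counters behind the low-value exemption are kept by the issuer in reality;
they are modelled locally here so the rule can be exercised end to end.
"""
from dataclasses import dataclass

# EU member states plus Iceland, Liechtenstein and Norway.
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "IS", "LI", "NO",
}

LOW_VALUE_MAX = 30_00            # single transaction ceiling
LOW_VALUE_CUMULATIVE_MAX = 100_00
LOW_VALUE_MAX_COUNT = 5          # consecutive unauthenticated transactions

# TRA tiers: (acquirer reference fraud rate in percent, ceiling in cents), lowest rate first.
TRA_TIERS = [(0.01, 500_00), (0.06, 250_00), (0.13, 100_00)]


@dataclass
class Transaction:
    amount: int                      # euro cents; non-EUR amounts must be converted first
    issuer_country: str              # ISO 3166-1 alpha-2 of the card issuer's PSP
    acquirer_country: str            # ISO 3166-1 alpha-2 of the merchant's acquirer
    initiated_by: str = "customer"   # "customer" (CIT) or "merchant" (MIT)
    secure_corporate: bool = False   # dedicated B2B process approved by the regulator


@dataclass
class CardCounters:
    """Issuer-side state behind the low-value exemption; modelled locally (assumption)."""
    spent_since_sca: int = 0
    count_since_sca: int = 0


@dataclass
class Decision:
    route: str              # "out_of_scope", "secure_corporate", "low_value", "tra" or "sca_required"
    liability_shifts: bool  # True only when the payment will actually be authenticated


def tra_ceiling(acquirer_fraud_rate_pct: float) -> int:
    """Highest amount the acquirer may exempt under TRA for its fraud rate (0 if none)."""
    for max_rate, ceiling in TRA_TIERS:
        if acquirer_fraud_rate_pct <= max_rate:
            return ceiling
    return 0


def low_value_eligible(tx: Transaction, counters: CardCounters) -> bool:
    # Modelling choice: enforce both the cumulative-amount and the count limit,
    # counting the current transaction; the RTS lets the issuer pick the counter it applies.
    return (
        tx.amount <= LOW_VALUE_MAX
        and counters.spent_since_sca + tx.amount <= LOW_VALUE_CUMULATIVE_MAX
        and counters.count_since_sca + 1 <= LOW_VALUE_MAX_COUNT
    )


def decide(tx: Transaction, counters: CardCounters, acquirer_fraud_rate_pct: float) -> Decision:
    """Pick the route a merchant/acquirer would request. The issuer still has the final say."""
    if tx.issuer_country not in EEA or tx.acquirer_country not in EEA:
        return Decision("out_of_scope", liability_shifts=False)   # one-leg-out
    if tx.initiated_by == "merchant":
        return Decision("out_of_scope", liability_shifts=False)   # MIT; SCA happened at setup
    if tx.secure_corporate:
        return Decision("secure_corporate", liability_shifts=False)
    if low_value_eligible(tx, counters):
        return Decision("low_value", liability_shifts=False)
    if tx.amount <= tra_ceiling(acquirer_fraud_rate_pct):
        return Decision("tra", liability_shifts=False)
    return Decision("sca_required", liability_shifts=True)


def record_outcome(counters: CardCounters, tx: Transaction, authenticated: bool) -> CardCounters:
    """Update the modelled issuer counters: SCA resets them, an unauthenticated payment adds to them."""
    if authenticated:
        return CardCounters()
    return CardCounters(counters.spent_since_sca + tx.amount, counters.count_since_sca + 1)


def simulate(amounts, issuer="DE", acquirer="FR", fraud_rate_pct=0.05):
    """Run a sequence of customer-initiated amounts on one card and return the route chosen for each."""
    counters = CardCounters()
    routes = []
    for amount in amounts:
        tx = Transaction(amount, issuer, acquirer)
        d = decide(tx, counters, fraud_rate_pct)
        routes.append(d.route)
        counters = record_outcome(counters, tx, authenticated=(d.route == "sca_required"))
    return routes


if __name__ == "__main__":
    # Constructed sequence: four EUR 25 purchases exhaust the EUR 100 cumulative cap, the
    # fifth EUR 25 falls back to TRA, and EUR 400 exceeds the EUR 250 TRA ceiling at 0.05 %.
    print(simulate([25_00, 25_00, 25_00, 25_00, 25_00, 400_00]))
```

The point of the simulation is the state: the fifth €25 payment is not eligible for the low-value exemption even though it is individually under €30, and only a successful SCA resets the counters. In production the merchant never sees these counters, which is why an exemption request must always be written to tolerate a soft decline.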

Implementation

How RoxPay Handles SCA Compliance

You don't need to become a 3DS2 expert. RoxPay manages authentication complexity automatically.

1

Automatic 3DS2 Triggering

RoxPay analyzes each transaction and determines whether SCA is required. When needed, we trigger 3DS2 authentication automatically — you don't need to make separate API calls.

2

Exemption Optimization

We automatically request appropriate exemptions (low-value, TRA, merchant-initiated) when transactions qualify. This reduces unnecessary authentication and improves conversion.

3

Frictionless Flow Support

RoxPay sends rich transaction data to issuers, maximizing the chance of frictionless authentication. Low-risk transactions are approved without customer interaction.

4

Soft Decline Handling

If a transaction is soft-declined for missing authentication, RoxPay automatically retries with 3DS2. Your checkout flow does not need to detect or interpret soft declines itself; it only needs to let the authentication step run when the issuer asks for one.
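For merchants integrating a gateway that does not absorb this step, the retry logic the four steps above describe looks like the following. This is an added illustration and not RoxPay's code: `MockGateway`, `AuthResult` and `charge` are invented for the example, and the gateway is a constructed stand-in whose behaviour is set by its constructor flags. Real acquirers signal "authentication required" with scheme-specific response codes (Visa 1A and Mastercard 65 are the commonly used ones). The rules encoded are: authorize with the requested exemption first, retry exactly once with the 3DS result if the issuer soft-declines, never retry a hard decline, and report a liability shift only when authentication actually ran.

```python
"""Merchant-side handling of an SCA soft decline, as an added illustration (not RoxPay code).

The gateway and authentication interfaces are hypothetical mocks. Real gateways
signal "authentication required" with scheme-specific codes (Visa 1A, Mastercard 65).
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class AuthResult:
    authenticated: bool
    eci: str = ""    # electronic commerce indicator from the 3DS result
    cavv: str = ""   # authentication value forwarded in the re-authorization


class MockGateway:
    """Constructed stand-in for an acquirer. Behaviour is driven by the constructor flags."""

    def __init__(self, balance: int, honours_exemptions: bool):
        self.balance = balance                        # cardholder funds, in cents
        self.honours_exemptions = honours_exemptions  # whether the issuer accepts exemption flags
        self.calls = []                               # every authorization request, for inspection

    def authorize(self, request: dict) -> dict:
        self.calls.append(dict(request))
        if request["amount"] > self.balance:
            return {"status": "hard_decline", "code": "51"}   # insufficient funds: final
        auth: Optional[AuthResult] = request.get("authentication")
        if auth is not None and auth.authenticated:
            return {"status": "approved", "liability_shift": True}
        if request.get("exemption") and self.honours_exemptions:
            return {"status": "approved", "liability_shift": False}
        return {"status": "soft_decline", "code": "1A"}       # issuer wants SCA


def charge(gateway, authenticate: Callable[[dict], AuthResult], request: dict) -> dict:
    """One checkout with at most one SCA retry. Returns outcome, liability_shift and attempt count."""
    first = gateway.authorize(request)
    if first["status"] == "approved":
        return {"outcome": "approved", "liability_shift": first["liability_shift"], "attempts": 1}
    if first["status"] != "soft_decline":
        # Hard declines (funds, lost/stolen, do-not-honour) are never retried.
        return {"outcome": "declined", "liability_shift": False, "attempts": 1}

    # Issuer wants SCA: run 3DS2 (challenge or frictionless), then re-authorize with the result.
    auth = authenticate(request)
    if not auth.authenticated:
        return {"outcome": "authentication_failed", "liability_shift": False, "attempts": 1}
    retry = dict(request, exemption=None, authentication=auth)   # drop the exemption flag
    second = gateway.authorize(retry)
    if second["status"] == "approved":
        return {"outcome": "approved", "liability_shift": second["liability_shift"], "attempts": 2}
    # Any decline after a successful authentication is final; never loop.
    return {"outcome": "declined", "liability_shift": False, "attempts": 2}


def always_pass(_request: dict) -> AuthResult:
    """Stand-in 3DS2 step whose cardholder always authenticates (constructed)."""
    return AuthResult(True, eci="05", cavv="constructed-cavv")


def always_fail(_request: dict) -> AuthResult:
    """Stand-in 3DS2 step whose cardholder abandons the challenge (constructed)."""
    return AuthResult(False)


if __name__ == "__main__":
    req = {"order": "A1", "amount": 45_00, "currency": "EUR", "exemption": "tra"}
    print(charge(MockGateway(balance=100_00, honours_exemptions=False), always_pass, req))
```

Two details matter operationally. The retry strips the exemption flag, because the issuer has just told you it will not honour one, and the `liability_shift` field is only true on the authenticated path, so an order that cleared on an exemption should not be treated as chargeback-protected.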

Frequently Asked Questions

PSD2 & SCA FAQ

Does SCA apply to all my transactions?

No. SCA applies to customer-initiated electronic payments where both the issuer and the acquirer are in the EEA. Outside its scope or exempt from it: transactions of €30 or less (subject to cumulative limits), recurring/subscription payments after the initial authenticated setup, other merchant-initiated transactions, and payments where the issuer or acquirer is outside the EEA.

What's the difference between 3DS1 and 3DS2?

3DS1 (legacy) redirected customers to their bank's page to enter a static password: high friction, poor mobile experience, and no way to signal exemptions. 3DS2 supports frictionless flows, mobile-native authentication (biometrics, app push), and exemption requests, and typically achieves higher approval rates.

Will SCA reduce my conversion rates?

Poorly implemented SCA can hurt conversion. With 3DS2 frictionless flows and smart exemption handling, most merchants see minimal impact, and authenticated payments benefit from the liability shift: once the issuer has authenticated the cardholder, fraud chargebacks on that transaction are the issuer's liability. Bear in mind that the shift only applies to authenticated transactions; a payment cleared on an acquirer exemption carries no liability shift. RoxPay optimizes authentication to minimize friction.

What is Transaction Risk Analysis (TRA)?

TRA is an exemption that lets payment providers with low fraud rates skip SCA up to a ceiling tied to their fraud rate: €100, €250 or €500 for reference fraud rates of at most 0.13%, 0.06% or 0.01% respectively. RoxPay qualifies for TRA and automatically applies it when eligible, reducing authentication steps for your customers.

How do recurring payments work under SCA?

The first payment in a subscription requires SCA, and that initial transaction is flagged as the setup of a recurring series. Subsequent charges are merchant-initiated transactions, which fall outside SCA because the customer has already authenticated and given consent; fixed-amount recurring payments are also a named exemption. RoxPay stores the necessary credentials and handles recurring billing without re-authentication.

Does SCA apply to non-EU customers?

If your customer's card was issued by a bank outside the EEA, SCA is not mandatory (the one-leg-out rule), though the EEA-side provider still applies it on a best-efforts basis. Many non-EU issuers support 3DS2 anyway, for fraud prevention and the liability shift. RoxPay handles this automatically based on the card's issuing country.

Get started today

Stay Compliant Without the Complexity

RoxPay handles PSD2, SCA, and 3DS2 automatically. Focus on your business while we manage payment compliance.

✓ No monthly fixed costs · ✓ Activation in 24 hours · ✓ Dedicated technical support