PSD2, SCA & 3D Secure: The Merchant's Complete Guide
Everything online merchants need to know about European payment regulations. Understand Strong Customer Authentication requirements, leverage exemptions to reduce checkout friction, and implement 3D Secure 2.0 for maximum approval rates.
What Merchants Must Know About PSD2 and SCA
The Bottom Line
PSD2 mandates that most online card payments in Europe must be authenticated with at least two of three factors: something the customer knows (password), has (phone), or is (biometrics). Non-compliant payments will be declined by issuing banks.
In Practice
For card payments, SCA typically means 3D Secure authentication. The customer receives a push notification, SMS code, or biometric prompt from their banking app to approve the transaction.
Key Improvement
3DS2 shares rich transaction data with issuers, enabling risk-based authentication. Low-risk transactions pass through without customer interaction; only high-risk payments trigger a challenge step.
RoxPay Handles This
RoxPay automatically detects soft declines and retries with 3DS2 authentication. We also apply exemptions when eligible to avoid unnecessary authentication in the first place.
How to Reduce Friction While Staying Compliant
Not every transaction requires SCA. Understanding exemptions and optimizing your 3DS2 flow can dramatically improve conversion rates.
Low-Value Exemption
Transactions under €30 can be exempted from SCA (up to €100 cumulative or 5 consecutive transactions). RoxPay automatically requests this exemption for eligible payments.
Merchant-Initiated Transactions
Recurring payments and subscriptions where the customer has already authenticated don't require SCA on subsequent charges. Card-on-file billing is exempt after initial consent.
Secure Corporate Payments
B2B payments made with corporate cards via secure processes can be exempted. Virtual cards and lodged cards used in secure corporate travel systems qualify.
Transaction Risk Analysis (TRA)
Payment providers with low fraud rates can apply for TRA exemption. RoxPay's fraud monitoring enables TRA for transactions up to €500 based on our fraud performance.
Trusted Beneficiaries
Customers can whitelist merchants as 'trusted beneficiaries' with their bank. Future purchases from trusted merchants skip SCA. Prompt customers to add you during checkout.
One-Leg-Out Transactions
When either the card issuer or acquirer is outside the EEA, SCA doesn't apply. This covers most non-European customers purchasing from EU merchants.
How RoxPay Handles SCA Compliance
You don't need to become a 3DS2 expert. RoxPay manages authentication complexity automatically.
Automatic 3DS2 Triggering
RoxPay analyzes each transaction and determines whether SCA is required. When needed, we trigger 3DS2 authentication automatically — you don't need to make separate API calls.
Exemption Optimization
We automatically request appropriate exemptions (low-value, TRA, merchant-initiated) when transactions qualify. This reduces unnecessary authentication and improves conversion.
Frictionless Flow Support
RoxPay sends rich transaction data to issuers, maximizing the chance of frictionless authentication. Low-risk transactions are approved without customer interaction.
Soft Decline Handling
If a transaction is soft-declined for missing authentication, RoxPay automatically retries with 3DS2. Your checkout flow doesn't need special handling for these cases.
PSD2 & SCA FAQ
Does SCA apply to all my transactions?
No. SCA applies to customer-initiated online payments within the EEA. Exempt scenarios include: transactions under €30 (with limits), recurring/subscription payments after initial authentication, merchant-initiated transactions, and payments where issuer or acquirer is outside EEA.
What's the difference between 3DS1 and 3DS2?
3DS1 (legacy) redirected customers to their bank's page to enter a static password — high friction, poor mobile experience, no exemptions. 3DS2 supports frictionless flows, mobile-native authentication (biometrics, app push), and exemption requests. 3DS2 has significantly higher approval rates.
Will SCA reduce my conversion rates?
Poorly implemented SCA can hurt conversion. But with 3DS2 frictionless flows and smart exemption handling, most merchants see minimal impact or even improvement (due to liability shift reducing chargebacks). RoxPay optimizes authentication to minimize friction.
What is Transaction Risk Analysis (TRA)?
TRA is an exemption that allows payment providers with low fraud rates to skip SCA for transactions up to €500. RoxPay qualifies for TRA and automatically applies it when eligible, reducing authentication steps for your customers.
How do recurring payments work under SCA?
The first payment in a subscription requires SCA. Subsequent recurring charges (merchant-initiated transactions) are exempt because the customer has already authenticated and given consent. RoxPay stores the necessary credentials and handles recurring billing without re-authentication.
Does SCA apply to non-EU customers?
If your customer's card was issued outside the EEA, SCA doesn't apply (one-leg-out exemption). However, many non-EU issuers still support 3DS2 for fraud prevention. RoxPay handles this automatically based on the card's issuing country.
You might also like
High Risk Payment Gateway
Secure payment processing for high-risk industries with multi-acquirer routing and chargeback protection.
Small Business Payment Solutions
Transparent IC++ pricing, free Smart POS terminal, and 24-hour activation for small businesses.
E-commerce Payment Integrations
One-click plugins for WooCommerce, Magento, and PrestaShop with full API access.
Stay Compliant Without the Complexity
RoxPay handles PSD2, SCA, and 3DS2 automatically. Focus on your business while we manage payment compliance.
✓ No monthly fixed costs · ✓ Activation in 24 hours · ✓ Dedicated technical support