Why it works

What Merchants Must Know About PSD2 and SCA

The Bottom Line

PSD2 mandates that most online card payments in Europe must be authenticated with at least two of three factors: something the customer knows (password), has (phone), or is (biometrics). Non-compliant payments will be declined by issuing banks.

In Practice

For card payments, SCA typically means 3D Secure authentication. The customer receives a push notification, SMS code, or biometric prompt from their banking app to approve the transaction.

Key Improvement

3DS2 shares rich transaction data with issuers, enabling risk-based authentication. Low-risk transactions pass through without customer interaction; only high-risk payments trigger a challenge step.

RoxPay Handles This

RoxPay automatically detects soft declines and retries with 3DS2 authentication. We also apply exemptions when eligible to avoid unnecessary authentication in the first place.

SCA Exemptions & Best Practices

How to Reduce Friction While Staying Compliant

Not every transaction requires SCA. Understanding exemptions and optimizing your 3DS2 flow can dramatically improve conversion rates.

Low-Value Exemption

Transactions under €30 can be exempted from SCA (up to €100 cumulative or 5 consecutive transactions). RoxPay automatically requests this exemption for eligible payments.

Merchant-Initiated Transactions

Recurring payments and subscriptions where the customer has already authenticated don't require SCA on subsequent charges. Card-on-file billing is exempt after initial consent.

Secure Corporate Payments

B2B payments made with corporate cards via secure processes can be exempted. Virtual cards and lodged cards used in secure corporate travel systems qualify.

Transaction Risk Analysis (TRA)

Payment providers with low fraud rates can apply for TRA exemption. RoxPay's fraud monitoring enables TRA for transactions up to €500 based on our fraud performance.

Trusted Beneficiaries

Customers can whitelist merchants as 'trusted beneficiaries' with their bank. Future purchases from trusted merchants skip SCA. Prompt customers to add you during checkout.

One-Leg-Out Transactions

When either the card issuer or acquirer is outside the EEA, SCA doesn't apply. This covers most non-European customers purchasing from EU merchants.

Implementation

How RoxPay Handles SCA Compliance

You don't need to become a 3DS2 expert. RoxPay manages authentication complexity automatically.

1

Automatic 3DS2 Triggering

RoxPay analyzes each transaction and determines whether SCA is required. When needed, we trigger 3DS2 authentication automatically — you don't need to make separate API calls.

2

Exemption Optimization

We automatically request appropriate exemptions (low-value, TRA, merchant-initiated) when transactions qualify. This reduces unnecessary authentication and improves conversion.

3

Frictionless Flow Support

RoxPay sends rich transaction data to issuers, maximizing the chance of frictionless authentication. Low-risk transactions are approved without customer interaction.

4

Soft Decline Handling

If a transaction is soft-declined for missing authentication, RoxPay automatically retries with 3DS2. Your checkout flow doesn't need special handling for these cases.

Frequently Asked Questions

PSD2 & SCA FAQ

Does SCA apply to all my transactions?

No. SCA applies to customer-initiated online payments within the EEA. Exempt scenarios include: transactions under €30 (with limits), recurring/subscription payments after initial authentication, merchant-initiated transactions, and payments where issuer or acquirer is outside EEA.

What's the difference between 3DS1 and 3DS2?

3DS1 (legacy) redirected customers to their bank's page to enter a static password — high friction, poor mobile experience, no exemptions. 3DS2 supports frictionless flows, mobile-native authentication (biometrics, app push), and exemption requests. 3DS2 has significantly higher approval rates.

Will SCA reduce my conversion rates?

Poorly implemented SCA can hurt conversion. But with 3DS2 frictionless flows and smart exemption handling, most merchants see minimal impact or even improvement (due to liability shift reducing chargebacks). RoxPay optimizes authentication to minimize friction.

What is Transaction Risk Analysis (TRA)?

TRA is an exemption that allows payment providers with low fraud rates to skip SCA for transactions up to €500. RoxPay qualifies for TRA and automatically applies it when eligible, reducing authentication steps for your customers.

How do recurring payments work under SCA?

The first payment in a subscription requires SCA. Subsequent recurring charges (merchant-initiated transactions) are exempt because the customer has already authenticated and given consent. RoxPay stores the necessary credentials and handles recurring billing without re-authentication.

Does SCA apply to non-EU customers?

If your customer's card was issued outside the EEA, SCA doesn't apply (one-leg-out exemption). However, many non-EU issuers still support 3DS2 for fraud prevention. RoxPay handles this automatically based on the card's issuing country.

Get started today

Stay Compliant Without the Complexity

RoxPay handles PSD2, SCA, and 3DS2 automatically. Focus on your business while we manage payment compliance.

✓ No monthly fixed costs · ✓ Activation in 24 hours · ✓ Dedicated technical support