Strong Customer Authentication (SCA) is part of Payment Services Directive 2, a set of regulations that applies to online payments processed in Europe. The SCA requirement is designed to make online payments more secure and reduce online fraud. This requirement triggers when both the credit card holder's bank and the payment processor are both in the European Economic Area (EEA).
Forms of Authentication
SCA requires at least two of the following three form factors in order to process an online payment:
- Knowledge: Something you know, such as a password or PIN code.
- Possession: Something you have, such as a phone or hardware token.
- Inherence: Something you are, such as a fingerprint or facial recognition.
There are many possible exceptions to the SCA requirements, including low-risk transactions, fixed-amount subscriptions, payments below €30, phone sales, and merchant-initiated transactions. Payment providers automatically request these exemptions when processing a payment, and the cardholder's bank ultimately decides whether to approve the exemption or determine if authentication is still necessary. Learn more about exemptions to Strong Customer Authentication.
Payment forms connected to Stripe can test SCA payments in the form preview using the regulatory test cards. Upon submitting the test payment, a dialog prompts you to either complete or fail the authentication. In live mode, customers are asked to verify their identity with a push notification, a text message, or another method chosen by their bank. Learn more about testing payment in Cognito Forms.
If you’re processing payments from the Entries page, payments that require authentication will be treated as declined. In this case, you need to share the form using the entry link in order to collect payment from your customer.
3D Secure (3DS)
3D Secure is the authentication service offered by the card payment industry, which performs SCA. Unlike regular card payments, 3D Secure requires cardholders to complete an additional verification step with the issuer. Typically, this involves showing the customer an authentication page on their bank's website, where they are prompted to enter a password associated with the card or a verification code sent to their phone.
Learn more about how our payment processors use SCA: