By dinesh May 6, 2026
If your UK business accepts online payments and you’re still unclear about Strong Customer Authentication, you’re not alone, but the potential consequences still apply to you. Fines, rejected transactions, and frustrated customers are all on the table for merchants who haven’t fully implemented SCA. Whether you’re a growing eCommerce brand or an established retailer, understanding the UK’s Strong Customer Authentication (SCA) requirements is no longer optional. It’s the baseline for doing business safely and legally in today’s digital payments landscape.
What Is Strong Customer Authentication (SCA)?

Strong Customer Authentication, commonly abbreviated SCA, aims to heighten the security of online transactions by requiring users to provide two independent forms of identification to authorize a payment. The SCA verification requirements were implemented to combat payment fraud.
These factors fall into three categories: something the customer knows (such as a password or PIN), something the customer has (such as a registered mobile device), and something the customer is (such as a fingerprint or facial recognition). When two of these three elements are combined, the authentication is considered “strong.” This two-factor approach is what makes SCA fundamentally different from older, single-layer verification methods.
The FCA handles SCA compliance in the UK. After Brexit, the UK modified the SCA rules under the Payment Services Regulations 2017, so UK merchants are not directly governed by the EU’s PSD2, but the requirements remain almost the same.
Why SCA Compliance Matters for UK Merchants

Merchants often underestimate the direct impact of SCA on their bottom line. Non-compliance doesn’t just create legal exposure — it creates friction at the checkout and increases the likelihood of declined payments. In 2021, UK Finance reported that fraud losses on UK-issued cards totaled £574 million. SCA exists to drive that number down, and payment processors are actively enforcing these rules.
When SCA is not properly implemented, card networks and issuing banks can decline transactions outright. That’s lost revenue, not a minor inconvenience. On the flip side, merchants who implement SCA correctly — and intelligently use available exemptions — can improve checkout conversion rates while remaining fully compliant.
Visa, Mastercard, and the largest UK acquirers, such as Barclays and WorldPay, say SCA will remain in the UK payments ecosystem. While it is a legal requirement, getting it right is a competitive advantage.
How 3D Secure 2 (3DS2) Supports SCA
The primary technical mechanism for delivering SCA in online card payments is 3D Secure 2. It modernizes the legacy 3D Secure protocol, and both Visa (via Visa Secure) and Mastercard (via Mastercard Identity Check) have made it compulsory within their ecosystems.
3DS2 is a major improvement over 3DS, enabling frictionless authentication. Instead of the customer always being sent to a different page for verification, 3DS2 submits highly detailed information (device data, purchase history, browsing data) to the issuing bank. If the bank’s risk engine is satisfied, the customer is not challenged, and the transaction is approved. With 3DS2, only high-risk transactions are sent to the customer for an authentication challenge (such as a one-time passcode).
For merchants, this means SCA doesn’t have to mean a clunky customer experience. Implemented well, most legitimate transactions flow through without any visible disruption to the buyer. The key is working with a payment service provider (PSP) that has a mature 3DS2 integration.
SCA Exemptions UK Merchants Should Know
Not every transaction requires full SCA verification. Understanding the available exemptions is where savvy UK merchants can genuinely optimize their payment strategy. Applying the right exemption at the right time reduces unnecessary friction and keeps conversion rates healthy.
Low-value transactions are exempt when the payment is under £30. However, this exemption expires after five consecutive uses or once the cumulative total exceeds £100, whichever comes first. At that point, SCA is required for the next transaction regardless of value.
Among the most commercially viable exemptions is Transaction Risk Analysis (TRA). Service providers that meet certain fraud thresholds can use the TRA exemption to exempt low-risk transactions from SCA. The fraud thresholds are tiered, so very low-fraud PSPs can use the TRA exemption for transactions up to £500. This exemption is not something merchants can apply themselves. Your PSP must qualify and must apply it for you.
Recurring payments present a nuanced picture. The first payment in a recurring series requires SCA. Subsequent payments initiated by the merchant — known as merchant-initiated transactions (MITs) — are technically outside the scope of SCA, provided the initial agreement was properly authenticated. Subscription businesses and SaaS platforms should pay close attention to how their PSP handles this distinction.
The trusted beneficiaries exemption permits cardholders to register a merchant with their issuing bank, such that subsequent payments to that merchant bypass the SCA challenge. It is currently offered primarily in consumer banking apps and is still nascent in the UK market. It would be wise to review the FCA’s recent advice on SCA to ensure your understanding aligns with the latest guidance.
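The low-value and recurring-payment rules above can be modelled as a small per-card state machine. The following is an added example, not code from this article or from any PSP; the class, function names and the counter reset on successful SCA are assumptions, and TRA and trusted beneficiaries are left out because the PSP or issuer applies them, not the merchant.

```python
from dataclasses import dataclass

# Thresholds as stated in this article, held in pence to avoid float rounding.
LOW_VALUE_LIMIT_P = 30_00     # exemption applies to payments under £30
MAX_EXEMPT_USES = 5           # expires after five consecutive uses
MAX_EXEMPT_TOTAL_P = 100_00   # or once the cumulative total exceeds £100


@dataclass
class CardExemptionState:
    """Hypothetical per-card counters since the last successful SCA."""
    exempt_uses: int = 0
    exempt_total_p: int = 0
    mandate_authenticated: bool = False  # first recurring payment passed SCA

    def low_value_expired(self) -> bool:
        # "Whichever comes first": either limit alone ends the exemption.
        return (self.exempt_uses >= MAX_EXEMPT_USES
                or self.exempt_total_p > MAX_EXEMPT_TOTAL_P)

    def decide(self, amount_p: int, merchant_initiated: bool = False) -> str:
        """Return 'out_of_scope_mit', 'exempt_low_value' or 'sca_required'."""
        if merchant_initiated:
            # An MIT is out of scope only if the initial agreement was authenticated.
            return ("out_of_scope_mit" if self.mandate_authenticated
                    else "sca_required")
        if amount_p < LOW_VALUE_LIMIT_P and not self.low_value_expired():
            self.exempt_uses += 1
            self.exempt_total_p += amount_p
            return "exempt_low_value"
        return "sca_required"

    def record_sca_success(self, starts_recurring: bool = False) -> None:
        # Assumption: a completed SCA resets both low-value counters.
        self.exempt_uses = 0
        self.exempt_total_p = 0
        if starts_recurring:
            self.mandate_authenticated = True


def simulate(amounts_p):
    """Customer-initiated payments on one card; every SCA is assumed to succeed."""
    state, outcomes = CardExemptionState(), []
    for amount_p in amounts_p:
        outcome = state.decide(amount_p)
        if outcome == "sca_required":
            state.record_sca_success()
        outcomes.append(outcome)
    return outcomes
```

With five constructed £29 payments, the cumulative limit trips before the five-use limit: the first four are exempt (total £116) and the fifth requires SCA.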
Choosing the Right Payment Service Provider for SCA

The most important infrastructure decision a UK merchant makes around SCA is choosing the right PSP. Your PSP is the entity that actually implements 3DS2, applies exemptions, and communicates with the card networks on your behalf. A capable PSP can dramatically reduce the compliance burden on your own development team.
Stripe
Stripe provides UK and European merchants with an SCA-compliant payment solution with built-in 3DS2 and exemption support in Radar and Payments. 3DS2 flows and exemption support are automatically managed by Stripe. Through the Payment Intents API, merchants control whether a payment request goes through SCA or whether an exemption is requested. The flexibility to choose when to enforce SCA and when to request exemptions is useful for enterprise merchants with higher payment volumes and multiple requests.
Adyen
Adyen provides one of the most advanced SCA implementations with its RevenueAccelerate product, which aims to minimize friction during authentication while maximizing the use of exemptions. Using Adyen’s global fraud data, the company can set the standard, enabling merchants on the platform to increase revenue by applying TRA exemptions at much higher risk tiers.
PayPal
For PayPal wallet transactions, PayPal is the authenticating party, so most of them fall outside the merchant-focused SCA requirements. However, merchants using PayPal’s Braintree gateway for direct card acceptance must ensure 3DS2 is properly configured for card-not-present transactions. The EMVCo 3DS specification has the most comprehensive technical details for 3DS2 implementation across various systems.
Practical Steps for UK Merchants to Implement SCA
Implementation doesn’t have to be daunting. Most of the heavy lifting falls to your PSP, but merchants need to take a structured approach to ensure nothing falls through the cracks.
The first part of your process is to analyze your existing payment systems. Where do your customers input their credit/debit card details? Analyze your checkouts. Do customers use saved cards, renew subscriptions, call in, or order through your MOTO (mail order/telephone order) system? Each payment channel presents unique challenges regarding Strong Customer Authentication. Mapping these channels shows where your payment systems need to be updated.
Afterward, confirm with your Payment Service Provider whether they have adequately and appropriately integrated 3D Secure 2.0 into their system. Ask whether they apply exemptions and which ones they use. Many merchants assume their service provider is giving them the best available configuration, when really they are only getting the default. Asking your Payment Service Provider to present both your payment acceptance trends and authentication success rates is a very reasonable request.
If your company utilizes MOTO orders or transactions where goods/services are not physically received, be aware that MOTO transactions are not subject to SCA requirements. However, you should flag these transactions to your PSP to ensure proper handling and avoid unnecessary declines.
Finally, test your authentication flows thoroughly before going live. Use sandbox environments provided by your PSP to simulate both frictionless and challenge flows. Ensure that your checkout gracefully handles the case where a customer fails SCA — redirecting them clearly, not leaving them stranded on a blank page.
The case studies and industry guidance available on the UK Finance SCA hub provide resources relevant to different merchant types at various stages of implementation.
Common SCA Mistakes UK Merchants Make
Many merchants assume SCA is purely a technical problem delegated entirely to the PSP. The reality is that business decisions — how subscriptions are structured, how saved cards are managed, how returns and chargebacks are processed — all intersect with SCA compliance in ways that require merchant-level understanding.
Another common mistake is failing to update legacy checkout integrations. Merchants running older payment page code that only supports 3DS version 1 will face increasing decline rates as issuers enforce 3DS2 mandates. The window for running outdated authentication infrastructure is closing quickly.
The failure to seek an exemption can also be seen as a lost opportunity. Countless small merchants neglect to engage in dialogue with their PSP to understand how they can leverage exemptions to improve their conversion rates. For many, a simple discussion with their PSP’s account manager to gain insights into TRA eligibility can be hugely beneficial, helping them see a jump in their approval rates.
Conclusion
UK Strong Customer Authentication (SCA) compliance is one of those areas where preparation pays compounding dividends. Getting it right reduces fraud exposure, improves payment acceptance rates, and builds customer trust, all at the same time. The regulatory framework is clear, the 3DS2 technology is mature, and the PSP ecosystem has the tools to make implementation smooth. The merchants who treat SCA as a strategic lever rather than a compliance checkbox are the ones who come out ahead. Review your payment flows, engage your PSP, and make SCA work for your business, not just around it.
Frequently Asked Questions
What is Strong Customer Authentication, and does it apply to my UK business?
Strong Customer Authentication is a regulatory requirement under the UK Payment Services Regulations 2017 that mandates two-factor verification for electronic payments. If your business accepts online card payments from UK customers, SCA applies to you. Brick-and-mortar businesses using chip and PIN are largely already compliant through existing terminal technology.
What happens if a UK merchant doesn’t comply with SCA?
Non-compliant transactions are likely to be declined by the issuing bank. Beyond transaction failures, the FCA has the authority to take enforcement action against payment service providers that fail to uphold SCA standards. For merchants, persistent non-compliance results in increased chargebacks, higher decline rates, and potential loss of card acceptance privileges.
Can SCA exemptions reduce friction at checkout?
Yes, and this is an underutilized advantage. Exemptions such as low-value transaction limits and Transaction Risk Analysis allow eligible payments to skip the SCA challenge entirely, resulting in a seamless checkout experience. The key is ensuring your PSP is actively applying exemptions rather than defaulting to a challenge-every-transaction approach.
Is 3D Secure 2 the same as Strong Customer Authentication?
They are related but not identical. 3D Secure 2 is the technical protocol that enables SCA for online card payments. SCA is the broader regulatory standard that 3DS2 helps fulfill. Other payment methods — such as open banking payments — fulfill SCA requirements through different technical mechanisms, but for card-not-present eCommerce, 3DS2 is the standard implementation path.