Strong Customer Authentication (SCA): What US Merchants Selling to Europe Need to Know

Strong Customer Authentication (SCA) is a regulatory requirement under Europe’s Payment Services Directive 2 (PSD2) that mandates two-factor authentication for online card payments initiated by customers in the European Economic Area. If your WooCommerce store has European customers, SCA compliance is not optional — and getting it wrong means declined transactions and lost revenue.

What SCA Requires

SCA requires that a payment be authenticated using at least two of three independent factors:

  • Knowledge: Something the customer knows (password, PIN)
  • Possession: Something the customer has (phone, hardware token)
  • Inherence: Something the customer is (fingerprint, face ID)

3D Secure 2 (3DS2) is the primary technical mechanism for meeting SCA requirements in ecommerce. A 3DS2 authentication using biometrics or OTP on a registered device satisfies the two-factor requirement.

SCA Exemptions: Reducing Friction Without Losing Protection

Not every transaction requires a full SCA challenge. Several exemptions allow certain transactions to bypass authentication without losing liability shift protection:

  • Transaction Risk Analysis (TRA): Low-risk transactions may be exempt when they fall below the acquirer’s fraud thresholds and the acquirer’s fraud rate is below the TRA threshold
  • Low-value exemption: Transactions below €30 may be exempt, up to five consecutive transactions or a cumulative €100 limit
  • Trusted beneficiary (whitelisting): Customers can whitelist a merchant with their bank; subsequent transactions bypass SCA
  • Merchant-initiated transactions (MIT): Subsequent charges in a subscription or installment plan after the initial SCA-authenticated authorization
  • Corporate card transactions: Business-to-business transactions on lodge/corporate cards in some cases

What Happens Without SCA Compliance

In EEA countries with full SCA enforcement, card issuers are required to decline unauthenticated transactions. US merchants without 3DS enabled who sell to European customers will see increasing decline rates on European cards — each decline representing lost revenue.

ConvesioPay’s Automatic SCA Handling

ConvesioPay manages SCA compliance automatically through Adyen’s 3DS infrastructure. Exemptions are requested where applicable — reducing friction for low-risk transactions while ensuring compliant authentication for higher-risk ones. US merchants selling internationally don’t need to manually configure SCA; ConvesioPay handles the routing logic based on the customer’s issuing country and transaction profile. Pricing: 2.9% + $0.30, no monthly fees.

Ready to get started? Learn more about ConvesioPay or view pricing.

Updated on June 23, 2026
