What Is SCA (Strong Customer Authentication)?


Strong Customer Authentication (SCA) is a European regulatory requirement under PSD2 that mandates multi-factor authentication for most electronic payments to reduce fraud.

Strong Customer Authentication (SCA) is a regulatory requirement introduced under the European Union’s revised Payment Services Directive (PSD2). It mandates that electronic payments within the European Economic Area must be authenticated using at least two of three independent factors: something the customer knows (such as a password or PIN), something the customer has (such as a phone or hardware token), and something the customer is (such as a fingerprint or facial recognition). The requirement applies to customer-initiated online payments, contactless transactions above certain thresholds, and other electronic payment actions. It took full effect in 2021, and non-compliant transactions are declined by issuing banks.

SCA is not a technology — it is a legal obligation. The technology most commonly used to fulfil it for online card payments is 3D Secure 2 (3DS2), which passes rich transaction data to the issuing bank so it can perform risk-based authentication. However, SCA also recognises several exemptions that allow certain transactions to bypass the challenge flow. These include low-value transactions under 30 euros, recurring payments of the same amount to the same merchant, transactions flagged as low-risk by the acquirer’s fraud analysis (known as Transaction Risk Analysis or TRA exemptions), and payments to merchants the customer has whitelisted as trusted beneficiaries. Knowing when and how to apply these exemptions is critical, because unnecessary challenges increase cart abandonment while missing a required challenge results in a declined payment.

For platforms operating internationally, SCA compliance adds meaningful complexity. The rules apply whenever both the acquirer and the issuer are in the EEA, but the specifics of how issuers enforce them vary by country and bank. Some issuers are stricter than others. Some have better support for frictionless 3DS2 flows. A platform selling across multiple European markets needs its payment infrastructure to handle these variations gracefully — requesting exemptions where appropriate, falling back to full authentication when required, and interpreting soft declines that signal an SCA retry is needed.
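The routing described above, as an added example that is not Shuttle's or any PSP's code: it requests one of the four exemptions listed earlier when one applies, and steps up to full authentication once if the issuer answers with a soft decline. The field names, the path and outcome strings, the order of the exemption checks, and the `strict_issuer` stub with its 100-euro cut-off are assumptions constructed for illustration.

```python
from dataclasses import dataclass

LOW_VALUE_LIMIT_CENTS = 3000  # page: low-value exemption applies under 30 euros

@dataclass(frozen=True)
class Payment:
    amount_cents: int                     # integer cents, no float rounding
    acquirer_in_eea: bool = True
    issuer_in_eea: bool = True
    trusted_beneficiary: bool = False     # customer listed the merchant as trusted
    recurring_same_amount: bool = False   # same amount, same merchant
    tra_low_risk: bool = False            # acquirer's Transaction Risk Analysis verdict

def choose_path(p):
    """Return the first authentication path to request, as (path, reason)."""
    if not (p.acquirer_in_eea and p.issuer_in_eea):
        return "no_sca", "out_of_scope"
    # Check order is an assumption; any single applicable exemption is enough.
    if p.trusted_beneficiary:
        return "exemption", "trusted_beneficiary"
    if p.recurring_same_amount:
        return "exemption", "recurring"
    if p.amount_cents < LOW_VALUE_LIMIT_CENTS:
        return "exemption", "low_value"
    if p.tra_low_risk:
        return "exemption", "tra"
    return "challenge", "no_exemption_applies"

def authorise(p, issuer):
    """Send the payment; on a soft decline retry once with full authentication.

    `issuer` is a callable (payment, path) -> "approved" | "soft_decline" |
    "hard_decline". The issuer has the final say on any exemption request.
    """
    path, _ = choose_path(p)
    attempts = [path]
    outcome = issuer(p, path)
    if outcome == "soft_decline" and path != "challenge":
        attempts.append("challenge")      # step up, never re-request the exemption
        outcome = issuer(p, "challenge")
    return outcome, attempts

def strict_issuer(p, path):
    """Constructed issuer stub: refuses exemptions of 100 euros or more."""
    if path == "challenge":
        return "approved"                 # assumes the customer passes the challenge
    return "soft_decline" if p.amount_cents >= 10000 else "approved"
```

A hard decline is returned as-is and never retried, and the retry happens at most once, so a refused exemption cannot loop.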

Shuttle Global manages SCA compliance within its payment infrastructure so that platforms do not need to build and maintain this logic themselves. When a transaction routed through Shuttle’s Embedded Payments or Payment Links requires SCA, Shuttle triggers the appropriate 3DS2 flow, applies eligible exemptions where they will improve conversion, and handles the back-and-forth with the issuing bank. Because Shuttle sits between the platform and 40+ PSPs across multiple geographies, it normalises the inconsistencies in how different processors and issuers implement SCA. The platform sends a single payment request; Shuttle ensures the right authentication path is followed based on the transaction amount, the customer’s location, the issuer’s requirements, and the acquirer’s capabilities. This is especially valuable for platforms expanding into European markets from regions where SCA does not apply — Shuttle absorbs the regulatory complexity so the platform’s integration stays the same regardless of where the transaction originates.
