What Is Strong Customer Authentication in the UK: SCA Explained
Published date: 27.08.2025
Last updated: 27.08.2025
Despite the convenience that online shopping offers consumers, payment fraud remains a big concern. In fact, UK Finance reported that criminals stole £1.17 billion through unauthorised and authorised fraud in 2024.
This raises the question of what should be done, and how, to prevent online payment fraud and protect customers. The answer lies in strong customer authentication.
If you’d like to understand what strong customer authentication is in the UK, this article is for you. Below, we help merchants with online and e-commerce offerings navigate the space better to ensure stronger compliance.
TABLE OF CONTENTS
- What Is Strong Customer Authentication (SCA)?
- Why SCA Was Introduced Under PSD2 Regulations
- How SCA Affects UK Businesses and Online Transactions
- When SCA Is Required and When It’s Exempt
- How SCA Works for In-Store vs. Online Card Payments
- Impact of SCA on Checkout Flow and Conversion Rates
- myPOS Solutions That Support SCA Compliance
What Is Strong Customer Authentication (SCA)?
Strong Customer Authentication (SCA) is a form of protection against online payment fraud that applies when customers shop online, initiate payment transactions and more. Introduced under the Revised Payment Services Directive (PSD2), it requires payment service providers to apply further steps of protection.
In the past, when a customer initiated an online payment, they would only be required to submit a static password in the required field to proceed. However, with SCA, there are three requirements that come into play, two of which must take place simultaneously.
These three requirements focus on what a customer knows (e.g. a password), what a customer has (e.g. a mobile phone) and what a customer is (e.g. a fingerprint or face recognition).
Any two of these three requirements must work together at the same time to authenticate a payment. It’s important to also note that Strong Customer Authentication applies to customers with cards and banks/issuers/acquirers in the European Economic Area, including the UK.
Why SCA Was Introduced Under PSD2 Regulations
SCA was introduced as part of the Revised Payment Services Directive (PSD2). This European regulation is designed to make electronic payments more secure and reduce fraud across the European Union (EU) and the UK.
Before PSD2, online payments were often authenticated with a single security measure, such as entering card details or a password. However, these methods became increasingly vulnerable to payment fraud as digital transactions grew in volume and levels of sophistication.
To address these risks, regulators introduced SCA to ensure a stronger layer of protection for both consumers and businesses. By requiring at least two independent factors of authentication, SCA makes it significantly harder for criminals to complete fraudulent transactions, even if they gain access to sensitive information.
Beyond fraud prevention, the introduction of SCA under PSD2 also aimed to:
- Build consumer trust in online payments by making them safer;
- Create a level playing field for banks, fintechs, and payment providers by setting common standards;
- Encourage innovation in digital payments by enabling new, secure methods of authentication such as biometric verification and mobile app approvals.
In short, SCA was introduced under PSD2 not just to protect transactions, but also to strengthen the overall payment ecosystem.
How SCA Affects UK Businesses and Online Transactions
Since becoming mandatory in the UK in March 2022, SCA has changed the way businesses process online payments. While its primary goal is to combat fraud and increase consumer protection, it also has practical implications that merchants need to understand.
For UK businesses, SCA means that many online transactions now require customers to complete an additional authentication step before payment is approved.
Instead of relying solely on card details, shoppers may need to confirm their identity through:
- A one-time passcode sent via SMS or app notification;
- Biometric verification such as fingerprint or facial recognition;
- Card reader or banking app confirmations.
For online transactions, the intended impact is less fraud and fewer chargebacks. That’s because with stricter checks in place, fraudulent attempts are far less likely to succeed, helping businesses avoid financial losses and disputes.
However, the customer experience (CX) may be impacted negatively. For instance, extra steps in the checkout process can sometimes lead to cart abandonment if customers find authentication inconvenient or confusing. Businesses therefore need to optimise their payment flow and clearly guide customers through the process.
On the other hand, it can result in greater trust in digital payments. By aligning with PSD2 requirements, merchants signal that they take payment security seriously, which can strengthen customer confidence and loyalty.
When SCA Is Required and When It’s Exempt
Not all transactions require SCA. Examples of potential exemptions include:
- Low-value purchases;
- Recurring payments (like subscriptions);
- Transactions deemed low-risk by the payment provider.
By working with a payments partner such as myPOS, businesses can take advantage of these exemptions to keep checkout friction low while still staying compliant.
How SCA Works for In-Store vs. Online Card Payments
SCA applies to most card payments in the UK. However, the way it is implemented depends on whether the transaction happens in-store or online. Both settings require two-factor authentication, yet the customer experience differs.
For in-store payments
When shopping in person, SCA is usually applied through chip-and-PIN or contactless limits:
- Chip-and-PIN: Customers insert their card and enter a PIN (something they know) combined with the card itself (something they have). This meets the SCA requirement.
- Contactless payments: For low-value contactless transactions, customers can usually tap their contactless card without entering a PIN code. However, after a certain number of consecutive taps or once a spending threshold is reached, the terminal will request a PIN to re-authenticate the cardholder.
This ensures even convenient contactless payments stay compliant with SCA.
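The contactless rule described above can be modelled as per-card counters that reset on each successful PIN check. The following is an added example, not myPOS or card-scheme code; the three limits and all names are illustrative assumptions, since the page gives no figures.

```python
from dataclasses import dataclass

# Assumed limits for illustration only; real values are set by the
# issuer and regulator and are not stated on this page.
SINGLE_TAP_LIMIT_PENCE = 10_000
CUMULATIVE_LIMIT_PENCE = 30_000
MAX_CONSECUTIVE_TAPS = 5


@dataclass
class ContactlessCounters:
    """Per-card state tracked since the last successful PIN (SCA) check."""
    taps_since_sca: int = 0
    spend_since_sca_pence: int = 0

    def needs_pin(self, amount_pence: int) -> bool:
        if amount_pence <= 0:
            raise ValueError("amount must be positive")
        return (
            amount_pence > SINGLE_TAP_LIMIT_PENCE
            or self.taps_since_sca + 1 > MAX_CONSECUTIVE_TAPS
            or self.spend_since_sca_pence + amount_pence > CUMULATIVE_LIMIT_PENCE
        )

    def authorise(self, amount_pence: int, pin_verified: bool = False) -> str:
        if pin_verified:
            # Chip-and-PIN: card (possession) plus PIN (knowledge).
            # A successful check resets both counters.
            self.taps_since_sca = 0
            self.spend_since_sca_pence = 0
            return "approved_with_pin"
        if self.needs_pin(amount_pence):
            # Counters stay unchanged: a refused tap must not count as spend.
            return "pin_required"
        self.taps_since_sca += 1
        self.spend_since_sca_pence += amount_pence
        return "approved_contactless"


def simulate(amounts_pence):
    """Run a sequence of taps on one card, entering the PIN when asked."""
    card = ContactlessCounters()
    outcomes = []
    for amount in amounts_pence:
        result = card.authorise(amount)
        if result == "pin_required":
            result = card.authorise(amount, pin_verified=True)
        outcomes.append(result)
    return outcomes
```
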
Online payments
For e-commerce and remote transactions, SCA is generally applied through two-factor checks during checkout.
This often involves:
- Entering card details (something you know);
- Confirming the purchase via a banking app, SMS one-time passcode or biometric ID (something you have or something you are).
The most common system used online is 3D Secure (3DS), which enables banks to verify the customer in real time before approving the payment.
The key difference is that in-store SCA is mostly seamless and built into everyday payment methods like chip-and-PIN or contactless with limits. Meanwhile, online SCA requires additional steps at checkout. These involve a mobile device or biometric authentication, which makes it more noticeable to the customer.
Impact of SCA on Checkout Flow and Conversion Rates
While SCA has improved payment security, it has also introduced new dynamics into the checkout process, which can directly affect a business’s conversion rates.
One example is that SCA requires customers to take an extra step to confirm their identity, such as entering a one-time passcode or approving a payment via a banking app. Although this step improves security, it also adds friction to the checkout flow. If customers find the process confusing, slow or inconvenient, they may abandon their cart before completing the purchase.
Many merchants initially reported higher cart abandonment rates when SCA was rolled out, particularly if their checkout experience wasn’t optimised. Each additional action in the payment journey increases the risk of losing a sale.
On the positive side, however, businesses can take steps to minimise disruption while staying compliant:
- Work with a payment provider like myPOS that supports the latest SCA technologies, such as frictionless 3D Secure authentication.
- Use exemptions where possible – for example, on low-value payments, recurring transactions or low-risk payments approved by the acquirer.
- Optimise the user journey by providing clear instructions during authentication and ensuring the checkout process is mobile-friendly.
Although SCA can add short-term hurdles, its long-term impact is positive. With stronger protection against fraud, customers gain greater trust in digital payments. Over time, this trust can actually support higher conversion rates, as shoppers feel more confident buying online.
myPOS Solutions That Support SCA Compliance
Complying with SCA doesn’t have to be complicated. At myPOS, all solutions are designed to help UK merchants meet regulatory requirements while keeping payments fast, secure and customer-friendly.
Smart card terminals for in-store payments
myPOS offers fully compliant POS machines and smart payment terminals. They support:
- Chip-and-PIN transactions;
- Contactless transactions with automatic SCA checks, where PIN entry is required after reaching the contactless limit or cumulative threshold.
This ensures every in-store payment meets the SCA standards without slowing down checkout.
Secure online payments with myPOS Checkout
For e-commerce businesses, myPOS provides a secure payment gateway that integrates 3D Secure (3DS) technology. This enables:
- Smooth authentication via one-time passcodes, banking app confirmations or biometrics;
- Automatic application of SCA exemptions where possible, to reduce unnecessary friction;
- A mobile-friendly experience, so customers can easily authenticate purchases from their smartphones.
Our payment gateway can integrate with most of the popular e-commerce platforms, so you won’t have to worry about complex integrations.
Recurring and subscription payments
For merchants offering recurring billing, myPOS helps streamline compliance by applying SCA only when necessary, for example, during the first payment. Subsequent charges that qualify for exemptions can be processed smoothly without repeated authentication.
By choosing myPOS, UK businesses can be certain that they are not only SCA-compliant but also provide their customers with a smooth payment experience, whether in-store, online or remotely.
Frequently Asked Questions
What is the Strong Customer Authentication (SCA) process and how does it work?
The SCA process is a security requirement under PSD2 that helps confirm a shopper’s identity during online payments. It works by asking the customer to provide at least two independent forms of authentication out of three possible categories. These are:
- Something they know (e.g., a password, PIN or security question);
- Something they have (e.g., a mobile phone, card or hardware token);
- Something they are (e.g., fingerprint, facial recognition or voice ID).
Is 3DS the same as SCA?
While related, 3D Secure (3DS) is not the same as SCA. 3D Secure is a specific technology and protocol used by card networks like Visa and Mastercard to support SCA. When a customer sees an online checkout page asking for verification of a purchase with a code, app confirmation or biometric login, that’s a sign of 3DS in action. SCA, on the other hand, is the regulation: a legal requirement that certain payments must be authenticated using two or more factors. 3DS can be considered a common tool used to comply with that regulation.
What is the Strong Customer Authentication policy?
The SCA policy refers to the rules set out in PSD2 that make strong authentication mandatory for most electronic payments in the UK and EU. Under this policy, banks and payment providers must apply SCA whenever a customer initiates an online card payment, unless the transaction qualifies for an exemption. The goal of this policy is to reduce fraud, protect consumers and increase trust in online payments.



