Strong Customer Authentication for UK merchants

UK online card payments require two-factor authentication on most transactions under the retained PSD2 rules. The payment processor delivers this via 3D Secure 2, which runs invisibly for low-risk transactions and prompts the customer for their banking app, SMS code or biometric on higher-risk ones. Around a quarter to two-fifths of UK ecommerce transactions trigger a challenge in 2026; the rest run frictionless. Cart abandonment at the bank-app prompt is the biggest single leak in UK ecommerce checkout.

How SCA works in practice

When your customer hits "pay" on your checkout, the acquirer routes the authorisation through 3DS2. The protocol asks the customer's card issuer: do you want to authenticate this customer for this transaction? The issuer scores the transaction using fraud signals (device, location, value, merchant history, customer history) and replies with one of three outcomes:

  • Frictionless: the issuer trusts the transaction and authenticates silently, so the authorisation proceeds without the customer noticing.
  • Challenge: the issuer prompts the customer to confirm via banking app, SMS code or biometric.
  • Decline: the issuer rejects authentication and the transaction fails.

The challenge flow lives in the customer's banking app for most UK consumers in 2026. Older customers on smaller banks may still see SMS one-time codes. Either way, the customer leaves your checkout, completes the challenge in their banking app, returns to your checkout, and the transaction either authorises or fails. Total elapsed time runs 15 to 60 seconds when it works, longer when the customer cannot find the prompt or their banking app is not installed.

Exemptions worth knowing

  • Low value: transactions under £30 are exempt up to 5 consecutive transactions or £100 cumulative per card.
  • Merchant Initiated Transaction (MIT): recurring subscriptions where the card was authenticated at sign-up. Most UK SaaS, gym memberships, streaming services use this.
  • Trusted Beneficiary: the customer has explicitly whitelisted your business with their bank. Rare in practice.
  • Transaction Risk Analysis (TRA): the acquirer demonstrates fraud rates below a threshold (typically 0.13 percent for transactions under £100, 0.06 percent up to £250, 0.01 percent up to £500). Acquirer-led, not merchant-led.
  • Corporate cards: commercial cards processed via Secure Corporate Payments are exempt.

Reducing SCA friction

The single biggest lever is using a gateway that supports SCA exemption flagging. Stripe, Adyen, Worldpay and Braintree all pass exemption requests through to issuers when they apply. Lesser gateways force every transaction through challenge flow even when an exemption is valid. The conversion difference at scale is meaningful.

Beyond gateway choice: keep your transaction values consistent (SCA-triggering thresholds are partly velocity-based), build customer recognition into your checkout (signed-in customers fare better than guest checkout), and surface the SCA prompt visibly. The most common abandonment cause is customers not realising they need to switch to their banking app.

What is Strong Customer Authentication (SCA)?

SCA is a UK and EEA regulatory requirement under PSD2 (retained post-Brexit) that mandates two-factor authentication on most online card payments. The two factors are drawn from: something the customer knows (password / PIN), something they have (phone / app), or something they are (biometric). The payment processor implements SCA via the 3D Secure 2 protocol.

Does SCA apply to every UK online card transaction?

No. SCA is mandatory by default but several exemptions exist. The most common: low-value (under £30), Merchant Initiated Transaction (recurring subscriptions where the card was authenticated at sign-up), Trusted Beneficiary (customer has whitelisted your business with their bank), and Transaction Risk Analysis (acquirer-led, low-risk transactions). In practice, around 25 to 40 percent of UK ecommerce transactions trigger an SCA challenge in 2026.

What is 3D Secure 2?

3D Secure 2 (3DS2) is the technical protocol that delivers SCA. It runs invisibly in the background for low-risk transactions (frictionless flow) and challenges the customer with their bank app, SMS one-time code or biometric prompt for higher-risk transactions (challenge flow). 3DS2 replaces the older 3DS1 protocol which had much higher abandonment.

How much does SCA hurt conversion?

Frictionless flow has near-zero conversion impact. Challenge flow typically drops conversion 2 to 5 percentage points, sometimes higher on mobile where customers may not have their banking app installed. Cart abandonment at the bank-app prompt is the single biggest leak point in UK ecommerce checkout in 2026.

What is the SCA liability shift?

When SCA is completed (either frictionless or via challenge), liability for fraudulent transactions shifts from the merchant to the card issuer. If you process without SCA where SCA was required, you carry the chargeback exposure. This is why every UK ecommerce acquirer enforces SCA at the gateway level, not at the merchant level.

Do I need to do anything specific to be SCA-compliant?

If you use a hosted-checkout gateway (Stripe Checkout, Adyen Drop-in, Shopify Payments, PayPal Checkout), SCA is handled for you. If you have a custom checkout, your developer needs to integrate the gateway's 3DS2 SDK (Stripe Elements, Adyen Components, Worldpay Access). Avoid building your own 3DS flow.

Are subscription billing and recurring payments exempt from SCA?

Partly. The first transaction (set-up) requires SCA. Subsequent recurring charges of the same amount, same frequency, same merchant qualify as Merchant Initiated Transactions and are exempt. If the amount or frequency changes (e.g. usage-based billing), SCA may re-trigger. Customer-initiated changes (upgrades, add-ons) always require fresh SCA.
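As an added example that is not AcceptCard's code or any gateway's SDK, the following Python sketch implements the merchant-side decision described by the exemption list above and by this recurring-billing answer: which exemption flag to ask the gateway to pass to the issuer. The flag names, the CardHistory counters, and the assumption that a merchant can keep an estimate of the issuer's low-value counters are all this example's own; the amount thresholds and TRA fraud-rate bands are the ones stated on this page. The issuer always makes the final call, so the returned flag is a request, not a guarantee.

```python
# Added example (not AcceptCard's code): choose the SCA exemption flag to ask
# the gateway to pass to the issuer, using the rules and thresholds on this page.
# The CardHistory counters are a merchant-side estimate of what the issuer
# tracks per card (an assumption of this example, not something the page states).
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional, Tuple

LOW_VALUE_LIMIT = Decimal("30")            # "under £30"
LOW_VALUE_MAX_COUNT = 5                    # 5 consecutive exempt transactions
LOW_VALUE_MAX_CUMULATIVE = Decimal("100")  # or £100 cumulative per card

# TRA bands: (transaction value ceiling, maximum acquirer fraud rate)
TRA_BANDS = [
    (Decimal("100"), Decimal("0.0013")),
    (Decimal("250"), Decimal("0.0006")),
    (Decimal("500"), Decimal("0.0001")),
]


@dataclass
class CardHistory:
    low_value_count: int = 0                 # exempt transactions since last SCA
    low_value_total: Decimal = Decimal("0")  # their cumulative value
    trusted_beneficiary: bool = False        # customer whitelisted this merchant
    mandate: Optional[Tuple[Decimal, str]] = None  # (amount, frequency) authenticated at sign-up


@dataclass
class Transaction:
    amount: Decimal
    recurring: bool = False
    frequency: Optional[str] = None   # e.g. "monthly"
    customer_initiated: bool = True   # False for scheduled merchant-initiated charges
    corporate_card: bool = False


def exemption_to_request(tx: Transaction, hist: CardHistory,
                         acquirer_fraud_rate: Decimal) -> Optional[str]:
    """Return the exemption flag to send with the authorisation, or None when
    the transaction should go through full SCA (frictionless or challenge)."""
    if tx.corporate_card:
        return "secure_corporate"
    if tx.recurring:
        if tx.customer_initiated:
            return None                   # upgrades/add-ons always need fresh SCA
        if hist.mandate == (tx.amount, tx.frequency):
            return "merchant_initiated"   # same amount, same frequency, same merchant
        # amount or frequency changed (usage-based billing): try the other exemptions
    if hist.trusted_beneficiary:
        return "trusted_beneficiary"
    if (tx.amount < LOW_VALUE_LIMIT
            and hist.low_value_count < LOW_VALUE_MAX_COUNT
            and hist.low_value_total + tx.amount <= LOW_VALUE_MAX_CUMULATIVE):
        return "low_value"
    for ceiling, max_rate in TRA_BANDS:   # TRA is acquirer-led: needs the acquirer's rate
        if tx.amount <= ceiling:
            return "transaction_risk_analysis" if acquirer_fraud_rate <= max_rate else None
    return None                           # above £500 no TRA band applies


def record_outcome(hist: CardHistory, tx: Transaction, sca_completed: bool,
                   exemption: Optional[str]) -> CardHistory:
    """Update the per-card estimate after the issuer's reply."""
    if sca_completed:
        hist.low_value_count = 0          # counters reset on every authentication
        hist.low_value_total = Decimal("0")
        if tx.recurring:                  # the sign-up transaction authenticates the mandate
            hist.mandate = (tx.amount, tx.frequency)
    elif exemption == "low_value":
        hist.low_value_count += 1
        hist.low_value_total += tx.amount
    return hist


if __name__ == "__main__":
    # Constructed walk-through: authenticated sign-up, then a scheduled renewal.
    card = CardHistory()
    setup = Transaction(Decimal("9.99"), recurring=True, frequency="monthly")
    record_outcome(card, setup, sca_completed=True, exemption=None)
    renewal = Transaction(Decimal("9.99"), recurring=True, frequency="monthly",
                          customer_initiated=False)
    print(exemption_to_request(renewal, card, Decimal("0.001")))  # merchant_initiated
```

The ordering matters: a customer-initiated change to a subscription returns None before any other rule is consulted, because the page says those always need fresh SCA, while a merchant-initiated charge whose amount no longer matches the mandate falls through to the low-value and TRA checks rather than failing outright.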

How is SCA different for in-person versus online?

In-person (card present) is largely exempt because the physical card and chip-and-PIN or contactless tap satisfy the two-factor requirement already. Contactless tap is one factor (something you have); the £100 contactless cap exists partly because SCA is not enforced below it. Above £100, chip-and-PIN adds the knowledge factor and SCA is satisfied.

Oliver Mackman

Director, AcceptCard

Oliver leads AcceptCard's editorial and comparison research. With a background in UK commercial finance, he oversees provider analysis, rate verification, and industry reporting across all verticals.

Last reviewed: 5 April 2026