PSD2 and SCA for US Merchants

PSD2 (Payment Services Directive 2) is European law. SCA (Strong Customer Authentication) is a requirement within PSD2. If you're a US merchant selling to European customers, SCA applies to you whether you have a European entity or not.

The short version: You need 3D Secure for most European card-not-present transactions.

Does This Apply to You?

SCA applies if:

  • You're selling to customers with European cards
  • Transactions are card-not-present (online, phone, recurring)
  • Customer's issuer is in the European Economic Area (EEA: EU + Iceland, Liechtenstein, Norway)

SCA does NOT apply if:

  • Customer's card is issued outside EEA (even if they're physically in Europe)
  • Transaction is card-present (chip + PIN satisfies SCA)
  • You're selling from Europe to US customers (US cards, no SCA)

The trigger is the customer's issuing bank location, not the customer's physical location.


What is SCA?

Strong Customer Authentication requires two of three factors:

Factor        Examples
Knowledge     Password, PIN, security question
Possession    Phone, card, hardware token
Inherence     Fingerprint, face recognition, voice

For card payments: 3D Secure (3DS) is the standard implementation of SCA.

3DS provides:

  • Knowledge or inherence: Password or biometric through banking app
  • Possession: Phone with banking app
  • Together: two factors, so SCA compliant

How SCA Works for US Merchants

Without 3DS (Non-Compliant)

Result: European issuers decline non-3DS transactions. Your conversion rate tanks in Europe.

With 3DS (Compliant)

Result: Transactions are approved, you get liability shift, customer had to authenticate.


When SCA Is Required

Transaction Type             SCA Required?   Notes
Initial card-not-present     Yes             Unless exemption applies
Recurring (after first)      No              First payment must be SCA-authenticated
Card-present (chip + PIN)    No              Chip + PIN satisfies SCA
Contactless under €50        No              Low-value exemption
Merchant-initiated (MIT)     No              Customer not present

Key insight: Only the first transaction in a subscription needs SCA. Subsequent recurring charges are exempt.


SCA Exemptions

European regulations allow exemptions from SCA in specific scenarios:

Exemption                         Criteria                                Merchant Burden
Low-value                         Under €30                               Not cumulative over €100 or 5 transactions
Recurring payments                After SCA-authenticated first payment   Must use MIT flag
TRA (Transaction Risk Analysis)   Low-risk transactions, low fraud rate   Your fraud rate must be under 0.13-0.5%
Trusted beneficiaries             Customer whitelists merchant            Customer must add you in banking app
Corporate payments                B2B corporate cards                     Depends on issuer
Secure corporate process          Dedicated payment processes             Rare

See: 3DS Exemptions for full details.
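The "When SCA Is Required" rules and the exemption table above, folded into one decision routine. This is an added example, not code from the page or from any processor: the thresholds are the ones stated on this page (under €30, not cumulative over €100 or 5 transactions, TRA fraud rate taken at the 0.13% low end), the running-total fields are constructed for the example, and the UK is included because it kept SCA after Brexit. Note that this is request logic only; the issuer can still challenge.

```python
from dataclasses import dataclass

# Thresholds as stated on this page. Issuers apply their own rules, so this decides what
# to request, not what the issuer will grant.
LOW_VALUE_CAP_EUR = 30.0          # low-value exemption: under EUR 30
CUMULATIVE_CAP_EUR = 100.0        # ... and not cumulative over EUR 100 since the last SCA
CUMULATIVE_CAP_COUNT = 5          # ... or 5 exempt transactions since the last SCA
TRA_FRAUD_RATE_CAP_PCT = 0.13     # assumed: low end of the page's 0.13-0.5% TRA range

EEA = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU", "IE",
       "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE",
       "IS", "LI", "NO"}
SCA_COUNTRIES = EEA | {"GB"}      # UK left the EU but kept SCA

@dataclass
class Txn:
    issuer_country: str                   # country of the issuing bank, not the customer
    amount_eur: float
    card_present: bool = False
    merchant_initiated: bool = False      # MIT flag: recurring charge after an SCA'd first payment
    exempt_amount_since_sca: float = 0.0  # constructed: exempt spend since the last SCA
    exempt_count_since_sca: int = 0       # constructed: exempt transactions since the last SCA
    merchant_fraud_rate_pct: float = 1.0  # your acquirer-reported fraud rate

def sca_decision(t: Txn) -> tuple[bool, str]:
    """Return (challenge_required, reason) for one transaction."""
    if t.issuer_country not in SCA_COUNTRIES:
        return False, "out of scope: issuer outside EEA/UK"
    if t.card_present:
        return False, "card-present: chip + PIN satisfies SCA"
    if t.merchant_initiated:
        return False, "MIT: recurring charge after SCA-authenticated first payment"
    if (t.amount_eur < LOW_VALUE_CAP_EUR
            and t.exempt_amount_since_sca + t.amount_eur <= CUMULATIVE_CAP_EUR
            and t.exempt_count_since_sca < CUMULATIVE_CAP_COUNT):
        return False, "request low-value exemption"
    if t.merchant_fraud_rate_pct < TRA_FRAUD_RATE_CAP_PCT:
        return False, "request TRA exemption"
    return True, "SCA required: run the 3DS challenge flow"
```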


How to Comply (Implementation)

Step 1: Enable 3DS

If you're on Stripe or Shopify Payments:

  1. 3DS is already enabled by default for European cards
  2. Stripe automatically triggers 3DS when required
  3. No action needed (it just works)

If you're on Square:

  • Square does not support 3DS
  • You cannot sell card-not-present to Europe compliantly on Square
  • Use Stripe for European sales or migrate

If you're on a traditional processor:

  • Contact your processor to enable 3DS
  • Integration required (varies by processor)
  • Budget 20-80 hours for integration

Step 2: Handle Redirects

3DS requires redirecting customers to their bank:

  1. Customer enters card on your checkout
  2. Redirect to issuer's authentication page
  3. Customer authenticates (password, biometric, etc.)
  4. Redirect back to your site
  5. Complete transaction

Mobile app considerations: Use in-app browser, not external browser (better UX).

Step 3: Request Exemptions When Possible

For low-risk transactions, request TRA exemption:

  • Reduces friction (no challenge)
  • Still SCA-compliant
  • Only works if your fraud rate is low

Stripe handles this automatically if you qualify.

Step 4: Flag Recurring Properly

For subscriptions:

  • First payment: Full 3DS authentication
  • Subsequent: Use MIT (Merchant Initiated Transaction) flag
  • No 3DS needed for recurring

Stripe and most processors handle this automatically.


What Happens If You Don't Comply

Immediate Impact

European issuers decline non-SCA transactions:

  • Your auth rate drops 30-80% for European customers
  • Conversions tank
  • Revenue from Europe evaporates

This isn't a fine or penalty. Transactions just fail.

No Direct Penalties for Non-EU Merchants

If you're a US merchant:

  • European regulators don't fine you directly
  • Your processor faces potential fines (they'll pass to you)
  • Main impact: transactions decline = lost sales

The market enforces compliance. You can't sell if issuers decline.


PSD2 Beyond SCA

PSD2 includes more than just SCA:

PSD2 Component        What It Is                          US Merchant Impact
SCA                   Authentication requirement          Must implement 3DS
Open Banking          API access to bank data             Enables pay-by-bank methods
Payment initiation    Third-party payment initiation      Enables SEPA alternatives
Refund rights         14-day cooling-off period           Applies to EU consumer sales
Surcharging ban       Can't surcharge most EU cards       Check by country

For most US SMBs: SCA (3DS requirement) is the only part that matters operationally.


US Merchant Compliance Checklist

□ Enable 3DS in your processor (Stripe auto-enables for EU)
□ Test European card transactions (use Stripe test cards)
□ Implement redirect flow for 3DS challenges
□ Flag recurring payments as MIT after first payment
□ Request TRA exemptions for low-risk transactions (if available)
□ Monitor European auth rates (should be 85-95% with 3DS)
□ Check if surcharging is allowed in target EU countries
□ Understand 14-day refund rights for EU consumers

Test to Run

EU compliance audit (3 weeks):

Week 1: Geography check

  1. Calculate % of revenue from EU customers: ____%
  2. Pull auth rates for EU transactions
  3. Check if 3DS is enabled (look for "3DS" in transaction logs)

Week 2: Auth rate analysis

  4. EU auth rate with 3DS: Should be 85-95%
  5. If under 80%, investigate why (likely SCA declines)
  6. Check frictionless rate (% that don't see challenge)

Week 3: Exemption optimization

  7. Check if TRA exemptions are being used
  8. Monitor low-value exemptions (under €30)
  9. Ensure recurring payments are MIT-flagged

Success criteria: EU auth rate over 85%, frictionless rate over 60%, no SCA decline codes.
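The three-week audit above, run over a transaction export. This is an added example, not the page's own tooling: the records are constructed, the record shape is assumed, and "authentication_required" is Stripe's decline code for an issuer that wanted SCA (map your own processor's codes into SCA_DECLINE_CODES).

```python
# EEA plus the UK, which kept SCA after Brexit.
SCA_COUNTRIES = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
                 "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
                 "SI", "ES", "SE", "IS", "LI", "NO", "GB"}
# Decline codes meaning the issuer wanted SCA. "authentication_required" is Stripe's.
SCA_DECLINE_CODES = {"authentication_required"}

def rec(tid, country, amount, approved, three_ds=None, decline_code=None):
    # three_ds is "frictionless", "challenge" or None (no 3DS ran at all)
    return {"id": tid, "issuer_country": country, "amount_eur": amount,
            "approved": approved, "three_ds": three_ds, "decline_code": decline_code}

SAMPLE_TXNS = [  # constructed sample shaped like a processor export
    rec("t1", "DE", 100.0, True, "frictionless"),
    rec("t2", "FR", 50.0, True, "challenge"),
    rec("t3", "GB", 80.0, False, None, "authentication_required"),
    rec("t4", "NL", 20.0, True, "frictionless"),
    rec("t5", "ES", 30.0, False, "challenge", "insufficient_funds"),
    rec("t6", "US", 200.0, True),
]

def eu_audit(txns):
    """Week 1-3 numbers: EU revenue share, EU auth rate, frictionless rate, SCA declines."""
    total_value = sum(t["amount_eur"] for t in txns)
    eu = [t for t in txns if t["issuer_country"] in SCA_COUNTRIES]
    eu_value = sum(t["amount_eur"] for t in eu)
    approved = sum(1 for t in eu if t["approved"])
    authed = [t for t in eu if t["three_ds"] is not None]
    frictionless = sum(1 for t in authed if t["three_ds"] == "frictionless")
    report = {
        "eu_revenue_share_pct": round(100 * eu_value / total_value, 1) if total_value else 0.0,
        "eu_auth_rate_pct": round(100 * approved / len(eu), 1) if eu else 0.0,
        "frictionless_rate_pct": round(100 * frictionless / len(authed), 1) if authed else 0.0,
        "eu_without_3ds": [t["id"] for t in eu if t["three_ds"] is None],
        "sca_decline_ids": [t["id"] for t in eu if t["decline_code"] in SCA_DECLINE_CODES],
    }
    # Success criteria from the page: auth over 85%, frictionless over 60%, no SCA declines.
    report["passes"] = (report["eu_auth_rate_pct"] > 85 and report["frictionless_rate_pct"] > 60
                        and not report["sca_decline_ids"])
    findings = []
    if report["eu_auth_rate_pct"] < 80:
        findings.append("EU auth rate under 80%: investigate SCA declines first")
    if report["eu_without_3ds"]:
        findings.append("EU transactions ran without 3DS: confirm 3DS is enabled")
    report["findings"] = findings
    return report
```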


Scale Callouts

Under $50K/month, under 5% EU:

  • Don't worry about SCA yet
  • Enable 3DS when EU becomes 10%+
  • Focus on US market

$50K-$250K/month, 10-20% EU:

  • Ensure 3DS is enabled (should be automatic on Stripe)
  • Monitor EU auth rates
  • Request TRA exemptions if fraud rate is low

$250K-$1M/month, 20%+ EU:

  • Optimize frictionless rate (send more data for TRA)
  • Use low-value exemptions strategically
  • Consider local EU entity for better rates

Over $1M/month, 30%+ EU:

  • Consider Adyen for local EU acquiring
  • Full exemption optimization
  • Monitor SCA compliance by country

Where This Breaks

  1. UK left EU but kept SCA: Brexit happened, but UK still requires SCA. Don't assume UK = different rules.

  2. Not all EU countries enforce equally: Some countries have soft enforcement. But plan for strict compliance (safer).

  3. Card-present in EU still needs chip + PIN: US merchants with EU retail locations need PIN-enabled terminals, not signature.

  4. Recurring payment exemption can be revoked: If fraud rate climbs, issuers can require SCA on subsequent recurring charges. This is rare but possible.

  5. TRA exemptions require low fraud: If your fraud rate is over 0.5%, you won't qualify for TRA. Exemptions go away.


Common US Merchant Questions

"Do I need a European entity?"

No. SCA applies to the transaction, not your business location.

  • US entity selling to EU customers: SCA required
  • EU entity selling to US customers: SCA not required

"What if I only sell B2B?"

Maybe exempt. Corporate cards can be exempt from SCA, but:

  • Depends on card type (not all corporate cards are exempt)
  • Issuer decides
  • Safer to implement 3DS anyway

"Can I just block European customers?"

Yes, but:

  • You're walking away from 20-30% of global e-commerce market
  • Implementing 3DS is easier than you think (automatic on Stripe)
  • Why exclude customers when compliance is simple?

"Does this apply to PayPal?"

No. PayPal authenticates customers themselves:

  • Customers log into PayPal (knowledge + possession)
  • PayPal handles SCA compliance
  • You don't need to do anything

If customer pays with card through PayPal: PayPal handles 3DS.


Next Steps

Selling to Europe?

  1. Read 3D Secure guide for implementation
  2. Enable 3DS in Stripe dashboard (or verify it's enabled)
  3. Test with European test cards

Optimizing EU compliance?

  1. Review 3DS Exemptions for TRA/low-value
  2. Monitor frictionless authentication rates
  3. Send more data for better TRA qualification

Want to avoid SCA entirely?

  1. Use regional payment methods - iDEAL, Bancontact
  2. Local payment methods often have better conversion than 3DS-challenged cards
  3. Consider PayPal for EU (they handle SCA)

See Also