Strong Customer Authentication did not simply add security to card payments in Europe. It changed where approvals are decided, how often customers are interrupted, and why transactions fail. For many merchants, approval rates shifted after SCA was enforced, sometimes subtly, sometimes dramatically, without any obvious change in traffic quality.
This is because SCA alters the mechanics of authorisation itself. Understanding its effect requires looking beyond compliance and into how issuers, PSPs, and customers interact during the payment moment.
What Strong Customer Authentication Means Under PSD2
Under PSD2, Strong Customer Authentication is a control mechanism applied to electronic payments that introduces an additional layer of customer verification. In practice, this means a transaction may require the customer to actively prove their identity using multiple independent factors.
The important detail is not the definition, but the distribution of responsibility. SCA is not enforced by merchants alone, nor fully controlled by PSPs. Issuing banks decide when it applies, how it is executed, and whether it succeeds.
That shared enforcement model is why outcomes differ and why approval rates became less predictable after SCA entered the flow.
When SCA Is Applied to Card Payments
SCA is expected for most remote card transactions, but it is not triggered mechanically on every payment. Issuers apply it selectively, based on risk signals evaluated in real time.
Sometimes SCA is unavoidable. Sometimes it is waived. The decision depends on a combination of factors that are invisible to the merchant at checkout.
Where SCA tends to appear most consistently:
- Online card payments without a trusted history
- Transactions flagged as higher risk by the issuer
- Cross-border scenarios where risk confidence is lower
- Payments where exemption criteria are weak or unavailable
Merchants can request exemptions. Issuers can ignore them. That asymmetry is intentional.
How SCA Changes the Card Payment Flow
Before SCA, authorisation was largely a background process. After SCA, the customer becomes an active participant in approval.
The flow now contains a decision fork:
- If the issuer allows the payment to proceed frictionlessly, authorisation behaves as before
- If authentication is required, the payment pauses and hands control to the issuer’s environment
This is most commonly implemented through 3D Secure, but the technology is less important than the consequence: approval now depends on customer completion, not just card validity.
If authentication fails, is abandoned, or times out, the payment never reaches the authorisation stage.

Why SCA Affects Card Payment Approval Rates
Approval rates changed because the definition of “failure” expanded.
A transaction can now fail even when:
- The card is valid
- The account has funds
- The merchant is trusted
Authentication introduces new failure modes:
- Customers exit the flow
- Issuer apps fail to load
- Authentication prompts are misunderstood
- Timeouts occur mid-process
- Devices or networks interrupt completion
From the merchant’s perspective, these failures look like declines. From the issuer’s perspective, they are incomplete security checks.
This gap in perspective is where approval volatility originates.
Factors That Influence Approval Outcomes Under SCA
There is no single lever that determines whether SCA improves or harms approval rates. Outcomes emerge from several interacting variables.
Issuer behaviour matters first. Some issuers enforce SCA aggressively. Others rely heavily on exemptions and risk-based scoring.
PSP implementation comes next. How exemptions are requested, how authentication is triggered, and how retries are handled all influence completion.
Customer familiarity matters too. In markets where customers routinely authenticate payments, drop-off is lower. Where SCA still feels foreign, friction increases.
None of these factors operate in isolation. They compound.

Merchant Operational Considerations
Merchants cannot treat SCA as a compliance box ticked at integration time. It is an ongoing operational variable.
Areas that consistently influence outcomes:
- Where authentication appears in the checkout journey
- How clearly customers are prepared for the step
- Whether retries are supported after failure
- How SCA-related declines are reported and analysed
Merchants that monitor issuer-level patterns tend to adapt faster. Those that look only at aggregate approval rates often miss where friction is actually occurring.
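One way to do that issuer-level monitoring, as an added example that is not part of the original article: the script places each transaction at the stage of the flow where it ended (stopped at authentication, declined at authorisation, or approved) and reports rates per issuer and country. The record fields, issuer names and country codes are constructed assumptions, not any PSP's reporting schema.

```python
from collections import defaultdict

AUTH_STOPPED = {"failed", "abandoned", "timeout"}  # payment never reaches authorisation

def rows(issuer, country, auth, authorised, n):
    """Build n constructed sample records; field names are assumptions."""
    return [{"issuer": issuer, "country": country, "auth": auth,
             "authorised": authorised} for _ in range(n)]

# Constructed sample data (placeholder issuers and country codes, not real figures).
# auth is "frictionless" or "completed" when the payment went on to authorisation.
SAMPLE = (
    rows("Issuer A", "AA", "frictionless", True, 6)
    + rows("Issuer A", "AA", "completed", True, 3)
    + rows("Issuer A", "AA", "completed", False, 1)
    + rows("Issuer B", "BB", "completed", True, 4)
    + rows("Issuer B", "BB", "abandoned", None, 3)
    + rows("Issuer B", "BB", "timeout", None, 2)
    + rows("Issuer B", "BB", "frictionless", False, 1)
)

def classify(txn):
    """Name the stage of the flow at which a transaction ended."""
    if txn["auth"] in AUTH_STOPPED:
        return "auth_" + txn["auth"]
    return "approved" if txn["authorised"] else "issuer_decline"

def breakdown(txns, key=("issuer", "country")):
    """Per-group rates; key=() gives the single aggregate view."""
    groups = defaultdict(lambda: defaultdict(int))
    for t in txns:
        groups[tuple(t[k] for k in key)][classify(t)] += 1
    report = {}
    for group, counts in groups.items():
        total = sum(counts.values())
        auth_lost = sum(n for k, n in counts.items() if k.startswith("auth_"))
        report[group] = {
            "total": total,
            "approval_rate": counts.get("approved", 0) / total,
            "auth_loss_rate": auth_lost / total,
            "issuer_decline_rate": counts.get("issuer_decline", 0) / total,
        }
    return report

if __name__ == "__main__":
    for view in ((), ("issuer", "country")):
        for group, stats in breakdown(SAMPLE, view).items():
            print(group or "ALL", stats)
```

On the constructed sample the aggregate approval rate is 65%, while Issuer B sits at 40% with half of its attempts lost at the authentication step rather than declined at authorisation.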
How Approval Rate Impacts Differ Across Europe
SCA does not behave uniformly across Europe. In some countries, customers have years of exposure to bank-based authentication and complete flows confidently. In others, authentication still feels intrusive, especially on mobile devices.
Issuer enforcement also varies. Some markets default to strict application. Others lean more heavily on exemptions.
The result is that the same SCA setup can produce materially different approval outcomes depending on where the card is issued, even when the merchant, PSP, and checkout remain unchanged.
What Merchants Should Understand About SCA and Approvals
SCA improves security, but it redistributes control.
Approval outcomes are now shaped by:
- Issuer risk logic
- PSP exemption handling
- Customer behaviour at the authentication step
Because these elements differ across providers and markets, there is no single “correct” SCA configuration. What works well with one PSP or in one country may underperform elsewhere.
Merchants that treat SCA as a dynamic system, not a static rule, are better positioned to manage its impact.
Conclusion
Strong Customer Authentication has permanently altered how card payment approvals work in Europe. It reduces fraud, but it also introduces friction, variability, and new failure points.
For merchants, approval rates are no longer driven solely by card quality or customer intent. They are the outcome of a shared process involving issuers, PSPs, and customers, all operating under the same regulation, but not the same assumptions.
Understanding that reality is the first step towards managing it effectively.
FAQs
1. What is Strong Customer Authentication under PSD2?
Strong Customer Authentication is a requirement under PSD2 that obliges customers to verify their identity using multiple factors for certain electronic payments, particularly online card transactions.
2. Does SCA apply to all card payments in Europe?
No. SCA applies mainly to remote and electronic card payments, but exemptions may apply depending on transaction value, risk assessment, merchant profile, and issuer decisions.
3. Why did approval rates change after SCA was introduced?
Approval rates changed because SCA introduced an additional authentication step. Transactions can now fail due to customer drop-off, authentication errors, or issuer-side interruptions, even when cards and funds are valid.
4. Who decides whether SCA is required for a transaction?
Issuing banks make the final decision. Merchants and PSPs can request exemptions, but issuers determine whether authentication is required and whether it succeeds.
5. Is SCA the same as 3D Secure?
Not exactly. SCA is a regulatory requirement, while 3D Secure is the most common technical method used to implement SCA for card payments.
6. Can merchants control SCA-related declines?
Merchants cannot control issuer decisions, but they can influence outcomes through checkout design, clear customer messaging, effective exemption handling, and choosing PSPs with strong SCA implementation.
7. Why do approval outcomes differ between European countries?
Differences in issuer behaviour, customer familiarity, bank app quality, and local enforcement practices all contribute to variation in SCA-related approval rates across Europe.
8. Do SCA exemptions always improve approval rates?
Not always. While exemptions can reduce friction, issuers may reject them. Poorly applied exemption logic can actually increase declines if authentication is triggered unexpectedly.
9. How should merchants monitor the impact of SCA?
Merchants should analyse approval and decline data by issuer, country, and authentication outcome rather than relying only on overall approval rates.
10. Is SCA a one-time implementation task?
No. SCA should be treated as an ongoing operational factor. Issuer behaviour, customer habits, and PSP capabilities evolve, requiring continuous monitoring and optimisation.




