Learn how the Strong Customer Authentication regulation affects your business and how to update your integration to support it.

Strong Customer Authentication

Strong Customer Authentication (SCA), a rule in effect as of September 14, 2019, as part of PSD2 regulation in Europe, requires changes to how your European customers authenticate online payments. Card payments require a different user experience, namely 3D Secure , in order to meet SCA requirements. Transactions that don’t follow the new authentication guidelines may be declined by your customers’ banks.


To support SCA, you should:

  1. Determine if your business is impacted
  2. Decide which one of our SCA-ready products is right for your business
  3. Make changes now to avoid declined payments

Impacted businesses and payments

Update your Hips integration for SCA if all of the following apply:

  • Your business is based in the European Economic Area (EEA) or you create payments on behalf of connected accounts based in the EEA
  • You serve customers in the EEA
  • You accept cards (credit or debit)

While some low-risk transactions (based on the volume of fraud rates associated with the payment provider or bank) do not require authentication, banks can choose to not honor these exemptions and request that the customer complete authentication. Even if you’re primarily processing low-risk transactions, update your integration so your customers can complete authentication when requested by the bank. Hips new products and APIs help you claim these exemptions and maximize conversion by only requesting authentication when absolutely necessary.

SCA-ready products and APIs

Hips provides prebuilt and customizable solutions to help you meet SCA requirements. Integrations that are not SCA-ready, like ones using the Charges API, will see high rates of declines as banks begin enforcing SCA.

Whether you collect one-time payments or save cards for later reuse, Hips has SCA-ready products that let us update your integration for future regulations, with minimal changes required by you.



Accept card payments with the Preflight API and Hips Checkout—a prebuilt, Hips-hosted checkout flow that automatically handles SCA requirements for you. Checkout is customizable and lets you accept payments for one-time purchases and subscriptions on your website.



Save a card for later reuse with Hips new Payment Intents and Preflight APIs. You can also use Checkout—a pre-built, Hips-hosted checkout flow—to automatically handle SCA requirements, or use Hips Billing to handle SCA for more complex subscription models.

What is Strong Customer Authentication?

Strong Customer Authentication (SCA) is a new European regulatory requirement to reduce fraud and make online payments more secure. To accept payments and meet SCA requirements, you need to build additional authentication into your checkout flow. SCA requires authentication to use at least two of the following three elements.


When is Strong Customer Authentication required?

Strong Customer Authentication applies to “customer-initiated” online payments within Europe. As a result, most card payments and all bank transfers require SCA. Recurring direct debits on the other hand are considered “merchant-initiated” and don’t require strong authentication. With the exception of contactless payments, in-person card payments are also not impacted by the new regulation.

For online card payments, these requirements apply to transactions where both the business and the cardholder’s bank are located in the European Economic Area (EEA).

How to authenticate a payment

Currently, the most common way of authenticating an online card payment relies on 3D Secure—an authentication standard supported by the vast majority of European cards. Applying 3D Secure typically adds an extra step after the checkout where the cardholder is prompted by their bank to provide additional information to complete a payment (e.g., a one-time code sent to their phone or fingerprint authentication through their mobile banking app).

3D Secure 2—the new version of the authentication protocol —will be the main method for authenticating online card payments and meeting the new SCA requirements. This new version introduces a better user experience that will help minimise some of the friction that authentication adds into the checkout flow.

Other card-based payment methods such as Apple Pay or Google Pay already support payment flows with a built-in layer of authentication (biometric or password). Together with enabling 3D Secure in your merchant dashboard [Payments -> Settings -> Enable 3D Secure], these can be a great way for businesses to offer a frictionless checkout experience while meeting the new requirements.

What’s Next