Editorial & Advertiser disclosure

Global Banking & Finance Review® is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.

Home > Technology > Authentication vs. Authorisation in the SCA era

Authentication vs. Authorisation in the SCA era

Published by Jessica Weisman-Pitts

Posted on June 16, 2022

5 min read

Last updated: January 20, 2026

Illustration of strong customer authentication process in online transactions - Global Banking & Finance Review — Visual representation of the authentication process in the Strong Customer Authentication era, highlighting the importance for merchants in the banking and finance sector. This image relates to the challenges and strategies retailers face in optimizing payments while adhering to new regulations.

By Shagun Varshney, Signifyd Senior Product Manager, Payment Optimisation, takes us through two different approaches to SCA, and what retailers can do to avoid the downsides of the new regulations.

Since its enforcement in the UK in March, Strong Customer Authentication (SCA), designed to protect consumers and reduce the number of fraudulent orders for merchants, comes with added complications when determining the most efficient and cost-effective way for retailers to process online orders.

Many of the questions and concerns surrounding the new SCA regulations have been about how the new consumer authentication regulation adds additional layers to transactions, causing friction and leading to lower conversions.

That’s not a trivial concern, however the positive effects of SCA shouldn’t be minimized. Moreover, merchants have the opportunity to eliminate the friction that SCA brings, which is good news The not so good news is that making those choices is a complicated matter.

The SCA impact on merchants

In the pre-SCA era, merchants didn’t worry about whether they should be seeking exemptions in the payment process and just how they’d best go about that. They were working in a world without exemptions. Optimisation was not a thing.

With SCA in place, the world has changed. 3D Secure, a protocol that facilitates authentication, has become the critical path to a successful transaction. But in the early going, 3D Secure has proven unsteady. Not all merchants, banks and payment processors are prepared and using the newest version of 3DS, a version that accommodates the exemption requests that are vital to a successful SCA strategy.

Now merchants need to understand whether the banks and processors they depend on are fully SCA-prepared or not. And if they are not, merchants need to be able to request SCA exemptions by processing orders along the authorization path.

In short: Today merchants need to be in the business of payment optimisation or live with the damage friction and cart abandonment cause their business.

How has SCA changed online shopping?

First, SCA calls on consumers to demonstrate that they are who they say they are. They can confirm their identity in two of three ways:

Something they own (such as the device they used to buy).
Something they know (such as a one-time passcode).
Something they are (via biometrics, such as a fingerprint or retina scan).

The regulation also comes with a batch of exemptions. These exemptions and related exceptions, called exclusions, are generally available when an order meets certain criteria:

The order is low-risk and low value.
Both the merchant and its banks have kept fraud rates low and the transaction meets certain limits — order values below €100 or between €100 and €250 or €250 and €500 depending on how low the merchant and bank’s fraud rates are.
The transaction is “out of scope.” These include phone or mail orders, prepaid card transactions and orders when the acquiring or issuing bank is outside of the European Economic Area.

Trusted beneficiary — if a consumer’s bank agrees to allow it. The trusted beneficiary exemption can be applied when a consumer expressly tells the bank that issued their credit card that they don’t want extra scrutiny applied when they are buying from specific merchants. Again, the issuing bank can refuse to allow the exemption.

Authentication or Authorisation?

Making this decision means knowing whether the banks that support an online purchase for the merchant and the customer’s card issuer are fully prepared for frictionless SCA. It also requires an understanding of SCA’s exemptions and the requirements for requesting an exemption to SCA. And it requires those insights for every individual order.

By understanding which payment flow — authentication or authorisation — best accommodates the transaction process for a given order, merchants can optimise the customer experience they provide, which increases conversions and the likelihood a consumer will return for a subsequent shopping trip.

Again, the backbone of authentication is 3D Secure. But, all 3D Secure is not the same. Older versions that have been in the market for years don’t allow merchants or banks to request exemptions. They always require a step-up, often requiring a shopper to click away from a merchant’s site to satisfy the authentication requirement. A newer version allows merchants and card-issuing banks to request exemptions. The newest version allows merchants, the merchant’s bank and card-issuing banks to request exemptions.

Unfortunately, a significant number of European banks have not yet upgraded to the newest form of 3D Secure, meaning consumers will face an authentication challenge when trying to buy, unless the merchant has requested an SCA exemption via the authorisation route.

The optimum strategy for merchants in the SCA era is to understand —through data — the history of transactions when it comes to individual banks and payment service providers. That way they know whether the authentication route will result in a friction-free approval — meaning 3D Secure along the payment processing path is fully optimised for requesting and accommodating exemptions. Or would the better route be to request exemptions through the authorization route?

All this means that merchants need to pay more attention to transaction data. They should get into the business of what is happening: Why was an order declined? What banks and payment processors were involved? They should be more demanding in asking for data from their banks and their payment service providers. They should ask for data and reports that show what orders are being declined and why. And they should consider working with partners who can readily marshal that kind of data and provide instant insights into the question: authentication or authorisation.

After all, optimising transaction flow is more important than ever in the SCA era. And you can only make an intelligent choice if you have the proper data to guide you.