SCA: What online retailers really need to consider

SCA has been mandatory since 2021 — but implementation is now decisive for market shares. Retailers who separate security and user experience lose customers. If you combine both, you turn regulatory pressure into a real competitive advantage.

Inhalt:

1. How SCA is changing the checkout — and what that means for retailers in 2025

2. Which best practices and exceptions minimize conversion failures,

3. What measures retailers must implement now to combine security and sales.

Kopieren

Inhalt:

1. How SCA is changing the checkout — and what that means for retailers in 2025

2. Which best practices and exceptions minimize conversion failures,

3. What measures retailers must implement now to combine security and sales.

Kopieren

While there was still uncertainty in 2019, SCA is now part of everyday life. For retailers, it is no longer a question of whether they implement SCA, but how they design it so that security and turnover go hand in hand.

What does SCA mean for online retailers?

SCA — the Strong Customer Authentication — is not just another compliance issue that retailers must check off. It fundamentally changes How payments work online and what customers expect from security and user experience.

In essence, the point is that every sensitive transaction in Europe since PSD2 has at least two factors must be secure: something that the customer knows (password, PIN), something they have (smartphone, card) or something that makes them unique (fingerprint, Face ID).

For retailers, this means:

  • Checkouts have become more complex. In the past, a click on “Buy now” was enough. Today, customers go through additional authentication steps — depending on the bank, payment method and transaction amount. This potentially increases the risk of abortion.
  • Technical infrastructure is crucial. Anyone who uses old payment interfaces or hasn't switched to 3DS2 loses customers to smoother providers. Here, modern PSPs do the “translation work” between bank, card and shop.
  • Responsibility is shifting. Merchants are no longer solely responsible for security, but work together with banks and payment providers. Nevertheless, the retailer remains the first person that customers blame in case of problems.

In short: SCA forces shops to think of security as part of the user experience. Not just a “duty” — but an opportunity to create trust.

How does SCA work in practice?

Today, payment service providers (PSPs) such as Adyen, Stripe, PayPal or Unzer automatically implement SCA requirements. Merchants don't have to build their own authentication procedures — but they must ensure that their checkouts are technically compatible and do not break the user interface.

Best practices:

  • Biometrics instead of TAN: Fingerprint or Face ID via a banking app are faster and more user-friendly than SMS-TAN.
  • Smart Routing: Modern PSPs automatically recognize whether an exception applies and minimize unnecessary SCA queries.
  • 3DS2 instead of 3DS1: The old 3D Secure was a conversion killer. 3DS2 reduces abortions through mobile-first design and simplified processes.

What exceptions still apply?

SCA is mandatory — but not always. Retailers can benefit from exceptions if they are implemented in a technically clean manner:

  • Small amounts: Transactions under 30 euros are often excluded.
  • Recurring payments: Subscriptions with the same amount only require SCA when booking for the first time.
  • B2B payments: With defined, secure payment methods, SCA is partially omitted.
  • Trusted Beneficiaries: Customers can whitelist retailers (rarely used in practice).
  • Transaction risk analysis (TRA): PSPs can approve certain payments when the risk of fraud is demonstrably low.

Important: Whether an exception is accepted is decided at the end the customer's bank, not the merchant.

Conversion effects: risk or opportunity?

When SCA was announced in 2019, the biggest fear in online retail was: Collapse in conversion rates. The concern was justified — initial implementations with the old 3D Secure led to purchase cancellations of 10-20% because processes were cumbersome and barely usable on the go.

The situation is now much more differentiated:

  • Biometrics provide convenience. Many customers today confirm payments using Face ID or fingerprints in their banking app. The process is faster and more convenient than TAN lists or SMS codes used to be.
  • Trust increases sales. Users no longer see additional security as a hurdle, but as a service. Anyone who gives the impression that payments are protected reduces “payment anxiety” — an important conversion driver, especially for high-priced products.
  • Exceptions bring flexibility. With smart routing (e.g. TRA, small amounts, subscriptions), not all transactions need to be confirmed with SCA. Retailers with clean setups thus create an optimal balance of safety and convenience.
  • Mistakes cost sales. Where interruptions occur today, it is almost always due to poorly optimized UX: long loading times between banking app and shop, unclear information in the checkout, lack of alternative payment methods.

The business effect is clear: SCA is not a conversion killer — if it is implemented correctly. Merchants who invest gain trust and can even achieve better conversion rates than before the PSD2 transition.

What retailers should do in 2025

The implementation of SCA is decisive for success or frustration in the checkout. Anyone who now just thinks “duty fulfilled” risks unnecessary interruptions and angry customers. Decision-makers should use SCA rather than strategic lever understand: for more trust, better customer experience and stable conversion rates.

The following measures are mandatory:

  • Check your PSP setup: Are you already using 3DS2 and Smart Routing?
  • Test user experience: Simulates checkout flows with various devices and banks.
  • Adapt customer communication: Clearly explains why additional steps are necessary — and how they increase security.
  • Offer alternative payment methods: Invoices, direct debits or wallets (Apple Pay, Google Pay) can reduce cancellations.
  • Monitor conversion data: Measures where abortions happen — and optimizes in a targeted manner.

Conclusion: Seeing SCA as a business opportunity

SCA is here to stay — and by 2025 it is much more than a regulatory requirement. For retailers, it means that security and conversion are inseparable. Anyone who sets up processes cleanly, makes intelligent use of exceptions and consistently optimizes user guidance transforms the fulfilment of duties into a competitive advantage.

The formula for success is: Technology + transparency + user experience. Retailers who master these three factors minimize interruptions, create trust and increase sales. On the other hand, anyone who relies on outdated systems or half-hearted implementations not only risks losses — but also loss of customer trust.

In short: SCA is not a brake block, but a growth lever. Decision-makers who have recognized this are today securing an advantage in tomorrow's e-commerce.

Wiebke Unger
May 14, 2019
5. min reading time
Thank you for subscribing.
Submission failed. Please try again.