Online Cardholder not Present payments in the European Economic Area (EEA) are changing

Ready or not, new industry standards came into effect last year and the sooner you get on board, the more your business can benefit.


New requirements introduced by the second Payment Services Directive (PSD2) mean your customers will be asked for more information when they buy from you online, in an attempt to reduce fraud with new higher security standards for online payments. You may already be meeting these requirements, but if not you’ll need to add a method for meeting Strong Customer Authentication (SCA) to your checkout.


Strong Customer Authentication (SCA) is an extra layer of security, also known as two-factor authentication

It means customers may be asked for two different pieces of information from the following categories when making purchases online:

SCA must be used for all remote electronic transactions unless an exemption applies. Exemptions include (but are not limited to), Transaction Risk Analysis (TRA), low-value payments (equal to/below €30 with further conditions applying), reoccurring transactions and transactions with trusted beneficiaries (white listing).

See the SCA authentication flows for further information.

Read more

Find out how Mastercard is helping with these changes.

Learn more

Sign up for key updates

Mastercard hosts regular live events providing information about SCA adoption rates and best practices across Europe.

When will Strong Customer Authentication be enforced?

Strong Customer Authentication (SCA) requirements came into force across the majority of EEA countries from 31st December 2020, with the exception of the UK, which is maintaining a longer transition period until 14 September 2021.

Merchants should prepare to migrate to EMV 3DS (the evolution of 3-D Secure and the preferred SCA solution) as soon as possible in order to be fully compliant with the PSD2 SCA requirements.

Register your interest in the Mastercard Payment Gateway Services solution


*This information is correct as of March 2021.