SCA & 3D Secure

Guides

You don't need to do anything. Stripe and Flow automatically apply SCA and 3D Secure where required. This guide explains what's happening behind the scenes.

What is SCA?

Strong Customer Authentication (SCA) is a European regulatory requirement under PSD2. It requires that online payments include at least two forms of authentication (e.g. password + one-time code). SCA applies to card-not-present transactions from European customers. In-person payments (chip & PIN, NFC) are already compliant by nature and are SCA-exempt.

How Flow handles 3D Secure

Automatic 3DS trigger

When you process an online payment (payment link, invoice) requiring SCA, Stripe automatically triggers a 3D Secure challenge for the customer.

Customer completes challenge

The customer is redirected or shown a native prompt from their bank to authenticate (biometric, SMS code, etc.).

Payment resumes

After successful authentication, the payment proceeds normally. If the challenge fails, the payment is declined.

Liability shift

When 3DS is completed, liability for fraudulent chargebacks shifts from you to the card issuer - a major protection benefit.

SCA exemptions

Payment type	SCA required?
In-person chip & PIN	Exempt
In-person contactless (NFC)	Exempt (below threshold)
Tap to Pay (iPhone/Android)	Exempt (in-person)
Payment links (online)	May be required
Invoices (online)	May be required
Low-value transactions (<â‚¬30)	Often exempt

SCA rules apply to EU/EEA customers. If you primarily process in-person payments in the US or other markets outside Europe, SCA has minimal impact on your day-to-day operations.