Authentication with credit card payment 3-D Secure 2.0

This article explains what 3-D Secure and Strong Customer Authentication (SCA) are, why they are required for online card payments, and how they affect donation and payment transactions processed through RaiseNow.

Overview

The Second EU Payment Services Directive (PSD2) introduced stronger security requirements for online payments. Since 14 September 2019, most online card payments in Europe must be verified using Strong Customer Authentication (SCA).

To support these requirements, major card schemes such as Visa and Mastercard introduced 3-D Secure 2.0, an updated authentication standard designed to improve payment security while maintaining a smooth supporter experience.

Key points

• PSD2 requires Strong Customer Authentication for most online card payments
• 3-D Secure 2.0 helps verify that the cardholder is the legitimate owner of the card
• Not every transaction requires an additional authentication step
• The decision is made automatically during the payment process
• RaiseNow supports SCA-compliant payment processing, more information here: https://stripe.com/partners/sca-ready

What is 3-D Secure?

3-D Secure is an additional security layer for online card payments.

Depending on the transaction, the cardholder may be asked to complete an additional verification step before the payment can be authorised.

Examples include:

• Approving the payment in a banking app
• Entering a one-time SMS code
• Using biometric authentication such as Face ID or fingerprint recognition

These additional checks help reduce fraud and protect both supporters and organisations.

Further information to 3-D Secure 2.0 can be found here.

What is Strong Customer Authentication (SCA)?

Strong Customer Authentication is a PSD2 requirement that requires online payments to be verified using at least two independent authentication factors.

These factors generally fall into three categories:

• Something the supporter knows (for example, a password or PIN)
• Something the supporter has (for example, a mobile phone)
• Something the supporter is (for example, a fingerprint or facial recognition)

3-D Secure is one of the primary methods used to fulfil these requirements for card payments.

Why does 3-D Secure not appear for every payment?

3-D Secure is not applied in the same way to every transaction.

Whether an additional authentication step is required is determined automatically during the payment process.

Factors considered may include:

• Transaction amount
• Merchant information
• Country or location
• Payment history
• Usual spending behaviour
• Overall risk assessment

As a result:

• Some payments are completed without interruption
• Others require additional authentication

Who decides when 3-D Secure is required?

The decision is typically made by the cardholder's issuing bank.

The bank evaluates the transaction in real time and determines whether additional authentication is necessary.

If the transaction appears unusual or carries a higher level of risk, the bank may require the cardholder to complete an additional verification step before approving the payment.

This approach helps:

• Reduce fraud
• Protect cardholders
• Protect merchants and organisations
• Meet regulatory requirements

What does this mean for organisations using RaiseNow?

No action is generally required from organisations.

Responsibility for implementing and maintaining 3-D Secure compliance lies primarily with:

• Card acquirers
• Payment service providers
• Card schemes such as Visa and Mastercard

RaiseNow continuously works with its payment partners to ensure compatibility with current security requirements.

If any action is required from organisations in the future, RaiseNow will provide guidance and instructions.

Stripe and SCA compliance

If you use Stripe as your payment provider, Stripe supports Strong Customer Authentication requirements.

RaiseNow's Stripe integration is compatible with SCA requirements and supports the necessary authentication flows for compliant payment processing.

Frequently asked questions

Can supporters still donate if they do not complete the authentication step?

No. If authentication is required and the supporter does not complete the process, the payment will be declined or eventually fail after a timeout.

Does every card payment require 3-D Secure?

No. The requirement is determined automatically based on regulatory requirements and risk assessment.

Can RaiseNow disable 3-D Secure?

No. The decision to apply 3-D Secure is made by the cardholder's bank and the payment provider based on PSD2 requirements and risk evaluation.