Will all transactions at my outlet use Strong Customer Authentication (SCA)?

No, they won't. It should be taken into account that there are a series of legal exceptions and exemptions that allow us not to always request two authentication factors, thereby benefitting the user experience without reducing payment security.



There are several kinds of payments which, due to their very nature, are exempted by PSD2 from the requirement of requesting strong authentication, including:


  • Payments made with anonymous prepaid cards because it is impossible to verify the cardholder's identity.
  • So-called MITs (Merchant-Initiated Transactions). The standard requires the implementation of Autenticación Reforzada de Clientes (SCA) in electronic payments initiated by the ordering party. MITs are payments for products or services concerning which there is a prior agreement between the merchant and the cardholder, which allows the merchant to issue the charges without the cardholder having to perform any prior action to trigger them. These transactions require SCA in the first purchase, but not in subsequent ones (for example, subscription payments, supply payments and car rental or hotel booking surcharges). They are similar to card debit transactions.
  • MO/TO (Mail Order/Telephone Order) transactions.
  • Limited network payments.
  • Transactions in which the issuing bank or the acquirer are outside the European Economic Area.



In addition, a series of exemptions are legally envisaged which allow card issuing banks not to apply la Autenticación Reforzada de Clientes (SCA), since they are deemed low-risk transactions. These exemptions include:


  • Payments amounting to less than €30 and where the cumulative amount of remote transactions initiated by the ordering party from the last time Strong Customer Authentication was applied does not exceed €100 or where no more than five consecutive remote electronic payment transactions are made.
  • The first transaction of recurring payments of the same amount to the same merchant requires Strong Authentication. Subscriptions initiated before 14 September 2019 will not have to undergo Strong Authentication.
  • Payments made to the cardholder's trusted beneficiaries that are indicated as such to the issuing bank, also known as "whitelists".
  • Some corporate payments.
  • Payments involving a low fraud risk. 



As a general rule, issuing banks will attempt to apply one of the exemptions or exceptions described above before asking the customer for SCA. The purchasing experience will therefore be the same as it is today in many cases.


Back to FAQs about PSD2 for outlets


For Unicaja Banco S.A., the holder of the web page, it is important to adapt to your tastes and preferences, for which we use own and third-party cookies, that gather connection data that may be linked to your registration user name, the purpose of which is to measure traffic and user interaction with the web page, to help to improve operation of the web content, as well as the services and products offered, preparing behaviour profiles, while always protecting your privacy. You may transparently choose the configuration that suits you best, without that causing any change in your usual operations.