Will all transactions at my outlet use SCA?

No, they won't. It should be taken into account that there are a series of legal exemptions and exceptions that allow us not to always request two authentication factors, thereby benefitting the user experience without reducing payment security.


There are several kinds of payments which, due to their very nature, are exempted by PSD2 from the requirement of requesting strong authentication, including:

  • Payments made with anonymous prepaid cards because it is impossible to verify the cardholder's identity.
  • So-called MITs (Merchant-Initiated Transactions). The standard requires the implementation of SCA in electronic payments initiated by the ordering party. MITs are payments for products or services concerning which there is a prior agreement between the merchant and the cardholder, which allows the merchant to issue the charges without the cardholder having to perform any prior action to trigger them. These transactions require SCA in the first purchase, but not in subsequent ones (for example, subscription payments, supply payments and car rental or hotel booking surcharges). They are similar to card debit transactions.
  • MO/TO (Mail Order/Telephone Order) transactions.
  • Limited network payments.
  • Transactions in which the issuing bank or the acquirer are outside the European Economic Area.


In addition, a series of exemptions are legally envisaged which allow card issuing banks not to apply SCA, since they are deemed low-risk transactions. These exemptions include:

  • Payments under €30 up to a maximum of five consecutive transactions or a cumulative amount of €100.
  • Recurring payments of the same amount to the same outlet. The first transaction requires authentication. Subscriptions initiated before 14 September 2019 will not have to be authenticated unless they are changed.
  • Payments made to the cardholder's trusted beneficiaries that are indicated as such to the issuing bank, also known as "whitelists".
  • Some corporate payments.
  • Payments involving a low fraud risk. 


As a general rule, issuing banks will attempt to apply one of the exemptions or exceptions described above before asking the customer for SCA. The purchasing experience will therefore be the same as it is today in many cases.


Back to FAQs about PSD2 for outlets


For Unicaja Banco S.A., the holder of the web page, it is important to adapt to your tastes and preferences, for which we use own and third-party cookies, that gather connection data that may be linked to your registration user name, the purpose of which is to measure traffic and user interaction with the web page, to help to improve operation of the web content, as well as the services and products offered, preparing behaviour profiles, while always protecting your privacy. You may transparently choose the configuration that suits you best, without that causing any change in your usual operations.