Manage SCA compliance

Last updated: October 18, 2022

Due to Strong Customer Authentication (SCA) requirements across the European Economic Area (EEA) and UK regions, non-3D Secure (3DS) or frictionless 3DS payments may be declined with a 20154 response code if authorization was presented without SCA, or a valid exemption.

If this happens, we automatically upgrade the payment to 3DS and send a 202 payment response with an "upgrade_reason": "sca_retry" field in the 3ds object. The response also contains a 3DS redirection URL that you should redirect the cardholder to for 3DS authentication.

After the cardholder completes authentication, the subsequent authorization request will be sent with 3DS data.

To retrieve the payment status after authentication, you can use the GET payment details endpoint or subscribe to the payment webhooks.

By default, the retry feature is enabled for all impacted payments.

You can disable the automated retry by passing "3ds.allow_upgrade": false in the payment request.

Alternatively, if you'd prefer to have this feature disabled by default, reach out to your Account Manager.

You can find the full list, as well as complete request and response examples, in our API reference.

post

https://api.checkout.com/payments


1{
2  "source": {
3    "type": "card",
4    "number": "4500622868341387",
5    "expiry_month": 12,
6    "expiry_year": 2025,
7    "cvv": 257
8  },
9  "amount": 100,
10  "currency": "GBP",
11  "3ds": {
12    "enabled": false,
13    "allow_upgrade": false
14  },
15  "processing_channel_id": "id"
16}

Only customer-initiated transactions (CITs) are eligible for the SCA retry solution, as the cardholder must be present or in session to complete the authentication.

If your merchant-initiated transactions (MITs) are receiving 20154 declines, it’s likely that:

The initial CIT to set up the MIT agreement was not authenticated with SCA (challenge)
The subsequent MITs were not flagged correctly for issuers to identify them as out of scope for SCA

Refer to our SCA compliance guide for information on how to correctly flag the initial CIT and subsequent MITs.

To test the flow in the sandbox environment, you can use the following 'magic card number': 4500622868341387.


1{
2  "source": {
3    "type": "card",
4    "number": "4500622868341387",
5    "expiry_month": 12,
6    "expiry_year": 2025,
7    "cvv": 257
8  },
9  "3ds": {
10    "enabled": false,
11    "allow_upgrade": true
12  },
13  "amount": 6510,
14  "currency": "USD",
15  "capture": false
16}

To test the flow in the sandbox environment with 3DS enabled, you can use our Hosted sessions solution.

Request a session and use 4604638550407414 or 5368763493455610 as the value for the source.number field.

post

https://api.sandbox.checkout.com/sessions


1{
2    "source": {
3        "type": "card",
4        "scheme": "amex",
5        "number": "4604638550407414",
6        "expiry_month": 12,
7        "expiry_year": 2030,
8        "billing_address": {
9            "address_line1": "123 High St.",
10            "city": "London",
11            "state": "ENG",
12            "zip": "SW1A 1AA",
13            "country": "GB"
14        },
15        "mobile_phone": {
16            "country_code": "44",
17            "number": "1234567890"
18        },
19        "email": "[email protected]"
20    },
21    "amount": 6510,
22    "currency": "USD",
23    "authentication_type": "regular",
24    "authentication_category": "payment",
25    "completion": {
26        "type": "non_hosted",
27        "callback_url": "https://example.com/callback"
28    }
29}


1{
2  "session_secret": "sek_Dal7UyiH8rIFXA4PfgiIk2jUyQkVDeEWgVBEL4TsRTE=",
3  "id": "sid_y3oqhf46pyzuxjbcn2giaqnb441",
4  "transaction_id": "9aea641d-0549-4222-9ca9-d90b43a4f38c",
5  "scheme": "amex",
6  "amount": 6510,
7  "currency": "USD",
8  "authentication_type": "regular",
9  "authentication_category": "payment",
10  "status": "pending",
11  "protocol_version": "2.2.0",
12  "_links": {
13    "self": {
14      "href": "https://api.checkout.com/sessions/sid_y3oqhf46pyzuxjbcn2giaqnb441"
15    }
16  }
17}

Verify that you can redirect the customer.

Request a payment using the same card number and use the id returned in the previous response as the 3ds.authenticationId value.

post

https://api.sandbox.checkout.com/payments


1{
2  "source": {
3    "type": "card",
4    "number": "4604638550407414",
5    "expiry_month": 12,
6    "expiry_year": 2030
7  },
8  "amount": 6510,
9  "currency": "USD",
10  "reference": "ORD-5023-4E89",
11  "processing_channel_id": "pc_dp7vuzrqp2xe3jipoi52aqkbiu",
12  "3ds": {
13    "enabled": true,
14    "authentication_id": "sid_qwjup7swlcrurgrxxhlqkerbqa"
15  },
16  "success_url": "https://example.com/payments/success",
17  "failure_url": "https://example.com/payments/failure"
18}


1{
2  "id": "pay_mbabizu24mvu3mela5njyhpit4",
3  "action_id": "act_mbabizu24mvu3mela5njyhpit4",
4  "amount": 6510,
5  "currency": "USD",
6  "approved": true,
7  "status": "Authorized",
8  "response_code": "10000",
9  "response_summary": "Approved",
10  "processed_on": "2023-09-10T10:11:12Z",
11  "_links": {
12    "self": {
13      "href": "https://api.sandbox.checkout.com/payments/pay_mbabizu24mvu3mela5njyhpit4"
14    },
15    "action": {
16      "href": "https://api.sandbox.checkout.com/payments/pay_mbabizu24mvu3mela5njyhpit4/actions"
17    }
18  }
19}

Manage SCA compliance

Opt out of automated SCA soft decline retry

Endpoints

Request example

Out-of-scope transactions

Test the automated SCA soft decline retry

Request example

Response example

Request example

Response example