EBA and PSD2 publish guidelines on banking institutions to EEA countries. Each nation in EEA has to interpret and adapt it to national law.

In scope

Region, European Economic Area

All transactions that take place wholly within the EU/EEA (with an EEA-based acquirer, and an EEA-based card issuer) fall within the scope of PSD2.
Consequently, a merchant falls within the scope of PSD2 and SCA if the following criteria is met:

• the merchant has a contract with a EU/EEA-based acquirer

Cardholder initiated transactions (CIT)

PSD2 and SCA enforce Strong Customer Authentication for all online cardholder initiated transactions.

Out of scope

Region, One leg out

A merchant does not fall within the scope of PSD2 and SCA if the following criteria is met:

• It does not use an EEA-based acquirer

🚧

Strongly recommended

However, we strongly recommend to all merchants offering goods and services to consumers mainly in the EU/EEA to meet the PSD2 requirements for SCA regardless of their location.

Merchant initiated transactions (MIT)

PSD2 and SCA do not regulate merchant initiated transactions, therefore it is regarded as out of scope. Please bear in mind that the agreement between merchant and cardholder to setup subsequent merchant initiated transactions requires SCA.

Mail and telephone order (MoTo)

As MoTo transactions are triggered by agents on behalf of the cardholder, it is not a cardholder initiated transaction and therefore out of scope.

Anonymous prepaid cards

SCA is not required for anonymous prepaid transactions.