Strong Customer Authentication
How VINR applies SCA / PSD2 across methods.
Strong Customer Authentication (SCA) is a European regulatory requirement that forces an extra identity check on many electronic payments. VINR decides when authentication is required, requests the right exemptions, and runs the 3D Secure challenge for you — so you write the same payments.create call whether or not a challenge ends up firing.
This page is informational and not legal advice; consult your compliance counsel for binding decisions.
What SCA requiresAsk
Under PSD2, a payment in the European Economic Area generally needs two of three independent authentication factors:
| Factor | Category | Examples |
|---|---|---|
| Knowledge | Something the customer knows | Password, PIN |
| Possession | Something the customer has | Phone, hardware token |
| Inherence | Something the customer is | Fingerprint, face scan |
The rule applies when both the cardholder's bank and the merchant's acquirer are in the EEA. It covers most card payments and many bank-initiated flows, with a defined set of exemptions for low-risk or low-value transactions.
How VINR applies itAsk
You do not call a separate "authenticate" endpoint. VINR evaluates every eligible payment at creation time, attaches an exemption where one is justified, and escalates to a challenge only when the issuer requires it.
import { Vinr } from '@vinr/sdk';
const vinr = new Vinr({ secretKey: process.env.VINR_SECRET_KEY });
const payment = await vinr.payments.create({
amount: 4900, // €49.00 in minor units
currency: 'EUR',
description: 'Annual plan',
returnUrl: 'https://yoursite.com/payment/complete',
authentication: {
// Optional. Defaults to "automatic" exemption handling.
requestExemption: 'transaction_risk_analysis',
},
});
// payment.authentication.status → "pending" | "required" | "succeeded"
// | "failed" | "exempted"
// payment.checkoutUrl → hosted page; runs the challenge if "required"When payment.authentication.status is required, the customer must complete a challenge on checkoutUrl before the charge can be captured. VINR surfaces the outcome on the payment object and in webhooks, so your server logic stays the same across exempted and challenged payments.
Always send the customer to checkoutUrl even when you expect an exemption. The issuer can override a requested exemption and demand a challenge ("soft decline"), and the hosted page handles that retry for you automatically.
ExemptionsAsk
Exemptions let you skip the challenge while staying compliant — they protect conversion without weakening the rule. VINR requests them on your behalf based on the request and your risk profile.
Prop
Type
The issuer is the final authority: it can accept or reject any requested exemption. If it rejects, VINR transparently falls back to a 3D Secure challenge — the liability shift stays with you for unauthenticated exemptions you requested, and shifts to the issuer once a challenge completes.
The 3D Secure flowAsk
3D Secure (3DS2) is the network protocol that carries the authentication. VINR drives it through the hosted checkout in three phases.
Fingerprint
The hosted page silently collects device and browser data and sends it to the issuer. Most low-risk payments resolve here with no customer interaction (a "frictionless" flow).
Challenge
If the issuer wants more assurance, the customer completes a step — typically a one-time code or a biometric prompt in their banking app. The page handles the redirect and return.
Result
The issuer returns an authentication outcome. VINR records it, fires a webhook, and moves the payment toward capture or marks it failed.
Verify the outcome server-side from the webhook rather than trusting the browser redirect alone:
const event = vinr.webhooks.verify(rawBody, req.headers['x-vinr-signature']);
switch (event.type) {
case 'payment.completed':
// Authentication passed (or was validly exempted) and funds captured.
await fulfillOrder(event.data.metadata.orderId);
break;
case 'payment.authentication_failed':
// Challenge abandoned or rejected — prompt the customer to retry.
await flagForRetry(event.data.id);
break;
}Test the branches in sandbox with the standard cards: 4242 4242 4242 4242 succeeds frictionlessly, 4000 0000 0000 3220 forces a 3DS challenge, and 4000 0000 0000 0002 is declined.
Impact on conversionAsk
Every challenge adds friction, so the goal is to authenticate only when required. To keep approval rates high:
- Let VINR request exemptions — the default handling maximizes frictionless flows within your acquirer's fraud-rate budget.
- Authenticate once, reuse it — the first on-session charge of a subscription clears the way for
recurringandmerchant_initiateddebits. - Pass rich data — accurate billing details and email improve the issuer's risk score and the odds of a frictionless result.
- Handle soft declines — never treat an exemption rejection as a hard failure; the hosted page already retries with a challenge.
Off-session charges (MIT, metered billing) cannot show a challenge because the customer is absent. Ensure the initial setup charge is authenticated on-session, or the issuer may decline later debits.
Next stepsAsk
Payment lifecycle
Every status and the events that fire.
Authorize & capture
Reserve funds now, capture after authentication.
Webhooks
Verify authentication outcomes server-side.
Last updated on
