Docs Home
Dev Essentials
PaymentsCommerceCustomersStaffMerchants
Publish
Release notes

Docs

Docs Home
Dev Essentials
Payments
Commerce
Customers
Staff
Merchants
Publish
Release notes
Overview
Build a Tip Report
Split an Online Payment
Build a Sales Report
Delayed Capture
Partial Payments
Statement Descriptions
ACH Bank Transfer Payment
Afterpay and Clearpay Payments
Cash App Payments
Cash Payments
External Payments
House Accounts
Collect Application Fees
Update Payment and Tip Amounts
Retrieve Payments
Troubleshoot
Webhooks
Refund Payments
Refund a Payment with an App Fee
Retrieve Refunds
Process an Unlinked Refund
Webhooks
Process Disputes
Test in the Sandbox
Quickstart
Take Payments for Orders
Take One-Off Payments
POS App Pairing
Monitor Square Terminals
Check Device Information
Add Payment and Checkout Features
Save Card on File
Print or Issue Receipts
Customize the Idle Screen
Confirmation Screen
Signature Capture Screen
Data Collection Screen
Menu Selection List Screen
QR Code Screen
Link and Dismiss Actions
Manage Terminal Actions
Authorize the Mobile Payments SDK
Pair and Manage Card Readers
Take a Payment
Tap to Pay on Android
Offline Payments
Handling Errors
Authorize the Mobile Payments SDK
Pair and Manage Card Readers
Take a Payment
Tap to Pay on iPhone
Offline Payments
Configure for Square Stand or Square Kiosk
Handling Errors
Migrate from Reader SDK
React Native Plugin
Flutter Plugin
Migrate to Mobile Payments SDK
Get Credentials
Configure the Sample Application
Take a Cash Payment
Customize the Checkout Amount
Take a Credit Card Payment
How It Works
Build on Android
Build on iOS
Connect a Contactless Reader
Charge a Card on File
Save a Card on File
Configure on iOS for Square Stand
Deauthorize Reader SDK
Capture a Transaction
Delay the Capture of Payments
Configure APK Splits
Update to New Reader SDK Version
Flutter Plugin
React Native Plugin
How It Works
Build on Android
Build on iOS
Build on Mobile Web
Find Your Android Fingerprint
Use the API in Offline Mode
Add an Alert Dialog Helper Class
Accept E-Money Payments
Accept QR Payments
Mobile Web Technical Reference
Payments API Integration
Set Up the Web Client App
Add the SDK to the Web Client
Deploy the Application
Take a Card Payment
Apple Pay
Google Pay
Digital Wallet Payment Requests
ACH Bank Transfer
Afterpay
Cash App Pay
Take a Gift Card Payment
Take Partial Payments
Customize the Card Entry Form
Charge and Store Cards
Add a Content Security Policy
Exception Handling
Set up the Client
Deploy the Server
Install the SDK
Build on Android
Build on iOS
Google Pay
Apple Pay
Localize an Application
Gift Card Payments
Flutter Plugin
React Native Plugin
Customize the Payment Entry Form
Connect to a Backend Service
Remove the Postal Code Requirement
Troubleshoot
How It Works
Verify a Buyer
Quick Pay Checkout
Square Order Checkout
Subscription Plan Checkout
Checkout Settings
Checkout Configurations
Manage Checkout
Guidelines and Limitations
Common Pitfalls and Solutions
Subscription Plans and Variations
Manage Subscriptions
Subscription Actions and Events
Pause, Resume, or Cancel Subscriptions
Subscription Billing and Invoices
Swap Subscription Plan Variations
Create and Publish Invoices
Retrieve, List, or Search Invoices
Create or Delete Invoice Attachments
Update Invoices
Cancel or Delete Invoices
Pay or Refund Invoices
Walkthrough: Create and Publish Invoices
Manage Cards
Create a Card on File from Payment ID
Create a Card on File and Make a Payment
Create a Shared Card on File and Make a Payment
Manage Card Declines
List Payouts
Get Payout
List Payout Entries
Bank Accounts
How It Works
Build with Mobile Authorization
Get Authorization Code on Command Line
Payment Methods by Country
Payments Pricing
Strong Customer Authentication
Payment Minimums

/

Payments

Strong Customer Authentication

Applies to: In-App Payments SDK - Android | In-App Payments SDK - iOS | Web Payments SDK | Payments API | Customers API

Learn how to use Strong Customer Authentication to verify buyers for online and in-app payments.

Overview
Requirements and limitations
What is 3DS?
Liability shift
Do I need to authenticate?
How is Square helping me prepare for SCA?
SCA in non-mandated markets
Digital wallets
How it works
Link to section

Overview

Use Strong Customer Authentication (SCA) with the Web Payment SDK and In-App Payments SDK to verify the buyer and reduce the chance of fraudulent transactions. Strong Customer Authentication refers to the usage of the 3-D Secure (3DS) protocol to verify the identity of a buyer at the time of an online purchase. Square applies 3DS to a payment in accordance with the UK/EEA PSD2 SCA Mandate, the Japan SCA METI Mandate, and/or individual seller risk rules set up in Risk Manager.

Link to section

Requirements and limitations

Currently, when paying online, buyers must enter their card number, expiration date, CVV, and postal code to make a payment. Buyers are required to complete two of the three factors of authentication when initiating a payment: something they know, something they own, and something they are. For online card payments, the SCA requirements are met by implementing 3DS. For in-store payments, SCA requirements are met through the use of chip and PIN or mobile wallets. Payments without this additional authentication are declined by the cardholder's bank. Payments initiated by sellers, such as recurring transactions or mail-order/telephone order (MOTO), don't require SCA.

A graphic showing the three elements of a multi-factor authentication, which are something you know, something you have, and something you are.

Link to section

What is 3DS?

3DS - also known as "3-D Secure" is a standard protocol developed by a collaboration of several payment card issuers. It defines a multi-factor authentication mechanism that can be used to satisfy authentication requirements in markets wherever Strong Customer Authentication (SCA) is required by local mandates.

3DS can also be used to authenticate buyers in countries where SCA isn't a requirement. In those countries, Square provides the 3DS mechanism for those sellers who opt to use it in Risk Manager. 3DS creates the same buyer experience regardless of whether it's initiated from an SCA-required country. For more information, see Strong Customer Authentication FAQ.

Link to section

Liability shift

With 3DS, the liability for fraudulent chargebacks is shifted to the card issuer in most cases. This liability shift to the issuer occurs when the payment is successfully authenticated through 3DS and the card involved is a Mastercard, American Express, JCB, Visa, Diners Club International or Discover card. Any of these cards that can be saved on file with Square can also use 3DS. For more information, see Charge and Store Cards for Online Payments.

Link to section

Do I need to authenticate?

Square advises all Square developers and partners operating in the European Economic Area (EEA), including the UK, or in Japan to take appropriate steps to be compliant with SCA enforcement to avoid an increase in declined payments for European or Japanese cardholders, respectively.

In the UK, banks have required cardholders to complete SCA, with full requirements in place since March 14, 2022. Across the rest of the EEA, banks have applied SCA in full since January 1, 2021, following a staggered rollout through 2021. In Japan, banks have required SCA for their cardholders since April 1, 2025.

Square provides SCA features for the Web Payments SDK and In-App Payments SDK within Europe, where the business taking the payment and the cardholder's bank are both in the EEA.

Note

SCA isn't required for in-person payment solutions such as the Square Point of Sale API or Reader SDK applications.

Link to section

How is Square helping me prepare for SCA?

Important

Implementation details of Strong Customer Authentication depends on the SDK used. For more details, see the Web Payments SDK and In-App Payments SDK guides. In this topic, Square refers to the SCA process as “verify the buyer.”

Sellers that integrate their applications with Square APIs need to flag buyer-initiated or seller-initiated payments by using the CustomerDetails object with the Payments API CreatePayment endpoint. The CustomerDetails object accepts Booleans on buyer initiated payments and seller keyed-in payment details:

PropertyValue (Boolean type)
customer_initiatedtrue or false
seller_keyed_intrue or false

Developers and partners that use Square developer products (such as the Web Payments SDK, In-App Payments SDK, and Square APIs) must ensure that their applications are SCA-compliant to minimize the impact of declined payments by following these guidelines:

Sellers that use Square Online and Square Invoices have their integrations managed by Square and don't need to flag transactions for SCA authentication.

Important

  • Verify the buyer only when they are present and have initiated the transaction.
  • In SCA mandated markets, payments that don't provide authentication get a CARD_DECLINED_VERIFICATION_REQUIRED error for transactions that require authentication on the payment request. This error means that the seller didn't verify the buyer on the buyer-initiated payments.
Link to section

SCA in non-mandated markets

The SCA flow is started for a buyer if their payment card meets any of the conditions listed in the Square Risk Manager Glossary. For sellers outside of markets that require SCA, Square provides a mechanism in Risk Manager to let them opt in for 3DS on a location basis. For example, a seller might have an in-person location, an in-person and online location, and an online only location. Online payments are card-not-present payments and benefit from the added security of 3DS. In this case, a seller might opt in for 3DS in those locations.

A payment card might trigger the SCA authentication flow and verify the identity of the buyer without generating a payment alert. A payment alert is only created in Risk Manager if the payment appears to be suspicious or fraudulent.

Link to section

Enable SCA

To enable SCA in a non-mandated market, the seller uses an application integrated with a Square payments SDK to take a payment with a debit or credit card. If the application can verify a buyer, the seller can enable SCA in Risk Manager for the location that is taking the payment. When enabled, SCA is active until the seller disables it. SCA cannot be enabled until the integration has been added by the application.

Link to section

Digital wallets

For in-app transactions that require SCA and are made with a digital wallet, we recommend verifying the buyer. See Integrate Digital Wallets with the In-App Payments SDK for more information. For the Web Payments SDK, tokenizing the digital wallet will automatically verify the buyer’s card.

Link to section

How it works

Learn how SCA works by walking through the steps in the following example:

StepFlow illustration
  1. Call tokenize() with verification details included in the request
A diagram showing a verifyBuyer() call with the payment token or the buyer card ID and the transactional details.
  1. Square automatically checks if authentication required during tokenization
A diagram showing Square automatically checking whether the transaction requires Strong Customer Authentication.
  1. If challenge needed, display authentication challenge inline
A diagram showing the Bank Verification challenge.
  1. Single payment token returned
sca-overview-how-it-works-payment-token

Important

Custom risk-score based SCA authentication private beta

If the seller has set up custom score rules and logic in Risk Manager, you can trigger SCA authentication based on the custom risk score by passing the custom risk score value when verifying the buyer. To try out this feature, contact your Square representative.

Link to section

Next steps

Implement SCA in your application to start the SCA flow by reading the following topics:

On this page
OverviewRequirements and limitationsWhat is 3DS?Liability shiftDo I need to authenticate?How is Square helping me prepare for SCA?SCA in non-mandated marketsDigital walletsHow it worksNext steps