Merchant-initiated transactions

Merchant-initiated transactions, such as paperless Direct Debit mandates are out of scope of SCA.


One key type of transactions that are out of scope of SCA, particularly for subscription businesses and those with recurring revenue, are merchant-initiated transactions:

Merchant-initiated transactions

A merchant-initiated transaction is a payment that is taken on an agreed upon date with the payer’s consent, and, as the name suggests, is initiated by the merchant collecting the payment.

If a transaction is merchant initiated, both fixed and variable payments will be exempt from SCA.

Unlike most transactions initiated by end customers, the payment flows of merchant-initiated transactions are frequently not instant. The end customer’s details are collected at one point in time and submitted to the end customer’s bank at another point in time. As such, the communication between the end customer, bank and payment provider does not happen in real-time. In SCA parlance, this is known as an asynchronous transaction. It would be impractical, and in some cases, impossible for SCA to be applied to these transactions.

However, note that for most merchant-initiated transactions, such as recurring card transactions, SCA will still need to be applied to the first payment if that is done with the involvement of the payer’s PSP (e.g.a card issuer).

Electronic ‘paperless’ Direct Debit mandates

One type of merchant-initiated transactions are electronic ‘paperless’ Direct Debits. In order to collect direct debits, a ‘mandate’ must be provided by the end customer from whom payments will be collected, to the merchant/PSP collecting those payments.

There has been a great deal of confusion as to whether SCA is required at the point of setup of the mandate by the payer - specifically, whether the action of setting up the mandate is an “action through a remote channel which may imply a risk of payment fraud or other abuses”.

On 7 June 2019, the EBA confirmed via its Q&A tool that Strong Customer Authentication (‘SCA’) is not required for the set up of electronic ‘paperless’ Direct Debit mandates provided in favour of merchant payees, so long as the end customer’s PSP (e.g. their bank) is not directly involved in that setup.

Specifically, the EBA confirmed:

“Mandates given by the payer to the payee set up without the direct involvement of the payer’s PSP are not subject to SCA.”

‹ View table of contents Next page ›

Latest features

Security vs. convenience in the payment experience: What matters most to online shoppers?

We surveyed 4,000 customers across the UK, France, Germany and Spain about their attitudes to security and convenience when shopping online. Get all the insights here.

The new CFO: How 4 CFOs have seen their roles evolve

Hear from the CFOs at GoCardless, SideTrade, The FD Centre and Wolffepack as they discuss how the role has evolved – with insight into the challenges and opportunities they face in a changing financial landscape.

How to scale a fintech: Strategic advice from industry leaders

Learn from the leaders of Monzo, TransferWise, Funding Circle and more, with over 30 pieces of wisdom for scaling your fintech. Get your free copy now.

View all


Reference guides

View all