Learn about Mangopay’s SCA features applicable to Owner users
UserCategory
is OWNER
.Owner users are subject to Mangopay’s T&Cs and as such hold a Mangopay Account. The regulations require these account holders to perform SCA directly with Mangopay.Users whose UserCategory
is PAYER
are not affected by Mangopay’s SCA features. See below for information about the PLATFORM
category.OWNER
user accesses their payment account or initiates certain payment activities, or to other situations considered at risk.
SCA has an impact on OWNER
users at certain moments of their activity with Mangopay. Your platform must change its implementation as a result (see integration required).
Prior to being able to authenticate actions, the user must:
OWNER
UserCategory
)Email
, PhoneNumber
)OWNER
users that require SCA to be performed are:
OWNER
users for use with payouts)OWNER
users)OWNER
users to view wallet balance or list transactionsRedirectUrl
in the API response) is valid for 10 minutes from when it is generated. The OWNER
user must complete all the necessary steps for enrollment or authentication before the session expires.It is not possible to initiate an action and then ask the user to complete the SCA session later.Integration required | Available |
---|---|
New user-creation endpoint for enrollment when you register a Owner user for the first time (Natural and Legal, all types). | Now |
New user-categorization endpoint for enrollment when you transition a Payer to Owner (Natural and Legal, all types) | Now |
New user-modification endpoint to re-enroll an enrolled Owner if contact details changed (Natural and Legal Soletrader). | Now |
New endpoint to enroll an existing Owner (Natural and Soletrader) at an appropriate moment in your user journey | Now |
Webhooks for the OWNER user account, when enrollment is triggered and completed:
| Now |
SCA enrollment and authentication for Business, Partnership, and Organization types of Legal user | See Legal user integration, date to be announced |
Registration of new bank accounts as Recipients with SCA for Owners | Now |
SCA on Transfers that are user-initiated between two Owners using ScaContext | Now |
Webhooks for transfer event types:
| Now |
SCA on Mangopay Account access for Owners using ScaContext | Now |
ClientId
and API key.PendingUserAction.RedirectUrl
. You are able to define a specific page for the user to be returned to after the session.
For the user, Mangopay’s SCA session provides a user-friendly experience that guides them efficiently through all the necessary steps relating to all required factors.
Mangopay’s hosted SCA session handles both enrollment and authentication.
returnUrl
before you redirect the user on the RedirectUrl
value, otherwise the hosted web page cannot return them upon completion.Factor | Required | Type | Description |
---|---|---|---|
Trusted device using WebAuthn passkey | No | Possession (of device) and inherence (if biometrics) or knowledge (if password or passcode) | The individual uses the native authentication features (biometrics, password, passcode) of their device that they set up during enrollment. |
Personal identification number (PIN) | Yes | Knowledge | The individual enters a 6-digit code they defined during enrollment. |
Phone-based one-time passcode (OTP) | If passkey not used | Possession | The individual receives a 6-digit OTP via SMS to the phone number provided during enrollment. |
Action | Exemptions applicable by Mangopay |
---|---|
User being assigned OWNER category (creation or categorization) | None, because this represents SCA enrollment |
Change of SCA contact details | None, because this represents SCA re-enrollment |
Recipient (bank/payment account) registration | None. Systematic SCA on Recipients enables your users to benefit from an SCA exemption when they request a payout, because the account can be considered a trusted beneficiary. |
Transfer initiation between OWNER users | Two kinds of exemptions may be applied by Mangopay on Owner-initiated transfers to other Owners. Note that for transfers between wallets held by the same Owner, SCA does not apply. An Owner also can’t transfer to a Payer.Low-amount transfersTransactions under €30 may be exempted from SCA until they reach one of the following limits:
|
Account access (wallet, transaction history) | Accessing wallet balances and listing transactions may be exempted if the last SCA for either of these actions occurred less than 180 days ago.SCA performed for a different action not related to account access, such as registering a Recipient (bank/payment account) or initiating a transfer, cannot be used to exempt account access. |
OWNER
users will not be asked to perform SCA on payout requests.
PAYER
users. Furthermore, refunds that use payouts (by citing the reference of the initial transaction as the PAYIN_REFUND
reason) will continue to be possible for PAYER
users, because a Recipient can be created for this purpose (see Recipient scopes - Pay-in).
PAYER
(or OWNER
) is asked to authenticate the transaction by their issuing bank or PSP. This authentication may also be mandated by the same European regulations (PSD2). For example, 3DS on card transactions addresses the requirements of SCA.
On pay-ins, Mangopay enables redirection for users to perform this authentication with third-parties, such as card networks, issuing banks, and payment method providers. In the API, this takes place via the SecureModeRedirectURL
(e.g. direct and recurring card pay-ins, preauthorizations, etc.) or other RedirectURL
(e.g. on APMs and web card pay-ins) that Mangopay returns in response to the pay-in request.
However, in the pay-in scenario, the issuing bank or PSP of the user is in charge of applying SCA and allowing any exemptions.
Mangopay’s introduction of SCA on OWNER
users does not have any impact on pay-in authentication or your existing checkout or payment page integrations.
OWNER
user takes, whether via the API or via the Dashboard. Initially, your platform needs to change its API implementation.
Mangopay is defining a strategy for Dashboard-based actions. Until then, your usage of the Dashboard can continue as before.
When actions are executed on behalf of Mangopay Account holders without direct user authentication, each case will be evaluated individually to determine the appropriate SCA process. It is essential that we understand the context and legal justification for such actions, as bypassing direct user consent could expose us to security risks. We remain committed to maintaining the highest standards of security and compliance.
The Dashboard will integrate the API-based SCA-features (e.g. Recipients), but presently it has the legacy user endpoints integrated.
Note that if you change a PAYER
to OWNER
via the Dashboard, that action uses the legacy PUT Update a User endpoint, and as such it will not trigger SCA, even if the PAYER
was created using the new SCA-enabled endpoint. Such a user will still need to enroll as an existing user via the POST Enroll a User endpoint.
UserCategory
value PLATFORM
indicates a specific user approved by Mangopay that represents the platform.
Initially, SCA will not be required a User whose UserCategory
is PLATFORM
. SCA is applicable to actions taken by these users, however, and Mangopay is defining a suitable solution.
OWNER
users. The regulations require Mangopay Account holders to perform SCA with Mangopay directly.