Scope
Mangopay’s SCA features are applicable to Natural Users and Legal Users whoseUserCategory is OWNER.
Owner users are subject to Mangopay’s T&Cs and as such hold a Mangopay Account. The regulations require these account holders to perform SCA directly with Mangopay.
Users whose UserCategory is PAYER are not affected by Mangopay’s SCA features, but see the note below about SCA with their issuers on pay-ins.
For information and users whose UserCategory is PLATFORM, see below.
Actions requiring SCA
The regulations require Mangopay to apply SCA to situations where aOWNER user accesses their payment account or initiates certain payment activities, or to other situations considered at risk.
The SCA-triggering actions impact OWNER users at certain moments of their activity with Mangopay.
SCA enrollment
Prior to being able to authenticate actions, there are two actions relating to enrollment in SCA:- SCA enrollment at the point of Mangopay Account creation, which is when a user is assigned the
OWNERvalue forUserCategory - Re-enrollment if the user’s SCA contact details change, meaning their email and phone number
SCA authentication
The actions taken byOWNER users that require SCA to be performed are:
- Recipient creation, by
OWNERusers for use with payouts - Transfer initiation, between two
OWNERusers - Mangopay Account access by
OWNERusers to view wallet balance or list transactions
Note – SCA cannot be delayedOn all the actions above, SCA is triggered immediately when the API request is made. The API response contains the URL of a secure hosted SCA webpage to which your platform needs to redirect the individual.The SCA session (the
RedirectUrl in the API response) is valid for 10 minutes from when it is generated. The OWNER user must complete all the necessary steps for enrollment or authentication before the session expires.It is not possible to initiate an action and then ask the user to complete the SCA session later.Taking action by proxy with user consent
Due to your platform’s activity and integration workflow, you may wish to take actions on behalf of users in certain circumstances. If the action is one that is subject to SCA, then it is possible if:- The legal documentation (e.g. terms and conditions) between your platform and the user includes the actions that you take on their behalf by proxy
- Mangopay has the user’s consent to the proxy that allows your platform to act on the user’s behalf for the specific action – this is managed through the hosted SCA experience
Integration required for SCA
The following table lists the actions and endpoints on which SCA redirection is required (or may be required, because Mangopay may be able to exempt a given transfer or wallet access request). Additional integration is required if your platform is taking actions by proxy on behalf of the user (and sending theScaContext value USER_NOT_PRESENT) – read more →
Enrollment and authentication
| Action (and guide) | Endpoint |
|---|---|
User creation (if OWNER) | |
User categorization (from PAYER to OWNER) | |
| User modification if SCA contact details changed (re-enrollment) | |
Recipient creation (if OWNER and RecipientScope is PAYOUT) | |
Transfer initiation to another OWNER (unless specific transfer is exempted by Mangopay as low-amount or low-risk) using ScaContext | |
Wallet access (unless SCA for wallet access was performed in the last 180 days) using ScaContext |
Caution – ScaContext is mandatory in all casesFor all platforms, the
ScaContext parameter on transfers and wallet access is mandatory in all cases where the User is an OWNER.Its values in all cases mean:USER_PRESENT– The user is taking the SCA-triggering action. The platform must redirect the user using thePendingUserAction.RedirectUrlreturned so that the user can complete the SCA session (unless Mangopay applied an exemption, so no redirection link was returned).USER_NOT_PRESENT– The platform is taking the action under proxy from the user and the user has previously given consent to Mangopay (via the SCA hosted experience) to allow the action.
Enrollment of legacy users
Additionally, you need to integrate the following endpoint to proactively enroll any legacy existing Owner users who have not enrolled in SCA:Webhooks
Because SCA redirection is required on POST Create a Transfer, you must ensure your integration relies on the following webhook event types for the asynchronous outcome of SCA:TRANSFER_NORMAL_CREATEDTRANSFER_NORMAL_FAILEDTRANSFER_NORMAL_SUCCEEDED
SCA_ENROLLMENT_SUCCEEDEDSCA_ENROLLMENT_EXPIREDSCA_ENROLLMENT_FAILED
USER_ACCOUNT_VALIDATION_ASKEDUSER_ACCOUNT_ACTIVATED
Best practice – Start testing in PostmanThe Mangopay API Postman collection contains dedicated folders for SCA-enabled User endpoints, Recipient endpoints, and simulating SCA on transfers and wallet access.See the Postman guide for details on how to fork the collection and set up your environment with your
ClientId and API key.Hosted webpage
Mangopay is introducing SCA across its API through a secure and hosted webpage. On relevant endpoints across Mangopay’s API, the base URL for a user’s session is provided in the response parameterPendingUserAction.RedirectUrl. You are able to define a specific page for the user to be returned to after the session.
For the user, Mangopay’s SCA session provides a user-friendly experience that guides them efficiently through all the necessary steps relating to all required factors.
Mangopay’s hosted SCA session handles both enrollment and authentication.
Note – Add your return URL before redirectionYou must add your
returnUrl before you redirect the user on the RedirectUrl value, otherwise the hosted web page cannot return them upon completion.Factors
Mangopay’s hosted SCA session allows the user to both enroll in SCA and authenticate using the required factors. Read more →| Factor | Required | Type | Description |
|---|---|---|---|
| Trusted device using WebAuthn passkey | No | Possession (of device) and inherence (if biometrics) or knowledge (if password or passcode) | The individual uses the native authentication features (biometrics, password, passcode) of their device that they set up during enrollment. |
| Personal identification number (PIN) | Yes | Knowledge | The individual enters a 6-digit code they defined during enrollment. |
| Phone-based one-time passcode (OTP) | If passkey not used | Possession | The individual receives a 6-digit OTP via SMS to the phone number provided during enrollment. |
Exemptions on actions
The SCA regulations allow Mangopay to apply an exemption to a given instance of an SCA-triggering action. The exemptions that Mangopay can apply depend on the action being authenticated. Enrollment cannot be exempted, because it is necessary to enable SCA to be performed.Note – Exemptions applied by MangopayAs a regulated PSP, Mangopay applies and requests exemptions on behalf of platforms. The exemptions that Mangopay may apply are detailed below.Platforms cannot request specific exemptions in a given situation. Platforms also cannot be exempted from integration of SCA – it is mandatory requirement.
PendingUserAction.RedirectUrl was not returned on an action that is subject to SCA, then Mangopay was able to apply an exemption, and SCA redirection is not required for that instance of the action.
Exemptions available to Mangopay
| Action | Exemptions applicable by Mangopay |
|---|---|
User being assigned OWNER category (creation or categorization) | None, because this represents SCA enrollment |
| Change of SCA contact details | None, because this represents SCA re-enrollment |
| Recipient (bank/payment account) registration | None. Systematic SCA on Recipients enables your users to benefit from an SCA exemption when they request a payout, because the account can be considered a trusted beneficiary. |
Transfer initiation between OWNER users | Two kinds of exemptions may be applied by Mangopay on Owner-initiated transfers to other Owners. Note that for transfers between wallets held by the same Owner, SCA does not apply. An Owner also can’t transfer to a Payer. Low-amount transfers Transactions under €30 may be exempted from SCA until they reach one of the following limits:
Transaction risk analysis (TRA) calculations, done by Mangopay, may be able to exempt SCA on transactions up to €500 (in the absence of detected risks). The regulations apply thresholds of transaction amounts based on Mangopay’s overall fraud rate for transfers and payouts. The data and calculations used will not be shared with platforms. |
| Account access (wallet, transaction history) | Accessing wallet balances and listing transactions may be exempted if the last SCA for either of these actions occurred less than 180 days ago. SCA performed for a different action not related to account access, such as registering a Recipient (bank/payment account) or initiating a transfer, cannot be used to exempt account access. |
Notes on other actions
Payouts
While the payouts are in scope of SCA as per the regulations, Mangopay automatically applies the trusted beneficiary exemption because the Recipient registration was authenticated with SCA. This means thatOWNER users will not be asked to perform SCA on payout requests.
KYC and UBO
Submitting KYC Documents and UBO Declarations for review does not require SCA.FX conversions
Because FX conversions take place between two wallets held by the same user, conversions are not impacted by SCA.Refunds
Refunds of all types are not impacted by SCA. Pay-in and transfer refunds continue to be possible forPAYER users. Furthermore, refunds that use payouts (by citing the reference of the initial transaction as the PAYIN_REFUND reason) continue to be possible for PAYER users, because a Recipient can be created for this purpose (see Recipient scopes - Pay-in).
Disputes
The dispute process is unaffected by Mangopay’s SCA features.Pay-ins
In a pay-in context, aPAYER (or OWNER) is asked to authenticate the transaction by their issuing bank or PSP. This authentication may also be mandated by the same European regulations (PSD2). For example, 3DS on card transactions addresses the requirements of SCA.
On pay-ins, Mangopay enables redirection for users to perform this authentication with third-parties, such as card networks, issuing banks, and payment method providers. In the API, this takes place via the SecureModeRedirectURL (e.g. direct and recurring card pay-ins, preauthorizations, etc.) or other RedirectURL (e.g. on APMs and web card pay-ins) that Mangopay returns in response to the pay-in request.
However, in the pay-in scenario, the issuing bank or PSP of the user is in charge of applying SCA and allowing any exemptions.
Mangopay’s introduction of SCA on OWNER users does not have any impact on pay-in authentication or your existing checkout or payment page integrations.
Connecting to the Mangopay Dashboard
Your platform’s team members use multi-factor authentication (MFA) to log in to the Mangopay Dashboard. This security feature is not changing and will remain in place, and it is entirely separate from the SCA requirements regarding end users of Mangopay’s payment and/or e-money services.Using the Mangopay Dashboard
SCA is applicable to all the SCA-triggering actions that theOWNER user takes, whether via the API or via the Dashboard.
For SCA-triggering actions taken via the Dashboard on behalf of end users, your platform needs to ensure that:
- The legal documentation (e.g. terms and conditions) between your platform and the user includes the proxy under which you take the action on their behalf
- Your platform collects and manages the user’s consent for the action
PAYER to OWNER via the Dashboard, that action uses the legacy PUT Update a User endpoint, and as such it will not trigger SCA, even if the PAYER was created using the new SCA-enabled endpoint. Such a user will still need to enroll as an existing user via the POST Enroll a User endpoint.
Platform user category
TheUserCategory value PLATFORM indicates a specific user approved by Mangopay that represents the platform.
Initially, SCA will not be applied to a User whose UserCategory is PLATFORM.
SCA is applicable to actions taken by these users, however, and Mangopay is defining a suitable solution. This will involve an additional authentication factor (a mTLS certificate) to apply SCA to your platform’s interactions with Mangopay – read more about SCA on your platform →
Your platform’s MFA features
Your platform may already require users to complete multi-factor or two-factor authentication (MFA or 2FA) when they connect to your platform. Any existing MFA features your platform operates cannot be used to substitute or replace Mangopay’s independent SCA onOWNER users. The regulations require Mangopay Account holders to perform SCA with Mangopay directly.