Skip to main content
This FAQ is provided as a complement to the rest of this SCA documentation and our email communications. If your query is not addressed below or in the docs, please get in touch with our teams via the Dashboard.

Is the phone number mandatory for us? How should we handle existing phone number data?

A phone number is not mandatory for SCA if the individual chooses to set up the passkey factor. For the logic of how the factors are presented, see factor orchestration. Your end user can provide their phone number when they are redirected to the Mangopay-hosted webpage to enroll in SCA. If you wish, you can provide it via the API to pre-populate the field in on the page (read more).

If a user’s phone number is associated with another account, will they be blocked or prevented from enrolling in SCA?

No. Our system is designed to efficiently manage phone number associations.

If a user refreshes the hosted webpage or doesn’t receive the SMS, can it be resent?

Yes. If the user refreshes the page, or closes and re-opens the same link, they will remain on the OTP verification screen. The feature is designed to give users control over when they receive an OTP, ensuring that the process is transparent and efficient for them.

If a KYC/KYB document is refused due to data mismatch, can we modify the data on behalf of our users or do we need to contact them?

Only modifications to phone number and email require validation through SCA by the end user. SCA has no impact on the existing KYC processes surrounding documents or the downgrade mechanism.

Can we delay enrollment if we create the user when they are not present on our website or app?

No, it is generally not possible to delay SCA enrollment when the OWNER is created (or categorized as such). Account creation is not an action that triggers SCA, but SCA enrollment must ordinarily be completed at the moment of account creation. However, upon request in certain cases, Mangopay may allow account creation without simultaneous SCA enrollment. This possibility is considered on a case-by-case basis following a risk analysis. In such cases, it is essential that your platform ensures that users complete their SCA enrollment using the dedicated POST Enroll a User endpoint as soon as possible after account creation, and that you platform implements best practices to ensure that they do (such as periodic reminders). Following the rollout of SCA for Soletraders, Mangopay is proceeding with the application of SCA to the other Legal User types: Business, Organization, and Partnership. For SCA on Legal Users:
  • A single individual can complete SCA for a Legal User
  • The individual’s email and phone number must be registered as the Legal User’s
    • LegalRepresentative.Email
    • LegalRepresentative.PhoneNumber
    • LegalRepresentative.PhoneNumberCountry
The declared individual will be required to enroll in SCA and authenticate SCA-triggering actions. Your legal user may wish to update the data above for the person who will perform SCA on behalf of the entity. For more details, see the section on legal user integration

We already have SCA or MFA on our website or app. Can we use our existing feature and send validation to Mangopay through the API?

No. Applicable regulations require Mangopay to perform SCA directly with users that have a Mangopay account.

What are the specific actions that require SCA?

SCA has an impact on OWNER users at certain moments of their activity with Mangopay. Your platform must change its implementation as a result (see integration required for SCA). Prior to being able to authenticate actions, the user must:
  • Enroll at Mangopay Account creation (when a user is assigned the OWNER UserCategory)
  • Re-enroll if their contact details change (Email, PhoneNumber)
The actions taken by OWNER users that require SCA to be performed are:
  • Bank account registration (by OWNER users for use with payouts)
  • Transfer initiation (between two OWNER users)
  • Mangopay Account access by OWNER users to view wallet balance or list transactions
For more details, see the guides.

What should we expect regarding SCA for transfers between Mangopay wallets?

Only transfers initiated directly by your Owner users require SCA to be performed by the user. Automated or programmed transfers for technical purposes in workflows may be able to continue as before provided that the user consents and that a proxy is in place in your platform’s legal documentation with the user. For more details, see the proxy management guide. For more details on user-initiated transfers, see the transfers guide.

For SCA-applicable actions not taken by the user, but rather as part of automated workflows, will SCA be required?

For existing integrations, platforms were able to identify actions not taken by the user thanks to the USER_NOT_PRESENT value of the ScaContext parameter. Mangopay has released features to manage:
  • The proxy under which your platform takes such actions (e.g. in your terms and conditions)
  • The user’s consent, which must be declared to Mangopay via the hosted SCA session
Integration of this proxy management feature, including user consent, is mandatory to continue using the USER_NOT_PRESENT value for ScaContext, otherwise actions will fail. For transfers and wallet access requests, the default value of ScaContext is changing to USER_PRESENT on Dec 15, 2025.

What happens if we perform actions on behalf of users, without their direct involvement?

The USER_NOT_PRESENT value for ScaContext allowed platforms to identify actions where SCA redirection was not immediately required. The use of this feature in cases where your platform takes SCA-triggering actions on behalf of users requires the integration of Mangopay’s proxy management feature and the user’s consent (managed via the hosted SCA experience). The use of USER_NOT_PRESENT without the user’s consent will return an error. In these cases, your platform must either obtain the user’s consent or send the USER_PRESENT value and redirect the user to the SCA session to perform SCA.

When will SCA be triggered for our existing users, and how will it work?

For existing users, Mangopay’s features allow your platform to enroll them at a convenient point in their journey using the dedicated POST Enroll a User endpoint. SCA is be applied when the user takes an action requiring SCA. For more details, see existing user integration.

Will the legacy user endpoints be maintained? How long for until deprecated?

All platforms must integrate the SCA-enabled user endpoints for all user types. The legacy ones should be considered deprecated already as they are redundant. Mangopay plans to decommission these endpoints at the end of 2025 to make them no longer available.

Will the legacy bank account endpoints be deprecated?

Yes, the bank account feature will also be removed in mid-2026. Mangopay’s Recipients feature which completely replaces bank accounts. Once Recipients is live in Production, the bank accounts endpoints should no longer be used. The Bank Account endpoints will made unavailable in mid-2026.

Will we have to re-register bank accounts as Recipients?

No. You can continue using existing bank accounts (BankAccountId) for payouts. All active legacy bank accounts are available via the GET View a Recipient endpoint, by using the BankAccountId value as the RecipientId path parameter.

Can we do SCA with the user later if it’s triggered by an action initiated on their behalf?

No, the SCA session starts immediately when the action is triggered. The user has 10 minutes to complete the authentication on the hosted webpage before the session expires.

Will users be restricted if a user is not enrolled in SCA?

Initially, existing users are not restricted by the introduction of SCA. Existing users, who already have ACTIVE as their UserStatus, will not be restricted or transitioned to PENDING_USER_ACTION if you attempt to enroll them using POST Enroll a User and the SCA session is not successful. On Recipients, Transfers, and Account Access they will also not be restricted (their status remains ACTIVE), but the relevant action will not succeed. In this case, you need to retry the Recipient creation or Transfer to allow the user to complete SCA successfully. Mangopay may be required to start introducing consequences on users if they haven’t enrolled in SCA, but this will be done with sufficient notice to platforms. You will also be informed of the consequences of non-enrollment, which may include removing certain permissions, blocking the account, reverting the category to PAYER, or closing the account. Mangopay’s objective is to protect your users when they benefit from our services, via an authentication solution that is easy for your platform to adopt in its integration. We remain committed to maintaining the highest standards of security and compliance. See the guide section on existing user integration

If a user completes SCA enrollment and then registers a new Recipient (external account), will they need to authenticate again?

Yes. The user must perform SCA on each Recipient creation action. This systematic approach allows Mangopay to use the trusted beneficiary SCA exemption for payouts.

Is SCA implementation compulsory for us?

Yes, it is a regulatory obligation imposed by the PSD2 directive with the purpose of protecting you and your users against fraud and abuse. As a payment service provider (PSP), it’s our role to protect your users from credential attacks and account takeovers by verifying their identities and ensuring the legitimacy of their actions.

What happens if we don’t integrate the new endpoints? What are the consequences for us?

Implementation of SCA is mandatory. Failure to integrate the new endpoints exposes your users to fraud and abuse and would prevent us from providing payments services to them, as outlined in our terms and conditions.

Can we get an extension to the deadline?

No. SCA is a regulatory requirement for Mangopay Account holders. We will require you to undertake the integrations outline in our documentation and by the dates communicated. If you have any concerns about the deadline or integration timelines, please contact our teams via the Dashboard.

Do we need to sign a contract amendment?

No, you will not be required to sign any contract amendment – our existing contract remains in effect.

We have a Merchant Agreement. How will SCA impact us?

For platforms operating under a Merchant Agreement, SCA will be integrated as part of our ongoing commitment to regulatory compliance. While implementing SCA is mandatory, we are dedicated to supporting you through the transition and ensuring a smooth experience. Detailed guidance on the specific impacts will be provided shortly.

We use the Mirakl Connector. How will SCA impact us?

Mangopay is improving its Mirakl Connector to enable SCA during the vendor onboarding process. We will communicate changes required in due time. Until then, no action is required for SCA.

We use the WordPress plugin. How will SCA impact us?

As per Mangopay’s email of June 2025, Mangopay is deprecating the Mangopay WordPress plugin. It will be decommissioned and removed from WordPress once there are no further users. To continue using Mangopay’s services, platforms using the plugin need to integrate their website directly, which requires development resources and data hosting on the platform’s side. Mangopay provides solutions to simplify integration for developers. Please see the rest of this documentation for guides on our SDKs, enabling access to our API in a range of popular languages, as well as our Checkout SDK to power your website’s payment page. If you are using the WordPress plugin, please contact Mangopay as soon as possible via the Dashboard.

We have a specific workflow. Can we get an exemption?

Mangopay has released features to manage:
  • The proxy under which your platform takes such actions (e.g. in your terms and conditions)
  • The user’s consent, which must be declared to Mangopay via the hosted SCA session
Mangopay’s feature for proxy management and user consent addresses workflows where platforms wish to take action on behalf of their users under the proxy (or mandate) that is in place in their legal documentation (e.g. terms and conditions). If you believe your platform’s workflow cannot be addressed by this feature, please contact Mangopay via the Dashboard.

What should we say to our end users or customers who are asking us why we’re requiring them to perform SCA?

You can convey to your end users that their security is being strengthened through the implementation of strong customer authentication (SCA) on your platform as per regulatory requirements. This enhanced security measure provides additional protection against account takeovers resulting from phishing attempts, credential attacks, and personal data breaches. By adopting SCA, you are not only prioritizing their safety but also ensuring compliance with the latest regulatory standards. You can assure your end users that you and Mangopay remain committed to delivering a secure and seamless experience.