
This is one of the concerns we have with SCA. By the nature of the additional authentication steps, they are necessarily hosted off-site in some situations.

Is this a necessity though? Couldn't they just enter the 2FA code in the same manner that they enter their card details on the merchant site? i.e. After entering their card details, it will just prompt them for more info if necessary.




I’m not sure exactly what PSD2 requires in this respect without checking it again, but in practice I think all of the major schemes for card payments that actually exist do work that way, so it’s probably beyond the ability of any service like Stripe to avoid at the moment.



