You are responsible for performing Strong Customer Authentication (SCA) on your cardholders for every session where they use functionality provided by a Card Issuing SDK. That is, for the following use cases:
Card Management SDKs:
Out-of-Band Authentication SDKs:
This applies to both the sandbox and production environments.