Glossary

Strong Customer Authentication

Strong Customer Authentication (SCA) is a fundamental security requirement introduced under the Revised Payment Services Directive (PSD2) by the European Union to enhance the safety of electronic payments, mitigate fraud, and protect consumers throughout the European Economic Area (EEA). Implemented starting in September 2019, SCA requires that payment service providers (PSPs) authenticate electronic payments using a more stringent set of measures compared to traditional methods.

SCA was introduced in response to the increasing volume of online transactions and the growing prevalence of digital banking. It requires the use of multi-factor authentication (MFA) to validate the identity of a user performing an electronic transaction. This measure aims to establish the trustworthiness of transactions while safeguarding customer data and financial assets.

Components of SCA Authentication

The multi-factor authentication required by SCA must combine at least two elements drawn from the following three categories, and the elements used must come from different categories:

  1. Something the User Knows:
    • This is knowledge that only the customer should be privy to, such as:
      • Password
      • PIN (Personal Identification Number)
      • Answer to a Security Question
  2. Something the User Has:
    • This involves possession of a physical item owned by the customer. Examples include:
      • Smartphone (used for receiving one-time passwords or generating authorization codes)
      • Token (a hardware device used to generate unique codes)
      • Smart Card
  3. Something the User Is:
    • This refers to inherence, or biometric data that is unique to the individual, such as:
      • Fingerprint
      • Facial Recognition
      • Voice Recognition
      • Retina Scan

This combination provides a robust security layer that is much harder for fraudsters to compromise than single-factor authentication methods.

SCA in Practice: How It Works

When a consumer initiates an electronic payment that falls under the scope of SCA, they are required to verify their identity by providing elements from two of the three categories described above. Here's an example of how SCA works in practice:

  • Suppose a customer wants to make an online purchase using their credit card. When proceeding to checkout:
    • The customer enters their card details (something they know).
    • They are then prompted to confirm the payment through a mobile app by either entering a one-time password (OTP) sent to their smartphone or through facial recognition on the app (something they have and something they are).

This layered authentication makes it exceedingly difficult for unauthorized individuals to complete fraudulent transactions.

Transactions Subject to SCA

SCA is required for most electronic payments initiated within the EEA, including:

  • Online Card Payments: To verify the identity of the user before processing payments.
  • Bank Transfers: Especially when initiated through online or mobile banking applications.
  • Access to Payment Accounts: When customers log into online banking, they must be authenticated using SCA.

Exemptions from SCA

While SCA is broadly applicable, there are certain exemptions in place to balance security and user convenience. These exemptions include:

  1. Low-Value Transactions:
    • Payments below €30 may be exempt from SCA. However, if the total cumulative value of consecutive low-value transactions exceeds €100, or if five consecutive low-value payments are made without SCA, then SCA is required again.
  2. Recurring Payments (Merchant-Initiated Transactions):
    • Regular, fixed-amount subscription payments (e.g., streaming subscriptions) may be exempt after the first transaction, which must be authenticated.
  3. Trusted Beneficiaries:
    • Consumers can designate certain recipients or merchants as “trusted beneficiaries,” exempting future payments to these merchants from SCA.
  4. Corporate Payments:
    • Transactions made using corporate cards or through dedicated payment processes (e.g., certain B2B payments) may be exempt.
  5. Low-Risk Transactions (Transaction Risk Analysis):
    • PSPs may assess transaction risk based on various factors such as the transaction value, merchant history, or consumer behavior. For transactions deemed low-risk (based on fraud rates below regulatory thresholds), exemptions from SCA may apply.
  6. Contactless Payments:
    • Payments made using contactless cards may be exempt from SCA for transactions under €50. However, SCA will be required after a cumulative value of €150 or five consecutive payments without SCA.
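The two rules a payment service provider has to encode from the sections above are the two-distinct-categories check and the low-value / contactless exemption counters (per-transaction cap, cumulative cap since the last SCA, five consecutive exempt payments). The following is an added illustration, not code from the glossary or any PSP; the channel names "remote" and "contactless" are mine, and it assumes the current amount counts toward the cumulative cap, which the text does not spell out.

```python
from enum import Enum


class Factor(Enum):
    """The three SCA categories; two elements of the same category are not enough."""
    KNOWLEDGE = "something the user knows"
    POSSESSION = "something the user has"
    INHERENCE = "something the user is"


def satisfies_sca(presented):
    """True when the presented elements span at least two distinct categories,
    e.g. a PIN plus an OTP on the phone. Two passwords do not qualify."""
    return len(set(presented)) >= 2


# Limits as stated in the glossary, in EUR: per-transaction cap, cumulative cap
# since the last SCA, and the number of consecutive exempt payments allowed.
# Channel names are this example's own labels, not regulatory terms.
LIMITS = {
    "remote": (30.0, 100.0, 5),
    "contactless": (50.0, 150.0, 5),
}


def low_value_exempt(channel, amount, cumulative, count):
    """Decide whether this payment may skip SCA under the low-value exemption.

    cumulative and count describe exempt payments since the customer last
    authenticated. Assumption: the current amount is included when testing
    the cumulative cap, so the payment that would push the total over the
    cap is the one that triggers SCA.
    """
    max_amount, max_cumulative, max_count = LIMITS[channel]
    return (amount <= max_amount
            and cumulative + amount <= max_cumulative
            and count < max_count)


def simulate(channel, amounts):
    """Run a sequence of payments on one card and return 'exempt' or 'sca' for
    each. Counters restart whenever SCA is performed, as the exemption is
    measured from the last authenticated payment."""
    cumulative, count, decisions = 0.0, 0, []
    for amount in amounts:
        if low_value_exempt(channel, amount, cumulative, count):
            cumulative += amount
            count += 1
            decisions.append("exempt")
        else:
            cumulative, count = 0.0, 0  # customer authenticates this payment
            decisions.append("sca")
    return decisions
```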

Benefits of SCA

  1. Fraud Reduction:
    • The main benefit of SCA is the substantial reduction in fraud and unauthorized payments. The multi-layered approach significantly decreases the likelihood of someone else accessing or using customer payment data.
  2. Increased Trust:
    • SCA fosters greater consumer trust in digital payments by ensuring that financial transactions are secured. Customers can feel confident that their data and assets are protected during online transactions.
  3. Harmonized Security:
    • SCA brings a uniform approach to securing payments across the EEA, thereby standardizing the security protocols used by payment service providers and ensuring compliance across all countries.

Challenges with SCA Implementation

  1. User Experience:
    • Introducing additional steps in the payment process can cause friction for users, potentially leading to cart abandonment during online shopping. Companies have needed to adapt their authentication flows to maintain a balance between user convenience and security.
  2. Technical Complexity:
    • Payment service providers, banks, and merchants have faced significant challenges in integrating the required technologies, including biometrics, OTP systems, and integration with multi-factor authentication platforms.
  3. Awareness and Adoption:
    • Not all consumers were initially aware of SCA requirements, which sometimes led to confusion or delays when making payments. Educating users on how to authenticate transactions properly has been a key challenge for financial institutions.

SCA and 3D Secure 2.0

3D Secure 2.0 is a technology often used by banks and payment gateways to comply with SCA requirements. It is an upgrade to the original 3D Secure protocol (used by services like Verified by Visa and Mastercard SecureCode) and aims to provide:

  • Seamless Authentication: 3D Secure 2.0 enhances the customer experience by making the authentication process smoother, often incorporating biometric authentication or risk-based verification that happens in the background.
  • Frictionless Flow: If a transaction is deemed low-risk, the customer may not need to perform additional steps, ensuring minimal disruption to the purchase experience.

Impact of SCA on the Industry

  1. E-commerce:
    • Merchants have had to adjust their checkout flows to integrate multi-factor authentication, often collaborating with payment providers to comply with SCA. This added requirement has led some businesses to upgrade their payment solutions to more sophisticated systems that support biometrics and risk-based authentication.
  2. Banks and Financial Institutions:
    • Banks have implemented various forms of SCA to support PSD2 requirements, ranging from the use of OTPs to mobile app-based biometrics. This has often required significant investment in upgrading legacy systems to ensure compliance.
  3. Payment Service Providers (PSPs):
    • PSPs, acting as intermediaries, have played a crucial role in providing SCA-compliant solutions that balance security with user convenience. These solutions often involve flexible integration methods that are designed to reduce friction for customers during checkout.

Future of SCA

The implementation of SCA under PSD2 marks a significant milestone toward improving payment security across Europe. As consumers increasingly migrate to digital and mobile-first experiences, it is likely that the biometric authentication methods supported by SCA (e.g., fingerprints, facial recognition) will become even more prevalent and sophisticated.

Additionally, as payment methods evolve, SCA requirements may be adapted to new technologies, such as digital wallets, tokenization, and blockchain. Ensuring that payment solutions continue to provide both security and convenience will be an ongoing priority for regulators, merchants, and financial institutions.
