Strong Customer Authentication (SCA): History & Compliance

More than half of all fraudulent card transactions in the Single Euro Payments Area (SEPA), which encompasses 35 European countries, involve online transactions. In 2019, the strong customer authentication, or SCA, requirements were enacted to help protect customers and financial institutions operating within the European Economic Area (EEA) from fraud and financial crime.

A requirement of the European Union's Revised Directive on Payment Services (PSD2), SCA requires that electronic payments made through payment service providers in the EEA use multi-factor authentication (MFA), adding an extra layer of security to payments made electronically or online.

What is strong customer authentication (SCA)?

In an effort to make contactless payments more secure and reduce fraud, SCA (strong customer authentication) was enacted as part of the revised Payment Services Directive (PSD2) on September 14, 2019, for businesses that process payments in Europe. A European regulatory requirement, SCA mandates the use of MFA (multi-factor authentication) to make payments more secure by adding an additional authentication step to the checkout flow.

To comply with SCA requirements, merchants are required to ask for at least two of the following elements during checkout of an online transaction:

  • Something a customer knows: This is often a password or PIN.
  • Something a customer has: This could be a smartphone, a software token, or a hardware token.
  • Something a customer is: This typically involves a form of biometrics, such as a fingerprint, a retina scan, or facial recognition.

Banks are required to decline transactions that do not meet SCA requirements. Using more dynamic data points (rather than a single static secret) lets the issuer verify the identity of a customer more accurately.

Prior to the SCA requirements, banks were only able to ask for a static password. SCA uses MFA to make online transactions more secure.
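The "at least two elements" rule above is only satisfied when the elements come from two different categories: a password plus a PIN is still just one factor (knowledge). The following check, added here as an illustration and not code from the page, encodes that rule; the method names and their category mapping are constructed for the example.

```python
from enum import Enum


class Factor(Enum):
    """The three SCA factor categories named in PSD2."""
    KNOWLEDGE = "knowledge"    # something the customer knows
    POSSESSION = "possession"  # something the customer has
    INHERENCE = "inherence"    # something the customer is


# Constructed mapping of authentication methods to their factor category.
# The method labels are illustrative, not taken from any standard.
FACTOR_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "otp_app": Factor.POSSESSION,        # code generated on a registered device
    "sms_otp": Factor.POSSESSION,        # code delivered to a registered phone
    "hardware_token": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "face": Factor.INHERENCE,
}


def sca_satisfied(verified_methods):
    """Return (ok, reason) for a list of methods the customer has already
    passed. ok is True only when the methods span at least two *distinct*
    factor categories; two methods from one category are not enough."""
    categories = set()
    for method in verified_methods:
        category = FACTOR_CATEGORY.get(method)
        if category is None:
            # An unrecognised method cannot be counted toward any category.
            return False, f"unknown authentication method: {method}"
        categories.add(category)
    if len(categories) >= 2:
        return True, "ok: " + ", ".join(sorted(c.value for c in categories))
    return False, f"need two distinct factor categories, got {len(categories)}"


def issuer_decision(verified_methods):
    """Model the issuer's obligation: decline anything that fails SCA."""
    ok, _ = sca_satisfied(verified_methods)
    return "approve" if ok else "decline"


if __name__ == "__main__":
    for methods in (["password", "sms_otp"], ["password", "pin"], ["fingerprint"]):
        print(methods, sca_satisfied(methods), issuer_decision(methods))
```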

Who is in charge of strong customer authentication?

Strong customer authentication is enforced by the European Banking Authority (EBA) within the EU (European Union). In the UK, it is governed by the Financial Conduct Authority (FCA). 

Banks and financial institutions, not merchants, are the parties required to comply with the PSD2 SCA regulations and to maintain SCA compliance. If they do not decline non-compliant transactions, they risk violating the law in their country.

The method of implementation for SCA regulations during these transactions can depend on the type of transaction. Online debit and credit card transactions often rely on 3D Secure 1 (3DS1) or the more secure 3D Secure 2 (3DS2). Local payment methods and e-wallets often use their own specific SCA-compliant authentication methods.

With 3DS2, which is supported by most European credit and debit card companies, the customer's bank adds an extra authentication step after checkout. This commonly takes the form of a one-time code sent to the customer's smartphone or fingerprint authentication within their mobile banking app. Digital wallets and international e-wallets, such as Apple Pay