Strong Customer Authentication (SCA): History & Compliance
More than half of all fraudulent card transactions in the Single Euro Payments Area (SEPA), which encompasses 35 European countries, involve online transactions. In 2019, the strong customer authentication, or SCA, requirements were enacted to help protect customers and financial institutions operating within the European Economic Area (EEA) from fraud and financial crime.
A requirement of the European Union Revised Directive on Payment Services (PSD2), SCA requires that electronic payments made through payment service providers in the EEA use multi-factor authentication (MFA), which adds an extra layer of security to payments made electronically or online.
What is strong customer authentication (SCA)?
In an effort to make contactless payments more secure and reduce fraud, strong customer authentication (SCA) was enacted on September 14, 2019, as part of the revised Payment Services Directive (PSD2), for businesses that process payments in Europe. A European regulatory requirement, SCA requires the use of multi-factor authentication (MFA) to make payments more secure by adding further authentication to the checkout flow.
To comply with SCA requirements, merchants are required to ask for at least two of the following elements during checkout of an online transaction:
- Something a customer knows: This is often a password or PIN.
- Something a customer has: This could be a smartphone, software, or hardware token.
- Something a customer is: This typically involves a form of biometrics, such as a fingerprint, retina scan, or facial recognition.
Banks are required to decline transactions that do not meet SCA requirements. The use of more dynamic data points can more accurately verify the identity of a customer.
Prior to the SCA requirements, banks were only able to ask for a static password. SCA uses MFA to make online transactions more secure.
Who is in charge of strong customer authentication?
Strong c