Glossary

Strong Customer Authentication (SCA)

A European regulation requiring two-factor verification for electronic payments, reshaping online checkout experiences across the EU.

Key Takeaways

  • Strong Customer Authentication (SCA) is a PSD2 requirement mandating that electronic payments in the European Economic Area use at least two independent authentication factors from three categories: knowledge, possession, and inherence.
  • Exemptions exist for low-value transactions (under EUR 30), contactless payments (under EUR 50), trusted beneficiaries, recurring payments, and transactions that pass Transaction Risk Analysis thresholds.
  • Implementation via 3D Secure 2 reduced friction compared to older protocols, but SCA enforcement still caused a measurable decline in e-commerce conversion rates across Europe during its initial rollout.

What Is Strong Customer Authentication?

Strong Customer Authentication is a security requirement introduced by the European Union under the revised Payment Services Directive (PSD2). It requires payment service providers to verify the identity of a customer using at least two independent factors before processing an electronic payment. The regulation applies across the European Economic Area and aims to reduce payment fraud in online and contactless transactions.

Article 97 of PSD2 mandates SCA whenever a payer accesses a payment account online, initiates an electronic payment, or performs any remote action that carries a risk of fraud. The technical standards governing implementation are defined in Commission Delegated Regulation (EU) 2018/389, which specifies the authentication factors, exemptions, and reporting requirements that payment service providers must follow.

The regulation reshaped how card-not-present transactions work across Europe. Before SCA, many online card payments required nothing beyond a card number and CVV. After SCA, most transactions need a second verification step: a one-time password, a push notification to a banking app, or a biometric confirmation.

How It Works

SCA requires authentication using at least two of three independent factor categories. The factors must be genuinely independent: compromising one must not weaken the security of the others.

The Three Factor Categories

Category   | Definition                    | Examples
Knowledge  | Something only the user knows | Password, PIN, security question, memorized swipe pattern
Possession | Something only the user has   | Mobile phone, hardware token, smart card, device-bound app with cryptographic key
Inherence  | Something the user is         | Fingerprint, facial recognition, iris scan, voice recognition

A common SCA flow for an online payment combines possession (a smartphone running the bank's app) with inherence (fingerprint scan to approve the transaction). Another approach pairs possession (the phone receiving an SMS one-time password) with knowledge (the customer's PIN).

Dynamic Linking

For remote payment transactions, SCA includes an additional requirement called dynamic linking. The authentication code generated must be specific to the transaction amount and the payee. If either value changes, the code becomes invalid. This prevents attackers from intercepting an authentication code and redirecting it to a different payment.
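As an added illustration of dynamic linking (not code from the original entry or from any issuer's implementation), the following Python sketch generates an authentication code as an HMAC over the amount, the payee and a per-transaction challenge, so that the code verifies only for exactly the transaction it was issued for. The device key, the challenge value and the payee identifiers are constructed for the example.

```python
import hashlib
import hmac
from decimal import Decimal

# Constructed example key, standing in for the secret provisioned to the
# customer's authenticator (for instance a bank app) at enrolment.
DEMO_DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def _linked_message(amount: Decimal, payee: str, challenge: bytes) -> bytes:
    # Fixed-format encoding: the same amount and payee always give the same
    # bytes, and a change to either changes them.
    return b"|".join([f"{amount:.2f}".encode("ascii"),
                      payee.encode("utf-8"),
                      challenge.hex().encode("ascii")])


def generate_auth_code(key: bytes, amount: Decimal, payee: str, challenge: bytes) -> str:
    """Authenticator side: 8-digit code bound to this amount and payee.

    The MAC covers the transaction details, so the code is valid only for
    exactly this amount and payee (dynamic linking). The challenge is a
    fresh per-transaction value from the issuer, so an old code cannot be
    replayed for a later transaction with the same details.
    """
    mac = hmac.new(key, _linked_message(amount, payee, challenge), hashlib.sha256).digest()
    # HOTP-style dynamic truncation to a number a person can read back.
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10**8:08d}"


def verify_auth_code(key: bytes, amount: Decimal, payee: str, challenge: bytes, code: str) -> bool:
    """Issuer side: recompute the code for the transaction actually being
    authorised and compare in constant time."""
    return hmac.compare_digest(generate_auth_code(key, amount, payee, challenge), code)


def demo() -> tuple:
    challenge = bytes.fromhex("0badc0de0badc0de")  # constructed; issuers use a random value
    amount, payee = Decimal("49.99"), "MERCHANT-EXAMPLE-A"  # constructed payee identifier
    code = generate_auth_code(DEMO_DEVICE_KEY, amount, payee, challenge)
    genuine = verify_auth_code(DEMO_DEVICE_KEY, amount, payee, challenge, code)
    # The same code presented against a different amount or payee is rejected.
    changed_amount = verify_auth_code(DEMO_DEVICE_KEY, Decimal("499.99"), payee, challenge, code)
    changed_payee = verify_auth_code(DEMO_DEVICE_KEY, amount, "MERCHANT-EXAMPLE-B", challenge, code)
    return genuine, changed_amount, changed_payee
```

Real deployments bind the code to the exact details the customer is shown on the authenticator, which is why a displayed amount or payee that differs from what the merchant submits is itself a red flag.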

Implementation via 3D Secure 2

The primary protocol for implementing SCA on card payments is 3D Secure 2 (3DS2), developed by EMVCo. Unlike the original 3D Secure protocol (which relied on clunky pop-up redirects and static passwords), 3DS2 shares over 150 data fields between the merchant and the issuing bank. This rich data enables a frictionless authentication flow where the issuer can verify the cardholder silently, without any user interaction, when the risk is deemed low.

When the issuer cannot verify the cardholder from data alone, a challenge flow is triggered. Modern challenges use biometric verification via the bank's mobile app, one-time passwords sent by SMS, or passkey-based authentication. These flows complete in under five seconds on average, compared to 45 to 60 seconds for the original 3D Secure protocol.

SCA Exemptions

Not every transaction requires SCA. The regulation defines several exemptions designed to balance security with usability. Payment service providers and merchants can request these exemptions, but the issuing bank ultimately decides whether to grant them.

Low-Value Transactions

Remote electronic payments under EUR 30 are exempt from SCA. However, SCA is triggered when the cumulative value of exempt transactions exceeds EUR 100 or the number of consecutive exempt transactions exceeds five. For contactless payments at physical terminals, the individual threshold is EUR 50 with a cumulative cap of EUR 150 or five consecutive transactions.

Trusted Beneficiaries

Payers can maintain a whitelist of trusted payees with their bank. SCA is required when adding or modifying the list, but subsequent payments to whitelisted beneficiaries are exempt. This is useful for repeat purchases from the same merchant.

Recurring Payments

SCA is required on the first payment of a recurring series. Subsequent payments are exempt as long as the amount and payee remain identical, for example a fixed-amount subscription to the same merchant. Variable-amount subscriptions do not qualify and are typically handled as merchant-initiated transactions, which fall outside SCA scope entirely.

Transaction Risk Analysis (TRA)

Payment service providers can exempt transactions from SCA based on real-time risk analysis, provided their fraud rates remain below regulatory thresholds:

Transaction Value (up to) | Maximum Allowed Fraud Rate
EUR 100                   | 0.13%
EUR 250                   | 0.06%
EUR 500                   | 0.01%

Transactions above EUR 500 can never be exempted via TRA. Providers must deploy fraud detection systems that incorporate behavioral analysis, device fingerprinting, and known fraud pattern recognition. Fraud rates are reported quarterly, and an external audit of the methodology is required at least every three years.
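To show how the low-value velocity counters, the trusted-beneficiary exemption and the TRA fraud-rate bands described above combine into one issuer-side decision, here is an added Python example (not code from the original entry or from any payment provider). The `PayerState` counters, the `decide` function and its reason strings are constructed for the example; the thresholds are the ones stated on this page.

```python
from dataclasses import dataclass
from decimal import Decimal

# Thresholds as stated in this entry (Commission Delegated Regulation (EU) 2018/389).
LOW_VALUE_REMOTE_LIMIT = Decimal("30")  # RTS wording: amount "does not exceed" EUR 30
LOW_VALUE_CUMULATIVE_LIMIT = Decimal("100")
LOW_VALUE_MAX_CONSECUTIVE = 5
# TRA bands: (transaction value up to, maximum fraud rate the PSP may have).
TRA_BANDS = [(Decimal("100"), Decimal("0.0013")),
             (Decimal("250"), Decimal("0.0006")),
             (Decimal("500"), Decimal("0.0001"))]


@dataclass
class PayerState:
    """Velocity counters the issuer keeps per payer since the last SCA (constructed)."""
    exempt_total: Decimal = Decimal("0")
    exempt_count: int = 0


def tra_exemption_allowed(amount: Decimal, psp_fraud_rate: Decimal) -> bool:
    """TRA is available only in the lowest band the amount fits, and only if the
    provider's reported fraud rate is within that band's ceiling."""
    for limit, max_rate in TRA_BANDS:
        if amount <= limit:
            return psp_fraud_rate <= max_rate
    return False  # above EUR 500 TRA can never be used


def decide(amount: Decimal, state: PayerState, psp_fraud_rate: Decimal,
           low_risk: bool, trusted_payee: bool = False) -> str:
    """Return the exemption applied, or 'sca_required'. Mutates state."""
    if trusted_payee:
        reason = "exempt:trusted_beneficiary"
    elif (amount <= LOW_VALUE_REMOTE_LIMIT
          and state.exempt_total + amount <= LOW_VALUE_CUMULATIVE_LIMIT
          and state.exempt_count < LOW_VALUE_MAX_CONSECUTIVE):
        reason = "exempt:low_value"
    elif low_risk and tra_exemption_allowed(amount, psp_fraud_rate):
        reason = "exempt:tra"
    else:
        # SCA is applied: the low-value velocity counters start again.
        state.exempt_total = Decimal("0")
        state.exempt_count = 0
        return "sca_required"
    state.exempt_total += amount
    state.exempt_count += 1
    return reason
```

Note that a merchant can only request an exemption; the issuer runs logic like this on its own counters and its own risk score, which is why the same request can be accepted by one issuer and challenged by another.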

Other Exemptions

  • Transfers between accounts held by the same person at the same institution
  • Secure corporate payment processes using dedicated protocols exclusively for non-consumer payers
  • Mail order and telephone order (MOTO) transactions, which fall outside PSD2 scope entirely since they are not electronic

Implementation Timeline

SCA's rollout was notably uneven across Europe. PSD2 was adopted in October 2015 and entered into force in January 2016. Member states had until January 2018 to transpose it into national law. The original SCA enforcement date was September 14, 2019, but the European Banking Authority acknowledged that many payment providers were unprepared and extended the deadline to December 31, 2020 for e-commerce card payments.

Even after that deadline, enforcement remained fragmented. The Netherlands began enforcement in January 2021. France, Germany, Italy, and Spain rolled out compliance in phases during early 2021. The UK, which had left the EU but retained PSD2 in domestic law, granted the longest extension: the Financial Conduct Authority pushed the deadline to March 14, 2022.

Impact on E-Commerce

SCA's introduction had a measurable impact on online payment conversion rates. A 2019 study commissioned by Stripe projected EUR 57 billion in lost economic activity across Europe in the first year of enforcement. Research from CMSPI estimated that EU-wide SCA failure rates averaged 35% in August 2020, declining to 26% by August 2021 as implementations matured.

The impact varied by country. Italy experienced failure rates as high as 50% during early enforcement. Belgium reported 41% failure rates in August 2021. An estimated 20% of failed transactions were false declines: legitimate payments rejected by overly cautious fraud models, representing roughly EUR 20 billion in lost retail sales annually.

Over time, the shift to 3DS2 frictionless flows significantly improved the situation. Modern implementations route 90 to 95% of transactions through silent authentication with no user interaction required. Merchants that strategically apply TRA exemptions and optimize their data sharing with issuers have recovered most of the conversion loss. For a deeper look at how fraud prevention systems balance security and user experience, see the fraud prevention in digital payments research article.

SCA and Cryptocurrency

Self-custodial Bitcoin transactions are not subject to SCA. The regulation applies to payment service providers operating within PSD2's scope, and Bitcoin, as an unbacked crypto-asset, falls outside that framework. The European Banking Authority has clarified that exchanges of crypto-assets for funds or other crypto-assets are not payment services under PSD2.

However, there is a notable exception: stablecoins classified as e-money tokens under MiCA are treated as payment instruments. Custody and transfer of these tokens on behalf of customers is a payment service, meaning SCA requirements apply to custodial wallets holding regulated stablecoins.

From a technical standpoint, Bitcoin's cryptographic signing model mirrors the spirit of SCA. A hardware wallet satisfies the possession factor (a device storing the private key). A PIN or passphrase to unlock the wallet satisfies knowledge. Biometric authentication on the signing device satisfies inherence. Transaction signing also inherently provides dynamic linking: the signature is mathematically bound to the specific amount and recipient address. The difference is architectural: SCA relies on a regulated intermediary to enforce compliance, while Bitcoin's security is enforced by the protocol itself and the user's own key management. For more on how open banking and crypto rails are converging, see the global state of open banking research article.

PSD3 and the Future of SCA

The European Commission published proposals for PSD3 and the Payment Services Regulation (PSR) in June 2023. A provisional political agreement was reached in November 2025, with formal publication expected in mid-2026 and application 18 to 21 months later.

Key changes to SCA under PSD3 and PSR include:

  • Expanded SCA triggers covering tokenized payment instrument creation, spending limit changes, and contact detail modifications
  • Delegated authentication: merchants, payment gateways, and digital wallet providers can perform SCA on behalf of the issuing bank, subject to due diligence and audit requirements
  • Mandatory IBAN and name verification before processing credit transfers, with discrepancies requiring refusal and payer notification
  • Full reimbursement requirements for authorized push payment (APP) fraud, shifting liability toward payment service providers
  • Multiple SCA methods required to be offered free of charge, addressing accessibility concerns for users who cannot use certain authentication factors

The shift from a directive (PSD2) to a regulation (PSR) means the new rules will apply directly across all EU member states without requiring national transposition, creating more uniform enforcement. For a broader view of how payment regulations are evolving globally, see the stablecoin regulation frameworks article.

Risks and Considerations

Conversion and Abandonment

Despite improvements in 3DS2 frictionless flows, the additional authentication step still introduces friction. Challenge flows reduce conversion by 10 to 18% on average. Merchants operating across borders face varying issuer behavior: French issuers challenge transactions at roughly double the rate of the rest of the EEA, while UK issuers accept exemption requests at rates 10 percentage points higher than EEA counterparts.

Uneven Enforcement

SCA enforcement varies significantly by country. Differences in how national regulators interpret exemptions, supervise compliance, and handle edge cases create an uneven playing field for merchants operating across the EEA. The move to PSR aims to address this by eliminating the need for national transposition.

False Declines

Overly aggressive fraud models can reject legitimate transactions. False declines damage customer relationships and drive revenue to competitors: research suggests 52% of shoppers whose transactions fail complete the purchase elsewhere. Transaction monitoring systems must balance fraud prevention with approval rates, and the velocity check thresholds built into SCA exemptions add another layer of complexity for merchants to manage.

Accessibility

Not all customers can use every authentication method. Biometric systems may fail for users with certain disabilities. SMS-based one-time passwords assume mobile phone access. PSD3 addresses this by requiring payment service providers to offer multiple SCA methods free of charge, but until those rules take effect, accessibility gaps remain.

This glossary entry is for informational purposes only and does not constitute financial or investment advice. Always do your own research before using any protocol or technology.