A Comprehensive Guide to Strong Customer Authentication and PSD2 Compliance

SCA- Wallester

The volume of e-commerce businesses and mobile banking is skyrocketing, as is the risk of online payment fraud. A recent survey found that 1 in every 4 Europeans with internet shopped online at least once a week in 2016. In the same year,approximately €309 million was lost to credit card fraud in online transactions. This compares to just €13.6m in 1998. With this in mind, the European Parliament enacted the Strong Customer Authentication (SCA) under the Revised Payment Services Directive (PSD2) to create a safer environment for consumers to process online payments.

If you reside in the EU and have made an online payment, SCA would have affected you. The SCA regulation has revolutionized the payment process, from entering a code sent to your smartphone to scanning a fingerprint to confirm an online transaction. In this guide, we break it down for you to better understand what SCA is, how it works, and what it means for your business.

The background to PSD2 and SCA

A few years ago, the European Central Bank rolled out a detailed set of directives that would significantly affect online payments. It announced that a new system that provided Strong Customer Authentication (SCA) under the PSD2 would be adopted to enhance security. The SCA was introduced to strengthen consumer protection, increase legal certainty and promote fintech innovations.

Fundamentally, the SCA was enacted on September 14th, 2019, and all e-commerce businesses were required to implement it in their online transactions. Nonetheless, several countries requested an extension, and the European Banking Authority granted a migration period. A final implementation deadline was set on January 1st 2021, for all countries in the EU. In the UK, the SCA directive was implemented on March 14th, 2022, following a delay by the FCA, which wanted to allow companies more time to adjust their payment processes accordingly.

What is Strong Customer Authentication?

Strong Customer Authentication (SCA) is a regulation under the Revised Payment Services Directives (PSD2) focused on reducing fraud and securing online payments. It provides that consumers must verify their identity before exchanging their payment information between a financial institution and a third-party provider (TPP). In practice, the SCA requires two-factor authentication whenever you access your online accounts, authorize online payments or involve third parties in service provision.

3D Secure 2 is a term connected to SCA and refers to the method used by payment service providers to authenticate online payments. This protocol protects both online retailers and customers when processing electronic transactions. Typically, a 3D Secure 2 transaction redirects the cardholder to the issuing bank’s website to validate the payment. As part of the SCA directive, payment service providers must adopt the necessary adjustments to implement the 3DS2 protocol.

SCA compliance has several benefits to businesses, including reduced instances of financial fraud, increased levels of customer trust, and standardization throughout the market, resulting in better user experience.

When is Strong Customer Authentication Required?

SCA compliance is mandatory for online European payments, where the merchant and consumer have European banks. Other regions, like India and Monaco, have also introduced this requirement. SCA mainly affects card payments and bank transfers because they are instant and often initiated by the end customer. Notably, this directive applies when a consumer initiates an online payment, accesses their online payment account, or carries out any remote command that may imply a risk on payments. It is essential because electronic payments are instant, creating financial fraud risk. A recent study found that SCA has helped stop over 2,000 cases of online fraud per month.

For recurring online payments of the same amount that the end customer initiates, the SCA directive only applies to the first payment. Nonetheless, if the amount changes, then SCA applies. Similarly, the SCA typically applies for the initial payment in a series of recurring payments for merchant-initiated transactions. If the same merchant initiates the subsequent payments, the directive will not apply as long as the charged amounts are within the reasonable expectation of the end customer. This implies that e-commerce, SaaS, and membership businesses must focus on implementing SCA to improve the security of the customer’s online transactions and reduce payment fraud.

How does Strong Customer Authentication Work in Practice?

Generally, SCA impacts ‘two-leg transactions” in the European Economic Area (EEA) or within the European Union, where the consumer and the merchant’s bank are both located in Europe. Some European banks must also apply SCA for “one-leg out transactions,” where the customer is within the EU, and the merchant is not.

SCA is a two-factor authentication that verifies the end customer’s identity. Successful identity verification must satisfy two of the following factors:

  • Knowledge: something the customer knows, such as a passphrase or pin.
  • Possession: something that belongs to the customer, such as a wearable or smart card.
  • Inherence: something the customer “is,” referring to biometrics such as facial recognition or fingerprint.

According to the SCA directive, the two factors should be chosen from different categories to ensure that a breach of one does not affect the validity of the other. For example, anyone who gets a hold of a customer’s phone cannot access any payment information without their passcode or biometrics. A successful SCA authentication should generate a code that allows a customer to make online payments securely. However, if two of the authentication factors are not fulfilled, the payment will not go through.  This form of verification securely protects customer data and prevents any breach.

What Does This Mean for Businesses?

Generally, your customers may need to provide two-factor authentication to complete an online transaction with you. This SCA requirement applies to face-to-face payments and e-payments in the UK and the EEA. If your customer does not fulfill the two-factor verification, their payment will be declined. Importantly, you need to ensure that your payment service provider switches on the technology required to ensure SCA compliance.

Face-to-Face Payments

Essentially, Chip and PIN transactions are SCA compliant. Nonetheless, your customer may be prompted to input their PIN when making contactless payments. In this regard, you should update your payment terminal to ensure that it supports these security requirements. You can always consult your business bank to ensure everything is in order.

Online Payments

As an online retailer, your customers may be prompted to validate their identity with two factors at the checkout. In this case, the 3DS2 technology will give your buyers a seamless experience as they check out their purchases. It works best on mobile devices. Generally, this technology removes friction from the purchase process by eliminating the likelihood that your customer may require any additional steps. Not to mention, your bank or checkout provider may help you filter the e-commerce transactions that are exempt from the SCA directive.

What does this mean for Issuers and Acquirers?

Issuers and acquirers are responsible for ensuring SCA compliance by adopting the necessary solutions and providing optimal user experience. They can also make use of the Transaction Risk Analysis (TRA) exemption by maintaining a fraud rate that is in line with PSD2 regulations. Typically, smaller transactions worth several hundred euros or pounds could be exempt in cases where the merchant acquirer has maintained a consistently low fraud rate. Other e-payments exempt from SCA guidelines include:

Low-risk Transactions

Notably, transactions are categorized as low-risk depending on the average fraud level of the payment provided and the bank processing the payment. The fraud rates should not go over the following thresholds:

  • 0.06% to exempt payments under €250.
  • 0.01% to exempt payments under €500.
  • 0.13% to exempt payments under €100

Where relevant, these thresholds are usually converted to the equivalent local amounts.

Payments below €30

Payments under €30 are considered “low-value” and may be exempt from SCA. Nonetheless, SCA will be needed if the consumer makes five or more payments above €30 or when the summation of the previous exemptions surpasses €100. In this case, the cardholder’s bank tracks such occurrences and determines whether verification is necessary.

Fixed amount Subscriptions

For subscriptions, SCA is only compulsory for the first payment. However, if the subscription amount changes, it will be required for each change.

Merchant initiated Transactions

Merchant-initiated transactions are categorized as out of the scope of SCA requirements, and therefore no exemption is required. These transactions refer to payments initiated by a retailer based on an agreement that they have in place with the customer, allowing the merchant to initiate the payment on their behalf. In practice, they ensure convenient management of regular payments to a merchant, where the amount changes each time- such as mobile bills, retained professional services, and utility bills. Notably, the customer’s payment service provider must authenticate the card when it is saved by the customer or upon the first payment.

Trusted beneficiaries

Customers can approve their trusted merchants to their white list. This exempts authentication of future purchases from these merchants. However, some aspects must be factored in. First, the cardholder needs to be aware that they can provide this permission and be comfortable doing so. Secondly, the payment service provider or the bank must have a way of retaining these permissions and activating them. 3DS2 supports whitelisting of merchants.

Phone Sales

Card payments made over the phone, where the consumer provided the card information, are also exempt from SCA. This form of payment is sometimes identified as “orders by mail” and must be reported to the issuing bank so that they can decide whether to accept or decline the transaction.

Corporate Payments

A payment is exempt from SCA in cases where a corporate card has been used. For instance, booking travel arrangements or buying stationery. According to Article 17 of the RTS, SCA is not required for corporate payments if the following conditions are met:

  • Dedicated payment protocols are used.
  • The dedicated protocols are only available to payers who are not consumers
  • The dedicated protocols are considered sufficiently secure by the competent national authorities.

Protect yourself from Fraud

The SCA guidelines protect your money from fraudsters. With the new authentication process, your issuing bank or payment service provider can confirm that it’s really you making the payment. SCA impacts your online payments as well as access to your online accounts. Therefore, your payment services provider should ensure that you are up to date with any changes to the way you are authenticated.

To protect yourself from scams and fraudsters, you should never share your credit card or bank account details with any third parties, unless you are confident of who you are engaging with. You should contact your bank or the payment service provided immediately if you suspect that an unauthorized party has accessed your payment details.

How Wallester helps you meet strong Customer Authentication Requirements?

The new rules have drastically changed how customers authenticate their identity when making electronic payments. With the enforced deadline already passed, some businesses fail to satisfy the SCA guidelines successfully. At Wallester, we believe that security should not interfere with user experiences. Therefore, our dynamic team will help you meet regulatory compliance effortlessly based on your customer’s distinct needs. With our solutions, you can ensure safe transaction confirmation with 3D Secure 2.0 and dynamic linking PSD2 compliance. All cards issued on the Wallester platform support 3D secure technology; thus, you will not incur unnecessary integration costs. Learn more about Wallester’s SCA-compliant products.


How does SCA work?

SCA is a two-factor authentication that helps verify the cardholder’s identity during an online transaction.

How to authenticate a payment?

A payment is authenticated if the customer satisfies two of the following categories:

  • Knowledge (something only the cardholder knows) – examples include password, passphrase, PIN, or secret answer.
  • Possession (something only the consumer owns) – examples include wearables, phones, smartcards, or tokens.
  • Inherence (something that the cardholder is) – examples include biometrics such as facial recognition and fingerprint.

What happens if an exemption fails?

If an exemption fails, the bank returns the declined codes, and payments must be resubmitted with a request for SCA.

Why is SCA coming into force?

SCA is part of the PSD2 requirement to protect consumers from online payment fraud.

Please, improve your experience!

You’re using an unsupported web browser. As Wallester supports the latest versions, we highly recommend you use an up-to-date version of one of these browsers: