PSD2 SCA - Strong Customer Authentication - Nordigen

What is SCA and why it's important for PSD2

Article by: Vitor Urbano (10 min read)

Strong Customer Authentication, or SCA, is one of the most important requirements introduced by PSD2: it is the mechanism used to verify a user's identity and significantly reduce fraud on remote/online payments.

SCA is supported by a short list of standards and regulations, which map out the path companies must follow to comply with all the requirements. The result is an effortless and secure environment for their customers.

It is important to highlight that SCA has two main goals: to make transactions as secure as possible while at the same time guaranteeing the best user experience.


SCA regulations in Europe and UK eliminate margin for errors

Alongside PSD2, a number of regulations were introduced to guide and ensure the correct enforcement of strong customer authentication. More specifically, these are the Regulatory Technical Standards, also known as RTS.


Regulatory Technical Standards (RTS)

These are a set of technical compliance standards that, once endorsed by the European Commission (EC), need to be met by all parties. They were drafted and implemented by the European Banking Authority and have the goal to establish minimum conditions that need to be met for businesses to be compliant with PSD2.

The EC felt the need to draft these standards since both strong customer authentication and secure open standards of communication were only lightly described in the regulation.

With the enforcement of the RTS, protection of users' safety and privacy was significantly strengthened.


Common and Secure Communication (CSC)

Common and Secure Communication standards, also referred to as CSC, were specified in the RTS draft to ensure that the communication between banks and regulated third party providers (TPPs) happens through secure messaging.

According to these standards, banks have to develop a communication channel that allows TPPs to access necessary data securely. Moreover, these communication channels enable both the banks and TPP to identify each other when accessing customer data.

With the implementation of the RTS and its CSC standards, TPPs are no longer allowed to access customer data through the use of “screen scraping”. However, to facilitate the transition, some exceptions were put in place during a transitional period.



Sustainable Finance Disclosure Regulation (SFDR)

This regulation was meant to come into effect from March 10th, 2021, but the EC ended up deciding that it was not feasible for it to be adopted within the timeframe previously anticipated. After a first set of delays, SFDR was once again pushed back, having its implementation deferred to January 1st, 2023.

The Sustainable Finance Disclosure Regulation was created to ensure that any business providing financial services and products comprehensively discloses just how committed it is to sustainability. One of the main goals of the regulation is to prevent “greenwashing” by financial firms, which consists of exaggerating their environmental commitments on paper without applying them in practice.


Revised Markets in Financial Instruments Directive (MiFID 2)

MiFID 2 rolled out on January 3rd, 2018, to regulate financial markets and improve protections for investors. It is a legislative framework instituted by the European Union that aims to standardise practices across the EU and restore confidence in the industry.

This directive was used as a legal basis for the RTS.


SCA requirements are simple, but extremely efficient

To comply with the strong customer authentication requirements, payment providers need to confirm customer identity through at least two independent pieces of information. These pieces of information can be organised in three categories:

  • Something they own (e.g., smartphone)
  • Something they know (e.g., PIN code)
  • Something they are (e.g., fingerprint)

For a transaction to be confirmed and accepted, at least two of the previous conditions must be fulfilled.

These requirements are only applicable to transactions in the European Economic Area (EEA), where both payer and payee are in the region.



Two-Factor Authentication (2FA) is the new “normal” for user authentication

Two-Factor Authentication (2FA) is being adopted in virtually every industry that needs to authenticate customers, since it is the most reliable and secure. In some markets, it is also referred to as Multi-Factor Authentication (MFA).

2FA establishes an added security layer, minimising the risk of fraud while safeguarding buyers’ sensitive data. As an example, if someone acquires the login details of a Facebook account, they can try to use them to hijack the account. Here 2FA proves its worth, since the attacker is most likely logging in from an unfamiliar device that is not linked to the account.

Facebook therefore treats the attempt as a potential risk, blocks the login and sends an identity verification prompt to the legitimate user. Because two separate pieces of information are required, the attacker's efforts are neutralised.


PCI DSS, what is it?

The Payment Card Industry Data Security Standard, also known as PCI DSS, was drafted to ensure that every company that deals with credit card data maintains a secure environment.

Merchants are divided into 4 levels, defined by the volume of Visa transactions over the previous 12 months. These levels determine the steps that need to be followed to satisfy PCI DSS requirements. All the documentation regarding PCI DSS can be found on the PCI Security Standards Council website.

Unlike 2FA, PCI DSS is applied to any situation where cardholder data is processed. Examples of situations where a merchant needs to be PCI compliant:

  • Taking card information over the phone
  • Organisations that use third party providers
  • e-Commerce shops
  • Companies that only accept payments but do not store data
  • Any type of card from American Express, Discover, JCB, MasterCard and Visa

For additional information regarding PCI DSS, please visit the PCI Security Standards Council website.


SCA is mandatory, but there are some possible exemptions

Strong Customer Authentication is required by PSD2 on most online or remote transactions, but there are a few situations where exemptions might be applied.

Under the new regulation, specific types of low-risk payments may be exempted from strong customer authentication. Even though the payment provider may request that an exemption be applied, the customer’s bank always makes the final decision.


7 most common SCA exemptions

  • Low-risk transactions
    • A payment provider is allowed to perform a real-time risk assessment to decide whether or not to apply SCA to a transaction. This is only possible if the provider’s or bank’s overall fraud rate for card payments is below the predetermined threshold for the transaction amount:
      • 0.13% — up to 100 euros
      • 0.06% — up to 250 euros
      • 0.01% — up to 500 euros
  • Payments below €30
    • If a transaction is below 30 euros, it may be exempted from SCA. There is still a condition that banks need to request authentication if the exemption has been used five times in a row or if the sum of exempted payments exceeds 100 euros.
  • Fixed-amount subscriptions
    • When a customer starts a fixed-amount subscription, SCA is only applied on the first payment. All recurring payments to the same merchant and for the same amount can be processed without SCA.
  • Merchant-initiated transactions
    • Payments made with saved cards when the customer is not present in the checkout flow may qualify as merchant-initiated transactions, falling outside the scope of SCA.
    • To use this type of payment, the customer always needs to authenticate the card, either when its details are saved or when the first payment is processed. It is important to highlight that, as with any other exemption, the bank still has the last word in the process.
  • Trusted beneficiaries
    • During the first authentication for a payment, customers might be presented with the option to mark a business as a “trusted beneficiary”. When a business is included in this list, future purchases won’t require SCA.
    • The list of trusted beneficiaries is maintained by the customer’s bank or payment service provider.
  • Phone sales
    • Whenever card details are acquired over the phone, the payment is classified as a “mail order and telephone order” (MOTO) transaction and does not require SCA. However, like any other transaction, it needs to be flagged appropriately and the final decision is made by the bank.
  • Corporate payments
    • This exemption is mostly used within the travel industry, where an online travel agent holds a corporate card to manage employee travel expenses.

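The low-value and transaction-risk-analysis rules above translate directly into decision logic on the payment provider's side. The following is an added example, not code from the article or from Nordigen; it models the thresholds as stated in the text (fraud-rate ceilings per amount band, the five-in-a-row and 100 euro limits for payments below 30 euros) and returns only the exemption a provider may request, since the issuing bank keeps the final say. `CardHistory` and the per-card counters are constructed state for the example.

```python
from dataclasses import dataclass

# Fraud-rate ceilings from the article: a PSP may request the transaction risk
# analysis (TRA) exemption up to the amount band whose ceiling its rate meets.
TRA_THRESHOLDS = ((0.0001, 500), (0.0006, 250), (0.0013, 100))  # (rate, max EUR)
LOW_VALUE_LIMIT = 30       # "payments below EUR 30"
LOW_VALUE_MAX_COUNT = 5    # SCA forced once the exemption is used five times in a row
LOW_VALUE_MAX_SUM = 100    # ... or once exempted payments would exceed EUR 100


@dataclass
class CardHistory:
    """Counters the issuer keeps per card since the last successful SCA (constructed)."""
    exempt_count: int = 0
    exempt_sum: float = 0.0


def tra_limit(fraud_rate: float) -> int:
    """Highest amount eligible for TRA at this PSP-wide fraud rate (0 = not eligible)."""
    for ceiling, limit in TRA_THRESHOLDS:
        if fraud_rate <= ceiling:
            return limit
    return 0


def low_value_eligible(amount: float, hist: CardHistory) -> bool:
    """Below EUR 30, fewer than five exempt payments in a row, cumulative total within EUR 100."""
    return (amount < LOW_VALUE_LIMIT
            and hist.exempt_count < LOW_VALUE_MAX_COUNT
            and hist.exempt_sum + amount <= LOW_VALUE_MAX_SUM)


def request_exemption(amount: float, fraud_rate: float, hist: CardHistory) -> str:
    """Exemption the PSP may *request*; 'sca' means none applies and SCA must be performed."""
    if low_value_eligible(amount, hist):
        return "low_value"
    if 0 < amount <= tra_limit(fraud_rate):
        return "tra"
    return "sca"


def record_outcome(hist: CardHistory, amount: float, exempted: bool) -> CardHistory:
    """An SCA-authenticated payment resets the counters; an exempted one accumulates."""
    if exempted:
        return CardHistory(hist.exempt_count + 1, hist.exempt_sum + amount)
    return CardHistory()
```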

Why could an SCA exemption fail?

There is no doubt that exemptions are a very important addition to Strong Customer Authentication, helping to make low-risk transactions effortless both for the customer and the business.

Exemptions are not guaranteed, and every so often they fall short. Regardless of the situation, it is ultimately the cardholder’s bank that decides whether or not to accept an exemption.

If the bank has denied it, the payment will need to be resubmitted to the customer with a request for SCA, which can cause unnecessary hurdles if there are no fallback options in place.


What is the purpose of the Trusted Beneficiary exemption?

The trusted beneficiary exemption can become extremely useful when the customer makes frequent payments to the same merchants. Essentially, it allows cardholders to create a list of trusted beneficiaries which is held by the issuing bank. This process is known as Merchant White Listing (MWL) and, once performed, a cardholder can complete further electronic payment transactions without the need for SCA.

To successfully use MWL, concerned parties must follow guidelines defined by the PSD2 regulations:

  • To whitelist a merchant, a cardholder must perform SCA.
  • Ensure that a merchant cannot enable MWL themselves.
  • Issuers must follow GDPR; therefore, changes to their terms and conditions should be adjusted accordingly. The privacy notice should inform cardholders about how the MWL is used and stored.
  • The issuer must ensure that a cardholder can remove merchants from their MWL whenever they request it.

These are fundamental guidelines to ensure the trusted beneficiary exemption works as intended.

There are potential risks for merchants when this exemption is applied

This exemption permits cardholders to perform a transaction without needing to use 2FA under the SCA requirements, considerably improving the purchase experience. But when it comes to the other parties involved, the merchant will, for example, be responsible for any fraud-related chargebacks.

Furthermore, a merchant may be unable to contest chargebacks that had no connection to fraud. The European Payments Council states that if no SCA was used on a cardholder's transaction, the payer can demand full compensation. This applies only in cases where the cardholder showed no fraudulent activity when performing the transaction.

What is dynamic linking in SCA?

Dynamic linking was introduced as one of the most important topics of SCA, adding an invaluable extra layer of security against online payment fraud.

Essentially, this involves dynamically linking the authentication code to the specific payment amount and the specific payee of the transaction. This code should be carried through every step of the payment and authentication process.

If at any stage the code is lost or modified, or the amount or payee no longer matches it, the transaction must be cancelled.


Requirements for dynamic linking

According to the regulatory technical standards, there are specific requirements for the implementation of dynamic linking in SCA. When discussing dynamic linking, four main requirements need to be considered:

  • The payer has to be aware of the transaction amount and the payee.
  • The generated authentication token has to be specific to the payment transaction amount that the payee agreed to with the payer.
  • The authentication token accepted by the payment service provider (PSP) must match the original specific transaction amount and the identity of the payee.
  • The authentication token must be invalidated if either one of the transaction details has been altered.
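The four requirements above can be illustrated with a small model of the authentication code lifecycle: the code is computed over exactly the amount and payee the payer was shown, and the payment service provider recomputes and compares it at execution time, so any change to either detail invalidates it. This is an added example, not code from the article or from Nordigen, and the RTS does not prescribe this construction; the HMAC-SHA256 code, the shared device key and the one-time nonce are assumptions chosen to make the binding concrete.

```python
import hashlib
import hmac
import secrets


def _encode(amount_cents: int, payee: str, nonce: bytes) -> bytes:
    # Length-prefix each field so "100|ACME" can never collide with "10|0ACME".
    fields = (str(amount_cents).encode(), payee.encode("utf-8"), nonce)
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def link_code(key: bytes, amount_cents: int, payee: str, nonce: bytes) -> bytes:
    """Authentication code bound to the amount and payee shown to the payer (req. 1 and 2)."""
    return hmac.new(key, _encode(amount_cents, payee, nonce), hashlib.sha256).digest()


def issue_code(key: bytes, amount_cents: int, payee: str) -> tuple[bytes, bytes]:
    """Payer's device side: fresh nonce per transaction so a code cannot be replayed."""
    nonce = secrets.token_bytes(16)
    return nonce, link_code(key, amount_cents, payee, nonce)


def verify_code(key: bytes, amount_cents: int, payee: str, nonce: bytes, code: bytes) -> bool:
    """PSP side: accept only if the code matches the amount and payee actually executed (req. 3);
    a code computed over different details simply fails to match (req. 4)."""
    expected = link_code(key, amount_cents, payee, nonce)
    return hmac.compare_digest(expected, code)


def demo() -> tuple[bool, bool, bool]:
    """Constructed run: original details pass, altered amount or payee is rejected."""
    key = b"constructed-device-key-for-demo"       # assumption: key provisioned to the device
    nonce, code = issue_code(key, 4999, "ACME Shop GmbH")
    return (
        verify_code(key, 4999, "ACME Shop GmbH", nonce, code),   # True
        verify_code(key, 49990, "ACME Shop GmbH", nonce, code),  # amount changed: False
        verify_code(key, 4999, "Other Merchant Ltd", nonce, code),  # payee changed: False
    )
```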



SCA enforcement deadlines in Europe and UK

The first guidelines introduced by PSD2 regarding the enforcement of SCA pointed at the end of 2020 as the goal, but not all countries managed to meet the deadline.


Countries in the European Union fully SCA compliant by the end of 2020

  • Bulgaria
  • Cyprus
  • Czech Republic
  • Finland
  • Greece
  • Hungary
  • Lithuania
  • Luxembourg
  • Malta
  • Norway
  • Poland
  • Portugal
  • Romania
  • Slovenia
  • Sweden


EU countries that met the requirements during 2021

  • Austria (March 15th)
  • Belgium (May 18th)
  • Denmark (January 11th)
  • France (March 31st)
  • Germany (March 15th)
  • Ireland (July 1st)
  • Italy (April 1st)
  • Spain (March 1st)
  • Switzerland (September 15th)


The United Kingdom has decided to extend its deadline into 2022

At first, the UK was in line with the rest of Europe, with a planned deadline of September 14th, 2021. The FCA quickly recognised the ongoing challenges the industry was facing in getting ready for SCA enforcement and extended the deadline by another six months.

As it stands, the current deadline for SCA enforcement in the UK is March 14th, 2022.

If you still have doubts about the meaning of some concepts and definitions around PSD2 terms, feel free to consult our FAQ page.
