PSD2 SCA (strong customer authentication)



What is PSD2 strong customer authentication

Strong customer authentication (SCA) is a European regulatory requirement to reduce fraud, make online and contactless payments more secure. SCA was integrated in the PSD2 directive as a solution to ensure an elevated level of security for customers when making payments.

The solution presented itself as two-factor authentication (2FA), where customers need to provide two independent pieces of information to confirm their identity.

With the growth of online services, there is a greater need to authenticate the identify of users during online transactions and banking activities. With that in mind, SCA was conceived with 4 main goals in mind:

  • Reduce the cost of processing fraudulent transactions
  • Reduce the potential for online fraud
  • Comply with international regulations such as PCI-DSS and PSD2
  • Increase cardholder confidence in using online services

PSD2 strong customer authentication regulation in Europe

In Europe, PSD2 strong customer authentication is regulated by the drafted regulatory technical standards (RTS). These standards specify all the authentication requirements for payment providers to comply with SCA and offer their customers a reduced risk of fraud.


PSD2 SCA requirements

To comply with the strong customer authentication requirements, payment providers need to confirm customer identity through at least two independent pieces of information. These pieces of information can be organised in three categories:

  • Something they own (e.g., smartphone)
  • Something they know (e.g., PIN code)
  • Something they are (e.g., fingerprint)

For a transaction to be confirmed and accepted, at least two of the previous conditions must be fulfilled.

These requirements are only applicable to transactions in the European Economic Area (EEA), were both payer and payee are in the region.

PSD2 SCA exemptions

Strong customer authentication is required by PSD2 in most online or remote transactions, but there are a few situations where exemptions are applied.

Under the new regulation, specific types of low-risk payments may be exempted from strong customer authentication. Even though the payment provider might request authorisation for an exemption to be applied, the customer bank always makes the final decision.

7 of the most common PSD2 SCA exemptions

  • Low-risk transactions
  • A payment provider is allowed to do a real-time risk assessment to decide whether to apply, or not, SCA to a transaction. This is only possible if the provider’s or bank’s overall fraud rates for card payments are below pre-determined thresholds:
  • 0.13% - up to 100 euros
  • 0.06% - up to 250 euros
  • 0.01% - up to 500 euros
  • Payments below €30
  • If a transaction is below 30 euros, may be exempted from SCA. There is still a condition that banks need to request authentication if the exemption has been used five times in a row or if the sum of exempted payments exceeds 100 euros.
  • Fixed-amount subscriptions
  • When a customer starts a fixed-amount subscription, SCA is only applied on the first payment. All recurring payments to the same merchant and for the same amount can be processed without SCA.
  • Merchant-initiated transactions
  • Payments made with saved cards when the customer is not present in the checkout flow may qualify as merchant-initiated transactions, falling outside the scope of SCA.
    To use this type of payments, the customer always need to authenticate the card with it’s saved or when the first payment is processed. It is important to highlight that, like in any other exemption, the bank still has the last decision in the process.
  • Trusted beneficiaries
  • During the first authentication for a payment, customers might be presented with the option to mark a business has a “trusted beneficiary”. When a business is included in this list, future purchases won’t require SCA.
    The list of trusted beneficiaries is maintained by the customer’s bank or payment service provider.
  • Phone sales
  • Whenever card details are acquired over the phone this type of payment is classified as “mail order and telephone orders” (MOTO) and do not require SCA. Although, like any other transaction, needs to be flagged appropriately and the final decision is made by the bank.
  • Corporate payments
  • This exemption is mostly used within the travel industry, where an online travel agent holds a corporate card to manage employee travel expenses.


What is dynamic linking in SCA?

In the context of the PSD2, dynamic linking is one of the most important topics of SCA, even though it might be a little confusing at times.

Essentially, dynamic linking involves dynamically linking authentication tokens to the specific payment amount and the specific payee of the transaction. These token should be present through every step of the payment and authentication process. If at any stage the token is lost or modified, the transaction must be cancelled.

According to the regulatory technical standards (RTS) there are specific requirements for the implementation of dynamic linking in SCA. When discussing dynamic linking, four main requirements need to be considered:

  • The payer has to be aware of the transaction amount and the payee.
  • The generated authentication token has to be specific to the payment transaction amount that the payee agreed to with the payer.
  • The authentication token accepted by the payment service provider (PSP) must match the original specific transaction amount and the identify of the payee.
  • The authentication token must be invalidated if either one of the transaction details has been altered.


PSD2 SCA deadline

Originally, strong customer authentication requirements went into effect on 14 September 2019, but the European Banking Authority (EBA) decided that all the providers would have until the 1st of January 2021.

Even though the PSD2 SCA deadline was established for the beginning of 2021, many countries in Europe have communicated their individual enforcement timelines, going against EBA's decision.

Strong customer authentication is already in full enforcement throughout all the European Economical Area (EEA), with only the United Kingdom and Switzerland extending their deadline until April 2022.

Inside the European Union, we have seen 7 countries adopting different timelines for the SCA full enforcement:

  • France - March 2021
  • Belgium - May 2021
  • Germany - March 2021
  • Italy - April 2021
  • Ireland - July 2021
  • Spain - March 2021
  • Austria - March 2021
Get started now!

No trial period. No credit card. Free forever.

Join our Newsletter

We frequently share industry news and Nordigen product updates to our closest friends, fintech innovators and industry experts. Sign up to our newsletter to hear more from us.

By providing your email, you accept
Nordigen's Privacy Policy.