Strong Customer Authentication | Open Banking

PSD2: Strong Customer Authentication

What is Strong Customer Authentication?

Strong customer authentication (SCA) is a new regulatory requirement that forms part of the wider European PSD2 Open Banking regulation. With its introduction, European customers will be required to provide more information when purchasing goods or services online. Currently, all that is required is a customer’s card number, CVC digits and, at times, a 3D Secure code or similar. SCA will mean further levels of authentication are needed at the time of payment.

A key concept of SCA is two-factor authentication, which requires a second level of authentication before a transaction is approved. While many card issuers have implemented a form of two-factor authentication (for example 3D Secure, which requires a password to be entered on a separate webpage after card details have been entered), SCA will require banks to replace the current methods of two-factor authentication and ensure higher levels of security.

The current authentication flow offered by most banks involves a web redirect, which provides a poor user experience and is prone to phishing attacks. Under SCA requirements, the updated authentication flow should add as few steps as possible, and alternative flows have been suggested that use embedded, decoupled or app-to-app redirect instead of the traditional web redirect. SCA will also require that two of the following are provided for a transaction to be authenticated:

  • Something you know e.g. a password, PIN or personal fact
  • Something you own e.g. mobile phone, wearable or token
  • Something you are e.g. fingerprint, facial features or voice patterns


Exemptions to SCA

Not all transactions will be required to adhere to the SCA regulation. Low-value and low-risk transactions will be exempt from SCA. For example, any transaction under €30 will not require SCA, nor will transactions where the average number of fraudulent cases is particularly low. Recurring payments or subscriptions will also be exempt after the first payment.

Customers will have the option to whitelist certain providers as well, meaning they will not have to provide SCA for every transaction they complete with a whitelisted vendor.
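The two-of-three factor rule and the exemptions above can be expressed as a single payment decision. The following is an added example, not part of the original post: the credential names, the `Payment` fields and the result strings are assumptions made for illustration, and the low-risk exemption is left out because the post gives no threshold for it.

```python
from dataclasses import dataclass
from decimal import Decimal

# Factor categories from the list above; the credential names are constructed.
FACTOR_CATEGORY = {
    "password": "knowledge", "pin": "knowledge",
    "phone": "possession", "hardware_token": "possession",
    "fingerprint": "inherence", "face": "inherence",
}
LOW_VALUE_LIMIT_EUR = Decimal("30")  # "any transaction under EUR 30"

@dataclass
class Payment:  # hypothetical record, for illustration only
    amount_eur: Decimal
    merchant: str
    recurring: bool = False
    first_in_series: bool = False

def exemption(p, whitelist):
    """Return the name of the exemption that applies, or None."""
    if p.amount_eur < LOW_VALUE_LIMIT_EUR:      # strictly under the limit
        return "low_value"
    if p.recurring and not p.first_in_series:   # exempt only after the first payment
        return "recurring"
    if p.merchant in whitelist:                 # customer-whitelisted provider
        return "whitelisted"
    return None

def categories(presented):
    """Distinct factor categories among the presented credentials."""
    return {FACTOR_CATEGORY[f] for f in presented if f in FACTOR_CATEGORY}

def decide(p, presented, whitelist=frozenset()):
    ex = exemption(p, whitelist)
    if ex:
        return f"exempt:{ex}"
    # Two credentials of the same category (password + PIN) count as one factor.
    if len(categories(presented)) >= 2:
        return "authenticated"
    return "sca_required"
```

Note that a payment of exactly €30 is not exempt, and that the first payment of a subscription still has to pass the factor check.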


The Good and the Bad of SCA

For merchants, the main benefits of introducing SCA are reduced fraud, increased trust amongst customers, smoother processes for customers and more payment options available. In general, it should promote safer online payments and lead to more ecommerce transactions being fulfilled.

However, there are fears that initially SCA will lead to high levels of trolley abandonment and payment drop-off. Merchants need to introduce efficient systems to meet the new requirements and manage customers’ expectations of the payment process to reduce payment drop-off.


When does SCA come into Effect?

SCA was due to come into effect across Europe on September 14th, 2019. However, due to a lack of readiness amongst payment providers and retailers, the European Banking Authority (EBA) allowed national regulators to grant an extension. On October 17th, 2019, the EBA announced that the new deadline for implementation of SCA is the 31st December 2020.

Blog post updated August 2020
