Strong customer authentication: Securing digital transactions
Strong customer authentication (SCA) is a requirement enacted in Europe to reduce fraud by making online payments more secure.
Key takeaways
- Strong Customer Authentication is a European regulatory requirement mandating multi-factor authentication (MFA) for online payments.
- SCA requires at least two authentication factors: something the customer knows, has, or is (e.g., password, smartphone, biometrics).
- Banks must decline non-SCA-compliant transactions, but certain exemptions exist for low-risk, low-value, and recurring transactions.
- While primarily enforced in Europe, similar authentication measures are being considered or implemented in other countries to enhance online payment security.
Securing online payments with SCA
More than half of all fraudulent card transactions in the Single Euro Payments Area (SEPA), which encompasses 35 European countries, involve online transactions. In 2019, the strong customer authentication, or SCA, requirements were enacted to help protect customers and financial institutions operating within the European Economic Area (EEA) from fraud and financial crime.
As a requirement of the European Union Revised Directive on Payment Services (PSD2), SCA requires that electronic payments made through payment service providers in the EEA use MFA to add an extra layer of security.
The fundamentals of strong customer authentication
SCA was enacted on September 14, 2019, as part of the revised Payment Services Directive (PSD2), for businesses that process payments in Europe, with the aim of making contactless payments more secure and reducing fraud. As a European regulatory requirement, SCA mandates MFA, adding an additional authentication step to the checkout flow.
To comply with SCA requirements, merchants must ask for at least two of the following elements during an online transaction checkout:
- Something a customer knows: This is often a password or PIN.
- Something a customer has: This could be a smartphone, software, or hardware token.
- Something a customer is: This typically involves a form of biometrics, such as a fingerprint, retina scan, or facial recognition.
Banks are required to decline transactions that do not meet SCA requirements. Using more dynamic data points allows a customer's identity to be verified more accurately.
Before the SCA requirements, banks could only ask for a static password. SCA uses MFA to make online transactions more secure.
SCA governance and compliance: Who’s responsible?
Within the European Union (EU), the European Banking Authority (EBA) governs SCA. In the UK, the Financial Conduct Authority (FCA) governs it.
Banks and financial institutions, not merchants, must comply with and maintain SCA compliance per the PSD2 regulations. If they do not decline non-compliant transactions, they risk violating the law in their country.
How SCA is implemented depends on the type of transaction. Online debit and credit card transactions often rely on 3D Secure 1 (3DS1) or the more secure 3D Secure 2 (3DS2). Local payment methods and e-wallets frequently use their own specific SCA-compliant authentication methods.
With 3DS2, supported by most European credit and debit card companies, the cardholder's bank adds an extra authentication step after checkout. This commonly includes a one-time code sent to the customer's smartphone or fingerprint authentication within their mobile banking app. Digital wallets and international e-wallets like Apple Pay and Google Pay may also support SCA requirements.
When is strong customer authentication necessary?
Businesses must implement strong customer authentication for "customer-initiated" transactions, including bank transfers and online purchases. However, they need not apply SCA to "merchant-initiated" transactions, such as recurring debits.
SCA requirements
The SCA applies to online European payments when both the cardholder's bank and the business are in Europe. This requires online shoppers to complete an extra authentication step during checkout.
Regions mandating SCA compliance for online payments:
- European Economic Area (EEA)
- United Kingdom (UK)
- Morocco
The EU implemented SCA in 2019, but many areas delayed enforcement until businesses could comply. For instance, the UK postponed SCA implementation until March 14, 2022. Regulators delayed enforcement to minimize disruption for merchants and reduce friction for consumers.
Exceptions to the SCA
In some cases, an SCA exemption can be used. The merchant requests an exemption from the bank or credit card company when processing the transaction.
The merchant can assess the level of risk and determine whether the transaction is out of the SCA's scope. If it is, it can be exempt from the extra layer of authentication. This can be desirable in some cases, as SCA authentication can mean more friction for the customer and a higher potential drop-off rate for the merchant.
Common exemptions to the SCA regulations include the following:
- Low-risk transactions: If the payment provider's or bank's fraud rate is below the threshold for the transaction's amount band:
  - 0.13% for transactions below €100
  - 0.06% for transactions below €250
  - 0.01% for transactions below €500
- Low-value transactions: Transactions under €30 or €100 cumulative on the same card are exempt. However, the issuing bank must keep track of the number of exemptions.
- Recurring transactions: If the transaction is a fixed amount and recurs after the initial transaction fulfills SCA requirements, additional transactions are exempt. As these are fixed and recurring, they can fall under “merchant-initiated” transactions and, therefore, are no longer under the scope of the SCA.
- Trusted beneficiaries: The customer can put specific merchants on a whitelist held by their bank, which exempts them from following SCA regulations.
- B2B transactions: Transactions between two corporations can be exempt from SCA when using a payment instrument dedicated to B2B transactions.
As noted above, “merchant-initiated” transactions that do not involve direct customer involvement are outside the scope of SCA regulations. Regulators exclude phone and mail-order transactions from the scope as they are not considered electronic.
The SCA does not apply to card issuers or cardholders based outside the EEA, Monaco, or the UK.
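The exemption rules above are easiest to see as an issuer-side decision procedure. The following is an added example, not code from the original article or from any payment scheme: it encodes the exemption list and the low-risk fraud-rate bands exactly as stated here, keeps the per-card counters the article says the issuing bank must track, and returns one decision per transaction. The combination of the €30 per-transaction limit with the €100 cumulative limit, the use of strict "below" comparisons, and the order in which exemptions are tried are this example's assumptions; the transaction sequence in `run_sample()` is constructed.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Low-risk (transaction risk analysis) bands as listed on the page:
# (amount band upper bound, maximum fraud rate for that band).
TRA_BANDS = [
    (Decimal("100"), Decimal("0.0013")),  # below EUR 100: fraud rate below 0.13%
    (Decimal("250"), Decimal("0.0006")),  # below EUR 250: fraud rate below 0.06%
    (Decimal("500"), Decimal("0.0001")),  # below EUR 500: fraud rate below 0.01%
]
LOW_VALUE_LIMIT = Decimal("30")             # per transaction
LOW_VALUE_CUMULATIVE_LIMIT = Decimal("100") # on the same card since the last SCA


@dataclass
class CardState:
    """Per-card counters the issuing bank keeps (assumed layout)."""
    cumulative_since_sca: Decimal = Decimal("0")
    exemptions_since_sca: int = 0
    trusted_payees: set = field(default_factory=set)  # the customer's whitelist


@dataclass
class Transaction:
    payee: str
    amount: Decimal
    customer_initiated: bool = True   # False models merchant-initiated transactions
    fixed_recurring: bool = False     # a repeat of a fixed-amount series whose first payment passed SCA
    b2b_instrument: bool = False      # paid with an instrument dedicated to B2B use


def tra_exempt(amount: Decimal, provider_fraud_rate: Decimal) -> bool:
    """Low-risk exemption: the provider's fraud rate must be below the band's limit."""
    for band_limit, max_rate in TRA_BANDS:
        if amount < band_limit:
            return provider_fraud_rate < max_rate
    return False  # EUR 500 and above: no low-risk band applies


def evaluate(tx: Transaction, state: CardState, provider_fraud_rate: Decimal) -> str:
    """Decide one transaction and update the card's counters accordingly."""
    if not tx.customer_initiated or tx.fixed_recurring:
        return "OUT_OF_SCOPE_MERCHANT_INITIATED"
    if tx.b2b_instrument:
        return "EXEMPT_B2B"
    if tx.payee in state.trusted_payees:
        return "EXEMPT_TRUSTED_BENEFICIARY"
    if (tx.amount < LOW_VALUE_LIMIT
            and state.cumulative_since_sca + tx.amount <= LOW_VALUE_CUMULATIVE_LIMIT):
        state.cumulative_since_sca += tx.amount
        state.exemptions_since_sca += 1
        return "EXEMPT_LOW_VALUE"
    if tra_exempt(tx.amount, provider_fraud_rate):
        state.exemptions_since_sca += 1
        return "EXEMPT_LOW_RISK"
    # SCA is performed for this payment, so the low-value counters start over.
    state.cumulative_since_sca = Decimal("0")
    state.exemptions_since_sca = 0
    return "SCA_REQUIRED"


def run_sample() -> list:
    """Constructed sequence on one card with a provider fraud rate of 0.05%."""
    rate = Decimal("0.0005")
    state = CardState(trusted_payees={"UTILITY-CO"})
    txs = [Transaction("SHOP-A", Decimal(a)) for a in ("29", "29", "29", "29", "200", "300", "29")]
    txs.append(Transaction("UTILITY-CO", Decimal("700")))
    txs.append(Transaction("SHOP-B", Decimal("50"), customer_initiated=False))
    return [evaluate(tx, state, rate) for tx in txs]


if __name__ == "__main__":
    for decision in run_sample():
        print(decision)
```

In the sample, three €29 payments use the low-value exemption, the fourth would push the cumulative total past €100 and instead qualifies as low risk, the €300 payment falls in the band whose 0.01% limit the provider does not meet and so triggers SCA, which resets the counters.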
Global perspectives on strong customer authentication
Other financial regulatory boards in countries outside the European Union, Morocco, and the UK are also looking to implement strong customer authentication.
For example, the Reserve Bank of India has mandated an “additional factor of authentication” for card-not-present transactions, which are typically online.
In Australia, the Australian Competition & Consumer Commission (ACCC) blocked efforts to make 3D Secure mandatory due to complaints that it would disrupt UX and potentially cause merchants to lose sales.
As technology advances and financial fraud increases, additional countries are likely to adopt higher levels of authentication for online purchases, including protocols like the SCA.
How SCA has evolved
European regulators originally mandated strong customer authentication for digital payments in the financial services industry. Since then, other markets have voluntarily adopted it for financial and non-financial transactions.
Industries that use SCA include:
- Financial services
- Healthcare
- Manufacturing
- Retail
- Transportation and logistics
User Consent: An essential component of SCA
Informed approval is required to authorize payments and other types of sensitive transactions. SCA mandates that before any authorization, the user must view the payee and payment amount.
Understanding before authorizing
When it comes to financial transactions, SCA mandates that users clearly see crucial details before giving their approval. This includes:
- The recipient's identity
- The exact amount being transferred
By presenting this information upfront, SCA ensures users make conscious, informed decisions about their transactions.
Beyond financial transactions
The principle of informed approval extends beyond the financial sector. Any sensitive transaction that involves personal data or security settings can benefit from this approach. This includes:
- Modifying account security parameters
- Updating user profile information (e.g., residential address)
- Granting access to personal data
Dynamic linking in SCA
Dynamic linking, a security feature in PSD2, enhances transaction security by ensuring the approved details match the final transaction.
How it works:
- Links transaction details to the approval prompt
- Allows users to verify transaction accuracy before approval
- Helps prevent transaction tampering
Process:
- The payer initiates a payment
- The transaction is linked to the amount and payee specified by the payer
- The dynamic linking generates a unique "authentication code" for the transaction
Importance of the authentication code:
- Specific to the transaction's payee and amount
- Travels with the transaction through the payment and authorization processes
- Any change to payment data (amount or payee) invalidates the code and the transaction
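To make the dynamic linking property concrete, here is an added example, not code from the original article and not any bank's or scheme's implementation. It computes the authentication code as an HMAC over a canonical encoding of the payee, the amount in minor units, the currency and a transaction identifier, then verifies that code at authorization time. The key, field layout, transaction identifier and sample values are all constructed for the example; the point it shows is that the code that the payer approved for one payee and amount is rejected for any other payee, amount or transaction.

```python
import hashlib
import hmac
from decimal import Decimal, ROUND_HALF_UP

# Constructed sample key standing in for the secret shared between the
# authenticator and the issuer (provisioned at enrolment in a real system).
SAMPLE_KEY = bytes.fromhex("7f" * 32)


def _minor_units(amount) -> int:
    """Normalise an amount to integer cents so that "45.0" and "45.00"
    link to the same code while "450.00" does not."""
    return int(Decimal(str(amount)).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP) * 100)


def _canonical_payload(payee: str, amount, currency: str, transaction_id: str) -> bytes:
    """Length-prefixed encoding of the linked fields. The prefixes stop one
    payee/amount pair from being re-split into a different pair that would
    produce the same byte string (e.g. payee 'A1'/amount '2' vs 'A'/'12')."""
    fields = [payee, str(_minor_units(amount)), currency.upper(), transaction_id]
    out = b""
    for f in fields:
        raw = f.encode("utf-8")
        out += len(raw).to_bytes(2, "big") + raw
    return out


def issue_authentication_code(key: bytes, payee: str, amount, currency: str, transaction_id: str) -> str:
    """Authentication code returned once the payer has seen and approved
    exactly this payee and amount."""
    payload = _canonical_payload(payee, amount, currency, transaction_id)
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_authentication_code(key: bytes, code: str, payee: str, amount, currency: str, transaction_id: str) -> bool:
    """Issuer-side check at authorization time: recompute the code over the
    data that actually arrived and compare in constant time."""
    expected = issue_authentication_code(key, payee, amount, currency, transaction_id)
    return hmac.compare_digest(code, expected)


def demo() -> dict:
    """Approve one payment, then present the same code with altered data."""
    code = issue_authentication_code(SAMPLE_KEY, "ACME-SHOP-123", "45.00", "EUR", "txn-0001")
    check = lambda payee, amount, cur, tid: verify_authentication_code(SAMPLE_KEY, code, payee, amount, cur, tid)
    return {
        "original": check("ACME-SHOP-123", "45.00", "EUR", "txn-0001"),
        "same_amount_other_format": check("ACME-SHOP-123", "45.0", "EUR", "txn-0001"),
        "amount_changed": check("ACME-SHOP-123", "450.00", "EUR", "txn-0001"),
        "payee_changed": check("OTHER-PAYEE-9", "45.00", "EUR", "txn-0001"),
        "currency_changed": check("ACME-SHOP-123", "45.00", "USD", "txn-0001"),
        "replayed_on_new_txn": check("ACME-SHOP-123", "45.00", "EUR", "txn-0002"),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:>26}: {'accepted' if accepted else 'rejected'}")
```

Only the approved payee, amount and transaction verify; every altered field, and a replay of the code against a new transaction, fails the check, which is the behaviour the last bullet above describes.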
Additional SCA resources
For more detailed information on SCA and related regulations, refer to:
- EU regulatory standards for electronic payments
- Technical standards behind PSD2 and SCA
- Mastercard and Visa websites for details on their SCA compliance approaches
FAQs
Q: What is strong authentication?
A: Strong authentication is a method of confirming a user's identity that goes beyond passwords. It combines two independent factors to confirm a person's identity before granting access.
Q: What is the weakest form of authentication?
A: Passwords are generally considered the weakest form of authentication due to issues like password fatigue, reuse across accounts, and susceptibility to phishing attacks.
Q: Is 3DS mandatory in the US?
A: 3D Secure is not mandated by federal law in the United States, though some merchants may adopt it voluntarily to help reduce fraud and chargebacks.
Strong customer authentication starts with Okta
Learn how Okta's cloud-based authentication gives users high assurance with simple-to-use factors like biometrics and push notifications.