What is Strong Customer Authentication (SCA)?

This article explores what SCA is, where it comes from, how it works, and what merchants and payment providers need to know.

May 12, 2026

Strong Customer Authentication (SCA) is a legal requirement introduced under European Union (EU) legislation (PSD2) and retained in the UK following Brexit to increase consumer protection and improve online payment security.

It requires consumer transactions to be verified using at least two independent authentication factors that comply with SCA requirements.

The European Banking Authority issued strict guidelines on what constitutes SCA compliance, with a particular focus on the independence and reliability of the authentication methods used.

To keep payments frictionless and the user experience smooth, payment service providers must therefore build their authentication strategy around compliant methods such as one-time passwords delivered to a mobile phone, push notifications for approval, or biometric verification on a mobile device.


Where Does SCA Come From?

SCA is a core security requirement under the EU's Revised Payment Services Directive, commonly known as PSD2, which was introduced by regulators to address growing vulnerabilities driven by rising fraud and cybersecurity threats.

Under PSD2, businesses are required to comply with SCA for card-not-present transactions and other electronic payments, such as online or mobile purchases. SCA covers all customer-initiated online and contactless offline payments.

The impact of SCA is therefore felt globally. It typically applies when both the customer’s bank (issuer) and the merchant’s payment provider (acquirer) are located within the EU, EEA, or the UK; where one party is outside these regions, SCA may not be required.

Authentication requests are initiated by the payment provider or bank whenever a transaction requires additional verification under SCA rules.

Figure: the three authentication factors for Strong Customer Authentication (SCA), something you know, something you have and something you are, covering passwords, OTP codes and biometric verification.

The Three Authentication Factors

At the heart of SCA is the requirement for multi-factor authentication, commonly referred to as two-factor authentication.

Previously, a static password could be used on its own for authentication. However, under PSD2, static passwords alone are no longer considered sufficient to meet SCA requirements.

Instead, a payment must be verified using at least two of the following three independent categories:

Something You Know

This factor relies on knowledge-based information that only the cardholder should possess, making it difficult for fraudsters to replicate without access to the customer’s private credentials. Examples include:

  • A password.
  • A PIN.
  • A security question answer.

Something You Have

This factor refers to possession of a physical or digital item belonging to the cardholder. Examples include:

  • A mobile phone receiving SMS verification codes.
  • A banking app used for authentication approvals.
  • A hardware token or security key.
  • The payment card itself (in some contexts, such as offline or in-person transactions where the card is combined with PIN entry).
  • A one-time passcode (OTP) sent to a registered mobile device.

This ensures that even if someone knows the password, they still need access to a trusted device or object to complete the transaction.

Something You Are

This category refers to biometric authentication, which uses the unique biological characteristics of the cardholder. Examples include:

  • Fingerprint scanning.
  • Facial recognition.
  • Voice recognition.
  • Iris scanning.

Biometrics are increasingly common in mobile banking apps and modern payment flows. They provide a high level of security and are generally more difficult to replicate than traditional credentials.

For a successful authentication, any transaction must combine at least two of these three factors. For example, a customer might approve a payment using a password (something they know) and facial recognition (something they are).

SCA Exemptions: When It Doesn't Apply

While applying SCA is a mandatory regulatory requirement, there are some exemptions designed to balance security with user convenience. These exemptions only apply in specific scenarios, such as low-value payments, recurring transactions, or trusted beneficiaries.

In such cases, a merchant or payment provider may request an exemption from SCA. The cardholder's bank has the final say on whether to grant or reject the request.

Even if an exemption applies, the cardholder's bank may require multi-factor authentication after a certain number of transactions or when transaction patterns trigger additional risk checks.

Low-Value Transactions

Transactions under €30 (or £25) can be exempt from SCA. This exemption is limited, however: SCA must be applied once five consecutive transactions have been made or when the cumulative value exceeds £100.

Banks monitor both the number and value of transactions, so once these thresholds or cumulative limits are reached, SCA may be required even for low-value payments.

Low-Risk Transactions

Exemptions for low-risk transactions can be granted based on real-time transaction risk analysis. Payment providers use this analysis to identify low-risk payments, minimise friction and reduce the number of false declines, applying SCA exemptions where appropriate.

Payment providers can only apply for this exemption if their fraud rates are consistently low, which is assessed by acquiring banks and card schemes. If a transaction is deemed low risk in real time, SCA may be waived to reduce friction for the customer.

Trusted Beneficiaries

Customers can also choose to add certain merchants to a “whitelist” of trusted payees. The customer's bank is responsible for managing the trusted payees list and approving exemptions related to these merchants.

Once a merchant is added, future transactions to that recipient may not require full SCA authorisation. This is commonly used for regular payments such as subscriptions, utilities, or trusted retailers.

Recurring Transactions

Some recurring payments may be exempt from repeated SCA checks after the initial authorisation. For example, a subscription service may require SCA only at the first payment, with subsequent charges processed without additional authentication.

The exemption applies only if the recurring payment amount and agreement remain unchanged. If the amount changes or the agreement is modified, SCA may be required again.

Mail Order/Telephone Order (MOTO)

Payments made via mail order or telephone order (MOTO) are typically exempt from SCA because they do not occur in a digital authentication environment.

Instead, these transactions rely on alternative security measures and fraud monitoring. The cardholder's bank is responsible for tracking and enforcing exemption rules for MOTO transactions.

Corporate Cards

Electronic payments initiated by business entities via dedicated corporate processes and protocols, such as central travel accounts, may be exempted from SCA. These payments already offer high levels of protection from fraud since they are processed within controlled business environments using secure systems.
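To make the two-factor rule from "The Three Authentication Factors" and the exemption rules above concrete, here is an added example of a simplified issuer-side decision function; it is not DECTA's code or any real issuer's logic. It checks that the presented methods span two independent categories, and it applies the low-value exemption (five-transaction count and cumulative limit, with the €30 and 100 figures treated as one currency unit), the trusted-beneficiary, unchanged-recurring and MOTO exemptions; the method names, the `CardState` model and its counters are constructed assumptions.

```python
from dataclasses import dataclass, field

# Method -> SCA category (constructed mapping). Two methods from the same
# category do not count as two factors; an unknown method raises KeyError.
CATEGORY = {
    "password": "know", "pin": "know", "security_question": "know",
    "sms_otp": "have", "app_push": "have", "hardware_token": "have",
    "fingerprint": "are", "face": "are", "voice": "are", "iris": "are",
}
LOW_VALUE_LIMIT = 30.0        # per-transaction threshold for the low-value exemption
LOW_VALUE_COUNT = 5           # consecutive exempt payments allowed before SCA is forced
LOW_VALUE_CUMULATIVE = 100.0  # cumulative value allowed before SCA is forced

def satisfies_sca(methods):
    """True only if the methods cover at least two different categories."""
    return len({CATEGORY[m] for m in methods}) >= 2

@dataclass
class CardState:  # per-card state an issuer would keep (assumed model)
    consecutive_low_value: int = 0
    cumulative_since_sca: float = 0.0
    trusted_payees: set = field(default_factory=set)
    recurring: dict = field(default_factory=dict)  # merchant -> agreed amount

def sca_required(state, amount, merchant, channel="ecommerce"):
    """Return (required, reason), updating the low-value counters as the issuer would."""
    if channel == "moto":
        return False, "moto"
    if merchant in state.trusted_payees:
        return False, "trusted_beneficiary"
    if state.recurring.get(merchant) == amount:  # unchanged recurring agreement
        return False, "recurring_unchanged"
    if amount < LOW_VALUE_LIMIT:
        state.consecutive_low_value += 1
        state.cumulative_since_sca += amount
        if (state.consecutive_low_value > LOW_VALUE_COUNT
                or state.cumulative_since_sca > LOW_VALUE_CUMULATIVE):
            return True, "low_value_limits_exceeded"
        return False, "low_value"
    return True, "default"

def authorise(state, amount, merchant, methods=(), channel="ecommerce"):
    """Exemption check first; if SCA is needed, the presented factors must qualify."""
    required, reason = sca_required(state, amount, merchant, channel)
    if not required:
        return True, reason
    if satisfies_sca(methods):
        state.consecutive_low_value, state.cumulative_since_sca = 0, 0.0  # SCA resets counters
        return True, "sca_" + reason
    return False, "sca_failed"
```

The counters are advanced even when a transaction is then declined, which mirrors the page's point that the bank, not the merchant, keeps the final say on each exemption.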

What SCA Means for Merchants

The introduction of additional authentication steps for online payments has significantly changed the checkout flow. Merchants must optimise the checkout experience for customers to maintain high conversion rates and reduce cart abandonment.

In order to do so, merchants can partner with payment providers to manage exemptions and ensure that only necessary transactions require additional verification steps.

When SCA is incorrectly applied, liability for fraudulent disputes may also fall upon the merchant, which increases their financial and operational risk. Merchants must use compliant solutions and technologies that meet regulatory standards to ensure secure and seamless authentication.

The introduction of technologies like 3D Secure 2 facilitates SCA compliance. 3D Secure 2 is an authentication protocol used by banks to verify the cardholder’s identity in real time. It is the primary method used to authenticate online card payments and support SCA enforcement.

Merchants should seek to achieve a balance between payment security and consumer convenience. A poorly implemented SCA flow can lead to abandoned baskets, while a seamless integration can make authentication almost invisible to consumers.

Figure: 73 percent of UK retailers reported a decline in online payment fraud after implementing Strong Customer Authentication (SCA), according to a Barclays study.

SCA in practice: What Customers See

Customers also see the impact of SCA at checkout. Unlike in-person payments, where the customer simply taps a card on a card reader, SCA introduces an additional verification step during an online card payment. Customers may:

  • Receive a push notification in their banking app to approve the payment.
  • Enter a one-time password sent via SMS or email.
  • Use fingerprint or facial recognition on a mobile device.
  • Be redirected to a bank authentication page (3D Secure screen).

Modern authentication methods have made the authentication process quicker and more intuitive. Digital wallets like Apple Pay and Google Pay typically have built-in SCA through biometrics and device possession. 3D Secure 2 further optimises the authentication process for mobile devices and improves the user experience during online transactions. In many cases, biometric approval via a smartphone app can take just a second or two.

SCA can also improve customer trust in digital payments, which leads to higher conversion rates over time as customers feel more secure making online purchases. A Barclays study revealed that 73% of retailers reported a decline in online payment fraud in the initial 200 days following the implementation of SCA in the UK. However, customers may still experience interruptions if the transaction is flagged as higher risk in real time.

SCA & Online Banking: Secure Access & Payments

PSD2 requires payment service providers to implement SCA for online banking transactions. SCA plays an essential role in online banking by ensuring that access to accounts is properly verified. It requires customers to confirm their identity using at least two independent factors before they can log in or approve payments. This multi-factor authentication makes it much harder for unauthorised parties to gain access to the customer's bank account.

SCA also strengthens the security of online payments initiated through banking channels. By combining authentication methods such as passwords, mobile devices, and biometrics, it ensures that only the genuine account holder can approve transactions.

Implementing strong customer authentication in online banking is about striking the right balance between security and convenience. By leveraging advanced authentication methods and real-time risk analysis, payment providers can reduce online payment fraud, build customer trust, and deliver a seamless online banking experience that meets both regulatory and customer expectations.

The Broader Picture

SCA is part of a wider shift towards more intelligent and secure online payments. As each electronic payment transaction becomes more complex and globalised, the need to protect consumers from fraud and cybersecurity threats has grown significantly.

According to UK Finance, SCA plays an essential role in the prevention of unauthorised fraud. By requiring multi-factor authentication for most online shopping and eCommerce transactions, PSD2 ensures that consumers are protected from phishing scams, theft of their card details, and account takeover fraud.

SCA also supports the development of open banking and digital identity frameworks. By standardising authentication practices, PSD2 has contributed to a more secure foundation for innovation in payments and financial technology. Fintech business models are increasingly leveraging SCA to develop new payment solutions, often using APIs to enable secure data sharing, payments, and merchant-initiated transactions.

Regulators had to consider user experience and business impact as well. The introduction of exemptions and risk-based authentication reflects an attempt to balance security with user convenience. For example, 3D Secure 2 facilitates the transfer of risk analysis data from payment providers to the customer's bank, supporting better decision-making on authentication.

FAQs

Does SCA Apply to All Online Payments?

No, SCA does not apply to every online payment. SCA is required for customer-initiated online and contactless payments within the UK and EEA, unless an exemption applies. Certain transactions are exempt, such as low-value payments, low-risk transactions, and some recurring payments.

What Happens if a Merchant Doesn't Comply with SCA?

If a merchant fails to comply with SCA requirements, transactions may be declined by the issuing bank or payment provider. Liability for fraudulent transactions may also shift back to the merchant, which can result in financial losses and higher chargeback costs.

Does SCA Apply to In-Store (Card-Present) Payments?

In-store card-present transactions are subject to SCA, but it is typically fulfilled through methods such as Chip & PIN or contactless authentication limits.

Who is Responsible for Implementing SCA: The Merchant or The Payment Provider?

Both parties play a role. Payment providers and acquiring banks typically implement the technical infrastructure for SCA, such as 3D Secure 2. However, merchants must ensure their checkout systems are correctly integrated and compliant. In practice, this means merchants rely heavily on their payment partners to handle SCA correctly.

SCA-Ready Payment Processing with DECTA

DECTA plays an essential role in helping merchants navigate the complexities of SCA and meet the required regulatory technical standards. With payment processing solutions designed to support full SCA compliance, we enable merchants to focus on growing their business while ensuring their payment infrastructure remains secure and future-ready.

We combine technologies such as 3D Secure 2 and risk-based transaction monitoring to reduce fraud and minimise checkout friction. To balance regulatory compliance with conversion rates, DECTA uses intelligent risk assessment to determine when exemptions can be safely applied.

DECTA supports merchants in integrating SCA across multiple payment channels, including eCommerce platforms, mobile applications, and recurring billing systems. This ensures a consistent and compliant experience, regardless of how customers choose to pay.

Simplify your SCA compliance and master your payment performance today with DECTA.