
Strong Customer Authentication (SCA) is a security requirement introduced under the EU’s Revised Payment Services Directive (PSD2) that obligates payment service providers to verify user identity using a minimum of two independent authentication factors before granting access to a payment account or processing an electronic payment transaction. The technical framework governing how SCA must be implemented is set out in the EBA Regulatory Technical Standard on SCA and secure communication, which specifies the requirements for factor independence, dynamic linking, encryption, delivery reliability, and the conditions under which exemptions may be applied.
As illustrated in a typical SCA-compliant authentication flow, a user initiates a payment or account access request. The payment service provider requires the user to verify their identity using two independent factors drawn from different categories. For a payment transaction, the authentication must also incorporate dynamic linking, meaning the authentication code generated must be mathematically linked to the specific transaction amount and payee. Once both factors are verified and the dynamic link is confirmed, the transaction is authorised and the full interaction is logged for audit purposes.
Key Takeaways:
- Strong Customer Authentication (SCA) is a mandatory security requirement under PSD2 that requires payment service providers to authenticate users using at least two independent factors from the categories of knowledge, possession, and inherence;
- The SCA Regulatory Technical Standard (RTS), issued by the European Banking Authority (EBA), defines the technical and operational requirements that payment service providers must meet when implementing SCA, including rules on dynamic linking, secure communication, and permitted exemptions;
- SCA applies to electronic payment transactions and access to payment accounts within the European Economic Area (EEA), with defined exemptions for low-value transactions, trusted beneficiaries, recurring payments, and transactions assessed as low risk through Transaction Risk Analysis (TRA).
The Core Components of Strong Customer Authentication
Two-factor authentication and the three factor categories: SCA requires authentication using at least two independent factors from the following categories. Knowledge covers something only the user knows, such as a password or PIN. Possession covers something only the user has, such as a registered mobile device, a hardware token, or a smart card. Inherence covers something the user is, such as a fingerprint, facial recognition, or voice pattern. The two factors used must be independent, meaning that the compromise of one factor must not undermine the reliability of the other. A combination drawn from two different categories is required; two factors from the same category do not satisfy the independence requirement.
Dynamic linking: For the authentication of payment transactions, the SCA RTS requires dynamic linking. This means that the authentication code generated during the process must be uniquely and mathematically linked to both the transaction amount and the payee. The user must be shown the transaction details clearly before confirming, and any alteration to the amount or payee after authentication has been completed must invalidate the authentication code. Dynamic linking prevents authentication codes from being intercepted and reused to authorise a different transaction, and ensures the user has explicitly consented to the specific payment being initiated.
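As an added illustration (not code from this page, the EBA or any provider), here is one way a dynamically linked authentication code can be computed and verified: an HMAC over the transaction identifier, amount and payee under a key held by the user's registered device, truncated to eight digits for display. The key, the field layout and the eight-digit truncation are assumptions of this example.

```python
import hashlib
import hmac

# Constructed sample key standing in for a secret held by the user's registered
# device (the possession factor); in production it lives in a secure element or
# HSM and is provisioned per device, never shared across users.
DEVICE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")


def canonical_transaction(tx_id: str, amount_cents: int, currency: str, payee: str) -> bytes:
    """Serialise the fields the code is linked to with an unambiguous delimiter.
    The amount is in minor units so that '49.99' and '49.990' cannot yield
    two different encodings of the same payment."""
    for field in (tx_id, currency, payee):
        if "|" in field:
            raise ValueError("delimiter character not allowed in transaction fields")
    return f"{tx_id}|{amount_cents}|{currency}|{payee}".encode("utf-8")


def generate_auth_code(tx_id: str, amount_cents: int, currency: str, payee: str,
                       key: bytes = DEVICE_KEY) -> str:
    """Authentication code dynamically linked to amount and payee.

    The device computes this over the details it displayed to the user, then
    truncates the MAC to eight decimal digits (HOTP-style dynamic truncation)
    so the code can be read from a screen or typed into another channel."""
    mac = hmac.new(key, canonical_transaction(tx_id, amount_cents, currency, payee),
                   hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    truncated = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{truncated % 10**8:08d}"


def verify_auth_code(code: str, tx_id: str, amount_cents: int, currency: str,
                     payee: str, key: bytes = DEVICE_KEY) -> bool:
    """Server-side check: recompute the code over the transaction the provider is
    about to execute. If the amount or payee differs from what the user saw,
    the recomputed code will not match and the authorisation is rejected."""
    expected = generate_auth_code(tx_id, amount_cents, currency, payee, key)
    return hmac.compare_digest(expected, code)
```

The server must verify against the transaction record it intends to execute, not against values re-submitted by the client, so that any change to amount or payee after the user confirmed is caught.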
Secure communication: The SCA RTS requires that all communication between the user, the payment service provider, and any third-party providers involved in the authentication process is conducted through encrypted, tamper-resistant channels. Authentication data, transaction details, and session information must be protected against interception, modification, and replay attacks throughout transmission. The cryptographic standards used must meet the requirements specified in the EBA RTS.
Transaction Risk Analysis (TRA): The SCA RTS permits payment service providers to apply Transaction Risk Analysis as a basis for exempting certain transactions from the full SCA requirement. TRA involves assessing each transaction against fraud rate benchmarks and risk indicators to determine whether it presents a low risk of fraud. Where a transaction meets the defined thresholds, the provider may process it without applying SCA. TRA exemptions are subject to strict conditions, including the requirement that the provider’s fraud rates remain within the EBA-defined limits for the relevant transaction value band. If fraud rates exceed those limits, the exemption is suspended until compliance is restored.
SCA exemptions: In addition to TRA, the SCA RTS defines several other categories of transaction that are exempt from the full SCA requirement. These include contactless payments below defined value thresholds, low-value remote transactions below 30 euros, payments to trusted beneficiaries that the account holder has previously whitelisted, recurring transactions of the same amount to the same payee where SCA was applied at the time the series was established, and transactions initiated by the payer through specific unattended terminals for transport or parking. Each exemption is subject to defined conditions and cumulative value or frequency limits.
FAQ:
Does SCA apply to business payment accounts?
- SCA requirements under PSD2 apply to payment accounts accessible online, including those held by businesses. However, the SCA RTS includes a dedicated exemption for corporate payments where the payer is not a consumer and the payment service provider has assessed and documented that equivalent security procedures are in place. Payment service providers serving business customers should assess whether the corporate payment exemption applies to their specific use case and confirm this with their national competent authority.
What is the difference between SCA and 3D Secure?
- 3D Secure (3DS) is a technical protocol used in card payment authentication, developed by the card networks, that provides a mechanism for applying SCA to online card transactions. SCA is the regulatory requirement; 3D Secure version 2 (3DS2) is one of the primary technical implementations used to meet that requirement for card-based payments. 3DS2 supports dynamic linking and risk-based authentication, making it compatible with SCA RTS requirements in a way that the original 3DS protocol was not. Payment service providers processing card transactions typically use 3DS2 as their primary SCA mechanism for online card payments.
The introduction of Strong Customer Authentication is undoubtedly a monumental step in promoting secure online banking. Balancing robust security measures with user experience, it paves the way for a future where customers can transact online with confidence. By complying with the SCA RTS, payment service providers adhere to PSD2 requirements, thus safeguarding the interests of their customers while ensuring a seamless user experience. Wish to learn how Baseella ensures compliance with SCA? Reach out to us to discover the best approach to implementing SCA within your PayTech and how we can assist you.