What is Strong Customer Authentication?

Strong Customer Authentication (SCA) is a requirement under PSD2 that electronic payments be authenticated with at least two independent factors drawn from different categories: something the customer knows, something they have, or something they are.

What Is Strong Customer Authentication?

Strong Customer Authentication, commonly known as SCA, is a security requirement introduced under the European Union's revised Payment Services Directive (PSD2); the detailed rules are set out in the Regulatory Technical Standards (Commission Delegated Regulation (EU) 2018/389), which have applied since September 2019. SCA requires that electronic payments are verified using at least two independent authentication factors, making it significantly harder for criminals to make fraudulent transactions using stolen card details.

In practical terms, SCA means that when a customer makes a payment, they need to prove their identity using two out of three possible categories of evidence. Gone are the days when a card number and expiry date alone were enough to complete a transaction online or over the phone.

The Three Authentication Factors

SCA requires two of the following three categories:

  • Something the customer knows: A password, PIN, or security question answer. This is the most traditional form of authentication
  • Something the customer has: A mobile phone, a physical token, a smart card, or another device. Verification typically comes through a one-time code sent to the device or generated by an authentication app
  • Something the customer is: A biometric identifier such as a fingerprint, facial recognition, or voice recognition

The two factors must come from different categories. Using two passwords, for example, would not satisfy the requirement because both fall under "something you know." The factors must also be independent: compromising one must not compromise the other, so that even if a password is stolen the attacker still cannot complete the transaction without the second factor. For remote payments the RTS additionally requires dynamic linking: the authentication code must be specific to the amount and payee shown to the customer, so a code obtained for one transaction cannot be replayed for another.

When SCA Applies

SCA applies to electronic payments initiated by the payer where both the payer's and the payee's payment service providers are in the European Economic Area (the UK retained the same requirement after Brexit under FCA rules). This includes online card payments, bank transfers, and many types of contactless payments. However, there are several important exemptions, defined in the RTS:

  • Low-value transactions: Remote payments of 30 euros or less may be exempt, provided the cumulative amount since the customer last completed SCA does not exceed 100 euros or the number of consecutive exempt transactions does not exceed five (for contactless payments at a terminal the limits are 50 euros per transaction and 150 euros or five transactions cumulatively)
  • Recurring payments: After the first payment in a subscription or recurring series is authenticated, subsequent payments of the same amount to the same payee may be exempt; a series whose amount varies is instead treated as merchant-initiated
  • Trusted beneficiaries: Customers can add merchants to a "trusted" list held by their bank, exempting future payments to that merchant from SCA; adding a merchant to the list itself requires SCA
  • Transaction risk analysis: Payment providers whose fraud rates stay below the reference thresholds can skip SCA for individual transactions that real-time risk assessment scores as low risk, up to an amount ceiling (100, 250 or 500 euros) that depends on how low their fraud rate is
  • Merchant-initiated transactions: Payments initiated by the merchant under an existing mandate (such as utility bill collections) rather than by the customer are out of scope of SCA, although the customer's agreement to the mandate should itself be authenticated with SCA
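The exemptions above are applied by the payer's bank in a fixed order of precedence and several of them depend on state the bank must keep per customer (what has happened since the last SCA). The following is an added illustrative example of that decision logic, written for this page and not code from Paytia or any payment provider: the amount thresholds are those of RTS Articles 13, 14, 16 and 18, while the data model, the function names and the ordering of checks are this example's own assumptions. The low-value counters are tracked here as "low-value payments exempted since the last SCA", which is a simplification of the RTS wording.

```python
"""Illustrative SCA exemption engine for PSD2 RTS (Regulation (EU) 2018/389).
Thresholds follow the RTS; the data model and API are assumptions for this
example, not any provider's real interface."""
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Optional

# Art. 16: remote low-value exemption
LOW_VALUE_LIMIT = Decimal("30")
LOW_VALUE_CUMULATIVE = Decimal("100")
LOW_VALUE_MAX_COUNT = 5
# Art. 18: amount ceiling a provider may use, keyed by its maximum fraud rate (basis points)
TRA_CEILINGS = ((13, Decimal("100")), (6, Decimal("250")), (1, Decimal("500")))


@dataclass
class Payment:
    amount: Decimal
    payee: str
    channel: str = "remote"          # "remote" (e-commerce) or "moto" (assumed labels)
    payer_initiated: bool = True     # False for merchant-initiated collections
    series_id: Optional[str] = None  # fixed-amount recurring mandate, if any
    low_risk: bool = False           # verdict of real-time risk scoring (assumed input)


@dataclass
class PayerState:
    """Per-payer state the issuing bank must keep to apply the exemptions correctly."""
    trusted_payees: set = field(default_factory=set)  # Art. 13 list, populated under SCA
    series: dict = field(default_factory=dict)        # series_id -> (payee, amount) seen under SCA
    low_value_sum: Decimal = Decimal("0")             # cumulative low-value amount since last SCA
    low_value_count: int = 0                          # low-value exemptions since last SCA


def tra_ceiling(fraud_rate_bps: float) -> Decimal:
    """Largest Art. 18 amount ceiling the provider's fraud rate permits (0 if none)."""
    ceiling = Decimal("0")
    for max_bps, amount in TRA_CEILINGS:
        if fraud_rate_bps <= max_bps:
            ceiling = amount
    return ceiling


def decide(p: Payment, state: PayerState, fraud_rate_bps: float) -> str:
    """Return 'out_of_scope', 'exempt:<reason>' or 'sca_required', updating counters."""
    # MOTO and merchant-initiated transactions are not payer-initiated electronic payments
    if p.channel == "moto" or not p.payer_initiated:
        return "out_of_scope"

    # Art. 14: recurring series with the same payee and amount whose first payment passed SCA
    if p.series_id is not None and state.series.get(p.series_id) == (p.payee, p.amount):
        return "exempt:recurring"

    # Art. 13: payee is on the list the customer built with their bank under SCA
    if p.payee in state.trusted_payees:
        return "exempt:trusted_beneficiary"

    # Art. 16: at most EUR 30, and either the cumulative amount or the count since
    # the last SCA is still within limit (the RTS joins the two conditions with "or")
    if p.amount <= LOW_VALUE_LIMIT and (
        state.low_value_sum + p.amount <= LOW_VALUE_CUMULATIVE
        or state.low_value_count + 1 <= LOW_VALUE_MAX_COUNT
    ):
        state.low_value_sum += p.amount
        state.low_value_count += 1
        return "exempt:low_value"

    # Art. 18: transaction risk analysis, gated by the provider's own fraud rate
    if p.low_risk and p.amount <= tra_ceiling(fraud_rate_bps):
        return "exempt:tra"

    return "sca_required"


def record_sca(p: Payment, state: PayerState) -> None:
    """Call once the customer has passed SCA for p: the low-value counters reset and
    a recurring series, if p starts one, becomes eligible for the Art. 14 exemption."""
    state.low_value_sum = Decimal("0")
    state.low_value_count = 0
    if p.series_id is not None:
        state.series[p.series_id] = (p.payee, p.amount)


if __name__ == "__main__":
    # Constructed walk-through: six EUR 25 payments, then a subscription
    state = PayerState()
    for _ in range(6):
        print(decide(Payment(Decimal("25"), "shop"), state, fraud_rate_bps=5.0))
    sub = Payment(Decimal("9.99"), "streaming", series_id="sub-1")
    record_sca(sub, state)  # first payment of the series goes through SCA
    print(decide(sub, state, fraud_rate_bps=5.0))
```

Note that a TRA or low-value exemption does not reset the counters; only a completed SCA does, which is why `record_sca` is a separate step that the authentication flow must call. Whoever applies the Article 18 exemption also carries the fraud liability for that transaction, so in practice the issuer decides even when the acquirer requests it.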

Why SCA Matters for Businesses

SCA has significant implications for any business that accepts electronic payments from European customers. The most immediate impact is on the checkout experience. Adding an extra authentication step to the payment process introduces friction, and friction can lead to abandoned transactions.

Businesses need to implement SCA in a way that satisfies the regulatory requirement without driving customers away. This means working with payment providers who support modern authentication methods like 3D Secure 2 (3DS2), which is designed to provide a smoother, less intrusive authentication experience than older methods.

Non-compliance with SCA is not just a regulatory risk -- transactions that should be authenticated but are not will be "soft declined" by the customer's bank with a response asking the merchant to retry with authentication, and any such transaction that is not retried is lost revenue.

SCA and Telephone Payments

Telephone payments present interesting challenges for SCA. A traditional phone payment -- where the customer reads their card details to an agent -- is difficult to authenticate using two factors because the only channel available is the voice call itself.

Under PSD2, mail order and telephone order (MOTO) transactions are not exempt but out of scope: the EBA does not treat them as electronic payment transactions, and the SCA requirement only applies to those. However, the exact classification of a phone payment can depend on how the transaction is processed and on whether the customer or the merchant initiates it, and a payment captured through a web form that the customer completes on their own device during the call may be processed as an e-commerce transaction and fall within scope.

Despite MOTO being out of scope, many businesses are looking to add authentication to phone payments as a fraud prevention measure. Modern telephone payment solutions can integrate with 3DS2 authentication by sending the customer a link via SMS or email during the call, allowing them to complete the authentication with their own bank on their phone while the agent remains on the line. Because the challenge is completed on the customer's device, the one-time code or biometric never passes through the agent or the call recording.

This approach combines the convenience of agent-assisted telephone payments with the security of SCA, reducing fraud without requiring the customer to hang up and complete the payment through a different channel.

Practical Considerations

  • Work with your payment provider to understand which of your transactions require SCA and which are exempt
  • Implement 3DS2 for online payments -- it provides a better customer experience than older 3D Secure versions, supports a wider range of authentication methods, and carries the data that exemption requests and risk-based (frictionless) authentication rely on
  • Monitor your transaction decline rates after implementing SCA. A spike in declines may indicate that your authentication flow needs adjustment, for example that soft declines are not being retried with authentication
  • For telephone payments, understand how your processor classifies the transaction. MOTO transactions are out of scope in most cases, but the rules can be nuanced
  • Consider how SCA interacts with your fraud prevention strategy. The exemptions based on transaction risk analysis can reduce friction for low-risk payments, but they require your payment provider to keep its fraud rate below the reference thresholds, and the party that applies the exemption takes on the fraud liability

How Paytia Uses This

Paytia's PCI DSS Level 1 certified platform incorporates strong customer authentication as part of its comprehensive security approach. By capturing card details through DTMF suppression (the customer keys the digits on their phone and the tones are masked), Paytia keeps card data out of the agent's hearing, the agent desktop and the call recording.

Frequently Asked Questions

What is strong customer authentication?

Strong Customer Authentication (SCA) is a requirement under PSD2 that electronic payments be authenticated with at least two independent factors drawn from different categories: something the customer knows, something they have, or something they are.

Why is strong customer authentication important for PCI DSS?

SCA is not a PCI DSS requirement; it comes from PSD2 and authenticates the paying customer. PCI DSS addresses the other side of the transaction: it requires multi-factor authentication for all access into the cardholder data environment (Requirement 8 in PCI DSS v4.0) and strict controls over how card data is stored, processed and transmitted. The two are complementary -- SCA limits fraud with stolen card details, while PCI DSS limits the chance of the details being stolen from a merchant or provider in the first place.

How does Paytia handle strong customer authentication?

Paytia supports strong customer authentication for phone payments on a PCI DSS Level 1 certified infrastructure, so the customer can be authenticated while the card data itself stays out of the agent environment.

See how Paytia handles strong customer authentication (SCA)

Book a personalised demo and we'll show you how our platform works with your setup.

PCI DSS Level 1
Cyber Essentials Plus

Trusted by law firms, insurers, healthcare providers and regulated businesses worldwide. Learn more about Paytia