What is Strong Customer Authentication (SCA) under PSD2?
Vincent
Created: January 31, 2025
Updated: April 30, 2025
Read the full article
Are passkeys the best form of phishing-resistant MFA that is compliant with PSD2 and SCA requirements? This blog post answers all the questions.
Read the full articleRead by 5,000+ security leaders.
What is Strong Customer Authentication (SCA) under PSD2?#
Strong Customer Authentication (SCA) is
a security requirement introduced by PSD2 (Revised Payment Services Directive) to
enhance the security of online payments and reduce fraud. SCA
mandates that financial institutions and payment service
providers implement multi-factor authentication (MFA) for electronic transactions,
ensuring that only legitimate users can access accounts and approve
payments.
SCA Requirements#
To comply with SCA, authentication must involve at least two of the following three
factors:
- Knowledge – Something the user knows (e.g., a password or PIN).
- Possession – Something the user has (e.g., a smartphone, hardware token, or
smart card). - Inherence – Something the user is (e.g., biometrics like fingerprints or facial
recognition).
How SCA Works in Online Payments#
SCA applies to most electronic payments within the European Economic Area (EEA). For
example:
- A customer logging into an online banking account may need to
provide both a password (knowledge) and confirm the login via a mobile push
notification (possession). - A user making an online payment may be required to
authenticate
using biometrics (inherence) and approve the payment
through their banking app (possession).
Exemptions to SCA#
Certain transactions may be exempt from SCA, such as:
- Low-value transactions (below €30).
- Recurring payments (e.g., subscriptions).
- Transactions deemed low-risk based on fraud analysis.
SCA and Passkeys#
Traditional authentication methods like passwords and SMS OTPs are still widely used but
are vulnerable to phishing attacks. Passkeys, based on WebAuthn and
FIDO2, offer a phishing-resistant alternative by leveraging
cryptographic authentication and device-bound credentials. Banks and fintech companies
implementing passkeys can meet SCA requirements while improving both security and user
experience.
Passkeys enable strong authentication PSD2 compliance by leveraging cryptographic key pairs and device-bound credentials for seamless, phishing-resistant logins.
By enforcing Strong Customer Authentication (SCA), PSD2 enhances transaction
security, reducing fraud risks and increasing trust in digital banking and online
payments.
Read the full article#
Read the full article
Are passkeys the best form of phishing-resistant MFA that is compliant with PSD2 and SCA requirements? This blog post answers all the questions.
Read the full articleRead by 5,000+ security leaders.
Enjoyed this read?
🤝 Join our Passkeys Community
Share passkeys implementation tips and get support to free the world from passwords.
🚀 Subscribe to Substack
Get the latest news, strategies, and insights about passkeys sent straight to your inbox.
Share this article
