---
url: 'https://www.corbado.com/faq/sca-psd2-importance'
title: 'What is SCA and why is it essential under PSD2?'
description: 'Strong Customer Authentication (SCA) is a PSD2 requirement that enhances security by enforcing multi-factor authentication for online payments.'
lang: 'en'
keywords: 'Strong Customer Authentication'
---

# What is SCA and why is it essential under PSD2?

## What Is Strong Customer Authentication (SCA) and Why Is It Essential Under PSD2?

### What Is SCA?

**Strong Customer Authentication (SCA)** is a **European regulatory requirement**
introduced under the **Revised Payment Services Directive (PSD2)**. It mandates the use of
**multi-factor authentication (MFA)** for electronic [payments](https://www.corbado.com/passkeys-for-payment) to
**enhance security and reduce fraud**.

### Why Is SCA Required Under PSD2?

[PSD2](https://www.corbado.com/blog/psd2-passkeys) was designed to create a **more secure and competitive**
digital [payment](https://www.corbado.com/passkeys-for-payment) ecosystem within the EU. **SCA is essential
because:**

- **It prevents unauthorized transactions** by requiring at least two authentication
  factors.
- **It reduces fraud risks**, particularly for **card-not-present transactions**.
- **It increases consumer trust** in digital [banking](https://www.corbado.com/passkeys-for-banking) and
  [payment](https://www.corbado.com/passkeys-for-payment) services.

### How Does SCA Work?

SCA requires authentication using **at least two of the following three factors**:

1. **Something You Know** (e.g., password, PIN)
2. **Something You Have** (e.g., smartphone, [security key](https://www.corbado.com/glossary/security-key))
3. **Something You Are** (e.g., fingerprint, facial recognition)

This means **a one-time password (OTP) sent via SMS is not sufficient** on its own; it
must be combined with another factor.

### When Is SCA Required?

- **Online payments** (e.g., [e-commerce](https://www.corbado.com/passkeys-for-e-commerce) transactions, bank
  transfers)
- **Accessing a bank account online**
- **Performing actions that could be high-risk** (e.g., adding a new payee)

### Are There Any Exemptions?

Yes, certain low-risk transactions may be exempt, such as:

- **Recurring payments** (e.g., subscriptions)
- **Low-value transactions** (typically under €30)
- **Trusted beneficiaries** (pre-approved by the user)

### What Role Do Passkeys Play in SCA?

Passkeys, based on **WebAuthn and FIDO2**, are an **ideal SCA-compliant authentication
method** because:

- They provide **phishing-resistant authentication**.
- They eliminate the **risks of stolen passwords and OTP interception**.
- They enable **seamless multi-factor authentication** by combining **biometric
  authentication** (something you are) with **device-based security** (something you
  have).
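
The two-of-three rule from "How Does SCA Work?" and the passkey mapping above, as an added example (not code from Corbado or the original page): a server-side check that counts distinct factor categories and reads the WebAuthn `authenticatorData` flags to decide how many categories a passkey assertion covers. It assumes the assertion signature was already verified; the factor-type labels, function names and the treatment of the UV flag as a second category are assumptions of this example.

```javascript
// Added example, not Corbado's code. The factor-to-category mapping is an
// assumption based on the page's three-factor list; type names are hypothetical.
const CATEGORY = {
  password: "knowledge", pin: "knowledge",
  sms_otp: "possession", security_key: "possession",
  fingerprint: "inherence", face: "inherence",
};

// WebAuthn authenticatorData layout: rpIdHash (32 bytes), flags (1), signCount (4).
const FLAG_UP = 0x01; // user present: the authenticator was actively used
const FLAG_UV = 0x04; // user verified: biometric or device PIN checked locally

// Categories proven by one passkey assertion whose signature was already verified.
function passkeyCategories(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new Error("authenticatorData must be at least 37 bytes");
  }
  const flags = authData[32];
  const cats = new Set();
  if (flags & FLAG_UP) {
    cats.add("possession");
    // UV does not reveal biometric vs. PIN; either one is distinct from possession.
    if (flags & FLAG_UV) cats.add("inherence-or-knowledge");
  }
  return cats;
}

// True when the evidence covers at least two distinct categories.
function satisfiesSca(evidence) {
  const cats = new Set();
  for (const e of evidence) {
    if (e.type === "passkey") {
      passkeyCategories(e.authData).forEach((c) => cats.add(c));
    } else if (Object.prototype.hasOwnProperty.call(CATEGORY, e.type)) {
      cats.add(CATEGORY[e.type]);
    } else {
      throw new Error("unknown factor type: " + e.type);
    }
  }
  return cats.size >= 2;
}

// Constructed sample: zeroed rpIdHash and counter, only the flags byte is set.
function sampleAuthData(flags) {
  const d = new Uint8Array(37);
  d[32] = flags;
  return d;
}
```

A password plus a PIN fails this check because both are knowledge factors, and a passkey assertion without the UV flag counts as possession only.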

## Conclusion

SCA is a **critical PSD2 security requirement** that **protects online transactions**,
reduces fraud, and enhances consumer trust. Passkeys offer a **compliant, secure, and
user-friendly** alternative to traditional authentication methods, aligning with SCA’s
security objectives.

