What is Strong Customer Authentication (SCA) under PSD2?

Q: What is Strong Customer Authentication (SCA) under PSD2?

Strong Customer Authentication (SCA) is a requirement under PSD2 that mandates multi-factor authentication (MFA) for online transactions to enhance security and prevent fraud. SCA requires authentication using at least two of three factors: knowledge (e.g., passwords), possession (e.g., mobile device), or inherence (e.g., biometrics). Some transactions, like low-risk payments, may be exempt. Passkeys offer a phishing-resistant alternative to traditional methods, aligning with SCA's goal of securing digital banking.

What is Strong Customer Authentication (SCA) under PSD2?#

Strong Customer Authentication (SCA) is a security requirement introduced by PSD2 (Revised Payment Services Directive) to
enhance the security of online payments and reduce fraud. SCA
mandates that financial institutions and payment service
providers implement multi-factor authentication (MFA) for electronic transactions, ensuring that only legitimate users can access accounts and approve
payments.

SCA Requirements#

To comply with SCA, authentication must involve at least two of the following three
factors:

Knowledge – Something the user knows (e.g., a password or PIN).
Possession – Something the user has (e.g., a smartphone, hardware token, or
smart card).
Inherence – Something the user is (e.g., biometrics like fingerprints or facial
recognition).

How SCA Works in Online Payments#

SCA applies to most electronic payments within the European Economic Area (EEA). For
example:

A customer logging into an online banking account may need to
provide both a password (knowledge) and confirm the login via a mobile push
notification (possession).
A user making an online payment may be required to authenticate
using biometrics (inherence) and approve the payment
through their banking app (possession).

Exemptions to SCA#

Certain transactions may be exempt from SCA, such as:

Low-value transactions (below €30).
Recurring payments (e.g., subscriptions).
Transactions deemed low-risk based on fraud analysis.

SCA and Passkeys#

Traditional authentication methods like passwords and SMS OTPs are still widely used but
are vulnerable to phishing attacks. Passkeys, based on WebAuthn and
FIDO2, offer a phishing-resistant alternative by leveraging
cryptographic authentication and device-bound credentials. Banks and fintech companies
implementing passkeys can meet SCA requirements while improving both security and user
experience.

Passkeys enable strong authentication PSD2 compliance by leveraging cryptographic key pairs and device-bound credentials for seamless, phishing-resistant logins.

By enforcing Strong Customer Authentication (SCA), PSD2 enhances transaction
security, reducing fraud risks and increasing trust in digital banking and online
payments.

What is Strong Customer Authentication (SCA) under PSD2?

Buy vs. Build Guide

What is Strong Customer Authentication (SCA) under PSD2?#

SCA Requirements#

How SCA Works in Online Payments#

Exemptions to SCA#

SCA and Passkeys#

Read the full article#

Related FAQs

Why are MFA fallbacks important during passkey transition?

What are long-term benefits: passkeys vs traditional MFA?

Related Terms

Authenticator App

MFA (Multi-Factor Authentication)

Analysis of PSD2 & SCA Requirements (SCA & Passkeys II)

PSD2 Passkeys: Phishing-Resistant PSD2-Compliant MFA

PSD3 / PSR Implications for Passkeys (SCA & Passkeys IV)