Why Strong Customer Authentication is important?

Strong Customer Authentication (SCA) becomes a hot topic every time there is a deadline for its implementation. Since the arrival of 1st January 2021 means it should indeed come to life in most of the European Economic Area (EEA) countries, we think it’s the right moment to summarize all the information about it.

From our text, you’ll learn what it is and why you should or shouldn’t be concerned about it.

Pragmatic spoiler: we think you should.

Why is SCA important?

SCA will influence all people who use digital banking or spend money on-line. We are sure you are in both of those groups. So, as a customer, you will notice something has changed, you may find it strange or inconvenient, but that’s it.

But if you are an online business owner, your situation is entirely different. You have to be ready for Strong Customer Authentication. Even if you decide not to do anything, we believe you have to at least be aware of what’s happening. So the right question is:

What’s happening?

From the beginning of 2021, every payer-initiated transaction when both the card issuer and payer are within the EEA needs to undergo SCA. We will tell you more about what an SCA is and how to approach it in the next chapter. For now, we want you to learn that the technicalities are going to be tackled by your payment provider. What you have to keep in mind is the additional friction that’s going to be added to the buying process.

When the solution very similar to the SCA was implemented in India, it caused a 25% drop in online transactions. Of course, the situation in 2021 is very different since 2020 moved many activities to the virtual world. Still, being extra cautious and proactive can’t hurt your business.

What is SCA?

Strong Customer Authentication was introduced by the Revised Payment Services Directive (PSD2) as a part of a package preparing Europe for open banking. The idea of opening the banking industry for new players was revolutionary, so it needed some additional legal acts to protect customers’ rights.

GDPR to protect data

One of those acts is General Data Protection Regulation (GDPR). It was created to protect customers’ data in a digital world. GDPR made legal obligations for companies to treat their users’ data with care and provide extra security. This meant that digital companies could no longer trade with their users’ data, or at least they need to ask permission. And what GDPR is for data, SCA is for money.

SCA to protect money

Open banking means there may be many non-banks providing banking-like services. Customers’ valuable data were already protected with GDPR; there was a need to minimize the risk of fraudulent activities. Moreover, the need was burning since on-line fraud constitutes 73% of fraud in Europe, and this number is steadily rising. This is where the idea for Strong Customer Authentication came from. And, in fact, SCA is just a multifactor authentication with a set of rather strict rules of what can be used as a method. The next chapter will examine those rules in detail.


Strong Customer Authentication = strict multifactor authentication

When you first heard the term Strong Customer Authentication, and especially when accompanied by the terms like PSD2 and European regulation, you probably thought that the EU had invented some supercomplex procedure that needs like 500 pages of documentation to be implemented. Fortunately, the reality is much simpler. SCA is just a rigorous multifactor authentication. What is multifactor authentication, then?

Multi-factor authentication (MFA) is an authentication method (you would’ve never guessed that, right?) that uses at least two ways of verification before it confirms a person’s identity. If you need to first enter your password and then confirm it’s you with a code sent via text message – that’s an MFA.

SCA is indeed an MFA, but the methods of authentication are strictly defined. Here is what the PSD2 says about it:

…an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data…

Let’s have a look at what can constitute each of those three elements under the PSD2.

Knowledge – something only the user knows

This factor is maybe the most straightforward out of the three. Something a user knows may be a password, a code, a PIN number, or an answer to the security question. Below you can find a table illustrating what can be considered a knowledge element under SCA according to the European Banking Authority opinion.

ElementCompliant with SCA?
Password👍 Yes
PIN👍 Yes
Passphrase👍 Yes
Memorized swiping path👍 Yes
Knowledge-based challenge questions👍 Yes
Email address or user name👎 No
Card details (printed on the card)👎 No
OTP generated by, or received on, a device (hardware or software token generator, SMS OTP)👎 No
Printed matrix card or OTP list👎 No

Of course, the list is non-exhaustive, which means it doesn’t include all the possibilities. What can be understood from this list, however, is that the knowledge element is something that cannot be checked in the outside sources. It is very symptomatic that the one-time password (OTP) printed on the OTP card is not a knowledge element. One can easily think of a scenario where such a card is stolen from its owner. A memorized password or a PIN code only exists in its owner’s mind, thus cannot be stolen.


Possession – something only the user possesses

The concept of possession is a bit more complicated than the one of knowledge. Why? Because under the requirement of possession, having something is not enough. The user has to be able to verify their access to the item in real-time. This is why the OTP list cannot be counted as a possession element. Just the same as we did for the knowledge element, we prepared a table illustrating what can be considered a possession element under SCA according to the European Banking Authority opinion.


ElementCompliant with SCA?
Possession of a device evidenced by an OTP👍 Yes
Possession of a device evidenced by a signature generated by a device (hardware or software token)👍 Yes
Card or device evidenced through a QR code (or photo TAN) scanned from an external device👍 Yes
App or browser with possession evidenced by device binding — such as through a security chip embedded into a device or private key linking an app to a device, or the registration of the web browser linking a browser to a device👍 Yes
Card evidenced by a card reader👍 Yes
Card with possession evidenced by a dynamic card security code👍 Yes
App installed on the device👎 No
Card with possession evidenced by card details (printed on the card)👎 No
OTP generated by, or received on, a device (hardware or software token generator, SMS OTP)👎 No
Card with possession evidenced by a printed element (such as an OTP list)👎 No


Inherence – something the user is

Not long ago, the inherence element belonged to science fiction. Thanks to technological advancement, we can now authorize transactions with fingerprint scans or heart rate. We think that this method of authorization will steadily gain popularity as it is both secure and convenient. As with the previous two elements, we present the non-exhaustive list of what can be seen as an inherence element according to the European Banking Authority opinion.


ElementCompliant with SCA?
Fingerprint scanning👍 Yes
Voice recognition👍 Yes
Vein recognition👍 Yes
Hand and face geometry👍 Yes
Retina and iris scanning👍 Yes
Keystroke dynamics👍 Yes
Heart rate or other body movement pattern identifying that the PSU is the PSU (e.g. for wearable devices)👍 Yes
The angle at which the device is held👍 Yes
Information transmitted using a communication protocol, such as EMV® 3-D Secure👎 No
Memorized swiping path👎 No


Wild west

When SCA doesn’t apply – exemptions

Does SCA apply to every single on-line transaction within the EU? In fact, it doesn’t. EBA (European Banking Authority), together with payment providers, agreed on the list of exemptions to this requirement. It is worth knowing that sellers cannot apply for the exemption themselves. Instead, they need to ask the payment provider to apply on their behalf. Also, the final decision on whether or not to apply SCA to a particular transaction belongs to the cardholder’s bank.

Let’s examine the exemptions one by one.


It is reasonable that small transactions don’t need as much protection as big ones. Under PSD2, the limit of transaction that doesn’t require SCA is 30 euro. However, there is one extra layer of security. Additional authentication can be required when the combined purchase value exceeds 100 euro or every sixth payment.


Another situation that is considered relatively safe is an ongoing subscription on the same amount. This is excellent news for all SaaS providers and other businesses that rely on a fixed recurring payment.

Trusted Seller

Negotiations with banking institutions brought another exemption to the SCA requirements. It gives the customer an option to add an on-line seller to the whitelist of trusted providers. This means that transactions made on their website won’t have to undergo SCA.

Low-Risk Transactions

This exemption relies heavily on the payment provider. But first of all, it can only apply to transactions smaller than 500 euro. Payments that exceed this amount are always considered risky. Under this exemption, payment providers can use real-time risk assessment algorithms to skip SCA on certain transactions. The ability to do this relies on the payment provider’s record, so it’s good to make an informed decision when considering one for your business.

3-D Secure 2.0 – how does it relate to SCA?

When writing about SCA, it is a must to mention 3-D Secure 2.0. But before we start talking about 3DS2 (sounds like a robot name from Star Wars, doesn’t it?), let’s learn something about 3DS1.

3DS1 is an additional security layer for online card payments. The most recognizable are Verified by Visa, Mastercard SecureCode, and American Express SafeKey. It was first introduced back in 1999 and was hated since then. Why? Because it was “ridiculously non-user-friendly.” At the end of the XX century, online payments were nothing like what we are used to today. No surprise, the standard from that era was not suitable anymore. Yet, with the introduction of PSD2 and SCA in Europe, big players have to come up with something. And this is how 3DS2 was born.

3DS1 relied on a password. 3DS2 is fully SCA compliant which means it makes use of inherence, possession, and knowledge. It supports face recognition, thumb scanning, etc. It’s also fully mobile-friendly.

Comparing to 3DS1, 3DS2 is a huge step forward, and it’s a reliable option to consider when you need to implement an SCA for your transactions.


The internet had brought the world to a new era. 2020 had accelerated the changes we’ve been observing for a while. With lockdowns and social distancing, the internet became the first choice for shopping, even for those who’d been wary of such activities before. We tend to believe that once you try online shopping, you are not likely to give up on it. But the surge in online shopping and other online transactions had been a great opportunity not only for business but also for frauds.

The beginning of 2021 was the final deadline for implementing SCA – a mechanism that was designed to protect online transactions. Some players were afraid that its introduction is going to bring a decline in online transactions due to the extra effort necessary to complete the payment. Luckily, those forecasts were far from real. Be it the increased demand or merchants being well prepared for the upcoming changes; it appears that the SCA did only what it was designed for – protect customers’ money.