Strong Customer Authentication (SCA) is a new requirement for authenticating online payments that was introduced in Europe as part of the second Payment Services Directive (PSD2).
As a result, most card payments and all bank transfers require SCA (unless out of scope or an exemption can be applied).
SCA requires authentication to use at least two of the following three elements:
- Knowledge: something the customer knows (e.g password, PIN)
- Possession: something the customer has (e.g. phone, hardware token, wearable, OTP via SMS)
- Inherence: something the customer is (e.g. fingerprint, face recognition, voice)
The actual authentication methods, flow and logic depend on the solution implemented by customer bank (e.g issuer bank for card payments).
Although the PSD2 regulation was introduced on 14 September 2019, the European Banking Authority (EBA) has given a new deadline as all stakeholders in the market were not ready for the switch. There is a soft enforcement period announced to ensure the delivery of the requirements and we expect these requirements to be fully enforced by regulators by 31 December 2020.
Note: With regard to card payments the requirement for SCA is achieved by using 3DS authentication protocol, however it is not tight to 3DS version (3DS v1 versus EMV 3DS/ 3DS v2) as such. While 3DS v2 is expected to introduce a better user experience it does not necessarily mean that 3DS v2 is the equivalent of SCA and 3DS v1 is not – strong customer authentication can be performed as well with 3DSv1 – the specific authentication method is implemented and handled by the customer bank (Issuer), regardless of the 3DS version