Strong Customer Authentication (SCA): Definition, Benefits, and Exemptions


Strong Customer Authentication is one of the core regulations payment services must abide by under the new European Revised Payment Services Directive, PSD2.

With the rise of open banking and online payments, governments implemented SCA to reduce fraud, to help secure the transaction of digital payments, and to protect consumers across digital channels. 

It requires customers to verify their identity before payment transfers can occur online, whether with an institution, financial service, or third-party business. 

Authentication provides an extra layer of security for customers and payment service providers alike. Since PSD2 simplified payments systems along electronic channels, it opened up banking platforms into a single market. 

To combat the potential fraud found with online services, SCA forces banks to uphold a standard of security by verifying users before any payments are authorized. 

You can expect SCA to enter into enforcement throughout 2021. To help you prepare, we will tell you everything you need to know to get SCA compliant, what that means for your business or service, and how you can leverage SCA to your advantage. 


What is Strong Customer Authentication? 

SCA requires that all banks or financial services collect at least two out of three verification factors:

1. Possession

A unique item that only the user has or owns. 

Phone, hardware token, smart watch, smart card

2. Knowledge

Something that the customer knows, or knowledge only they are privy to.

Passwords, PIN numbers, security questions, passphrases

3. Inherence

Something that the customer is and uniquely identifies their physical state.

Finger scan, voice recognition, facial recognition, DNA or iris format

Under SCA regulations, these authentication conditions must integrate within your checkout flow before you can accept or conduct payment transactions for your customers.

If a user does not meet the criteria, your service or bank must decline all initiated payment requests. Of note, the two factors you select as authenticators must be from different categories in case of a breach (for example, if a phone is stolen).

Benefits of Using SCA

Having such strict verification methods helps keep customer data safe and secure while meeting all privacy guidelines expected from governing regulators. 

Even though SCA creates user-end friction and adds additional complexity to online payment systems, it does present a series of benefits for both the merchant and the customer. 

Benefits for the Merchant

1. Reduce The Cost of Inaccurate Processing

SCA ensures that each client is making an active and conscious request when initiating a money transfer. Overall limits to the number of transactions can lower total transfer expenditures, and it also significantly lowers the number of incorrect payment requests. 

Considering that reports state that “friendly fraud” could have cost banks $50 billion in 2020, a reduction in accidental transfers is a huge boon. 

2. Deter Fraudulent Attempts By Bad Actors

Large digital firms saw an increase of fraudulent attacks by 39.48% in 2020. For every dollar of fraud, financial services pay $3.78 in average costs.

Determining the validity of all users and each transaction is a critical step in the fight against fraudulent bad actors. SCA infrastructure may create upfront overhead, but its ability to protect against illegitimate claims will be good in the long run. 

3. Additional compliance with PCI-DSS

SCA coincides with PCI-DSS, regulations that govern the use of credit card data. A large majority of digital payments (i.e. online wallets or contactless purchases) still transfer through credit card company systems, so SCA helps keep you compliant under several required directives.

Benefits for the User

Confidence In Online Services

73% of respondents in an Accenture study stated they would be comfortable sharing personal information if the bank was transparent about how the data would be used. Consumers are willing to engage with financial services electronically if they know they can rely on their service to remain safe and secure. Login credentials and authenticators provide a level of security that boosts user confidence.

Better Protection From Fraud

It is not just banks that pay for fraudulent attacks. Over half of customers surveyed in a KPMG study reported that they received less than 25% of their fraud losses.

Client engagement will go down, and as fintech services become ubiquitous, fraudulent scenarios can ruin long-held business-to-customer relationships.

Flexible Authentication Can Lower User Friction

It may seem counterintuitive, but safe logins offer better user experiences than unsecured ones over time. While limits to payments systems always add traction to the UX design of an interface, the long-term results from secure transactions outweigh the cost of long login credential times.

Consistent services and secure transactions across multiple payment gateways retain high-priority clients.

How To Implement Strong Customer Authentication

At the moment, the simplest way to create SCA conditions is with 3D Secure or 3D Secure 2. 

It is an authentication standard found in most European credit cards or financial services. It applies an additional step at a point of sale processor, such as requiring a finger or facial scan from a smartphone. 

Authenticators have moved on beyond the standard password, text and email verifications. Here are some of the newest and strongest authenticators you can utilize when you select your two-factor verifications: 

One-Time Passwords

Users can request a randomized password for a single session. One-Time Passwords present a high level of security because each login requires a new algorithmically designed password string in order to gain access. The continual code updates create additional user friction and require two devices (e.g. a computer and smartphone) to implement, but particular applications may prefer this newest level of security.

Security Tokens

By incorporating a third party authenticator, you can store numerous unique passwords into singular "buckets." Each password is accessible by a master password, while the data string remains secured, preventing fraud. Hold a different password for each bucket to protect individual services from a breach, all while creating a generally frictionless user experience.

2FA Apps

Several apps have built authenticators based on the zero trust model (everything is a threat till verified). While secure, it introduces immense login friction. 

For example, two-factor authentication requires validation from your primary network access as well as out-of-band (timed codes delivered to a smartphone) verification to identify the user. 

No matter which two conditions you choose, make sure that each of your authenticators is dynamically linked. For example, an ATM card transaction only works with the physical card and a PIN that are used simultaneously.

Other commonly linked authenticators are when a one-time security code is texted to a smartphone to help verify a desktop login. At a high level on the back end, dynamic linking sends authentication tokens to both the payment services and the payee that will expire if the transaction does not proceed as planned. 
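The dynamic linking described above can be sketched as follows. This is an added example, not code from the original page: it assumes the authentication code is an HMAC over the payer, payee, amount, currency and expiry, and the key, lifetime and function names are hypothetical.

```python
import hashlib
import hmac
import time

# Constructed demo key; a real issuer would keep this in an HSM or secrets manager.
ISSUER_KEY = b"constructed-demo-key-not-for-production"
CODE_LIFETIME_SECONDS = 300  # assumed validity window


def _mac(payer, payee, amount_cents, currency, expiry):
    # Length-prefix every field so "AB" + "C" and "A" + "BC" cannot collide.
    fields = [payer, payee, str(amount_cents), currency, str(expiry)]
    msg = b"".join(len(f.encode()).to_bytes(2, "big") + f.encode() for f in fields)
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()


def issue_auth_code(payer, payee, amount_cents, currency, now=None):
    """Return (expiry, code): a code bound to this exact payee and amount."""
    issued = int(now if now is not None else time.time())
    expiry = issued + CODE_LIFETIME_SECONDS
    return expiry, _mac(payer, payee, amount_cents, currency, expiry)


def verify_auth_code(code, expiry, payer, payee, amount_cents, currency, now=None):
    """Accept the code only for the unchanged transaction and before expiry."""
    current = int(now if now is not None else time.time())
    if current > expiry:
        return False  # the transaction did not proceed in time
    expected = _mac(payer, payee, amount_cents, currency, expiry)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected, code)
```

Because the expiry is part of the MAC input, extending it after issuance invalidates the code in the same way as changing the amount or the payee.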

Exemptions To SCA

For those worried about the extent of verification rules, you do not need to apply SCA in every instance. 

Strong Customer Authentication is only required when the transaction is customer-initiated, which means you can take advantage of several exemptions: 

Low-Risk Transactions

Services are allowed to make real-time calculations about the level of risk each transaction has. 

If the issuer's Transaction Risk Analysis and Fraud Rate meets a certain threshold compared to the transfer size, the SCA requirement can be waived. Businesses can request an exemption at any time, but the issuer has the right to refuse or grant that exemption.

Low Cost

Transactions that are below 30 Euros qualify for an exemption. This exemption comes with some stipulations — the bank must track the amount and the frequency of payments made. 

If a customer makes five consecutive transactions with a combined value of more than 100 Euros, SCA applies. The rule is meant to limit low-value fraudulent transactions made at set intervals in the hope of avoiding undue attention.
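The two-category factor rule from the definition section and the low-value counters described here can be combined into one decision routine. This is an added example, not code from the original page; the factor names, class and function names are hypothetical, and it assumes the five-payment count and the 100 Euro combined value are tracked as independent limits since the last completed SCA.

```python
from dataclasses import dataclass

# Factor categories from the page; the factor names are constructed labels.
CATEGORY = {
    "phone": "possession", "hardware_token": "possession", "smart_card": "possession",
    "password": "knowledge", "pin": "knowledge", "passphrase": "knowledge",
    "fingerprint": "inherence", "face": "inherence", "voice": "inherence",
}
LOW_VALUE_LIMIT_CENTS = 3000    # page: payments below 30 euros
CUMULATIVE_LIMIT_CENTS = 10000  # page: combined value of 100 euros
MAX_EXEMPT_COUNT = 5            # page: five consecutive transactions


def factors_satisfy_sca(presented):
    """True only if the verified factors span two different categories."""
    # Unknown factor names are ignored rather than trusted.
    return len({CATEGORY[f] for f in presented if f in CATEGORY}) >= 2


@dataclass
class LowValueTracker:
    """Per-customer counters of exempted payments since the last SCA."""
    exempt_count: int = 0
    exempt_total_cents: int = 0

    def decide(self, amount_cents, presented=()):
        """Return 'authenticated', 'exempt' or 'declined' for one payment."""
        if factors_satisfy_sca(presented):
            # A completed SCA resets both counters.
            self.exempt_count, self.exempt_total_cents = 0, 0
            return "authenticated"
        within_limits = (
            0 < amount_cents < LOW_VALUE_LIMIT_CENTS
            and self.exempt_count < MAX_EXEMPT_COUNT
            and self.exempt_total_cents + amount_cents <= CUMULATIVE_LIMIT_CENTS
        )
        if within_limits:
            self.exempt_count += 1
            self.exempt_total_cents += amount_cents
            return "exempt"
        # Assumption: the issuer declines rather than trying another exemption.
        return "declined"
```

Amounts are held in integer cents so that the cumulative total never drifts through floating-point rounding.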

Recurring Subscriptions

Recurring, subscription, or fixed payments of an exact amount from a consistent vendor only require SCA once. Once the transfer amount fluctuates, then each new transaction must include Strong Customer Authentication.

For merchants who employ sliding scale or adjustable pay periods, you may still be exempt since merchant initiated transactions are not regulated under SCA.

Business-to-Business Transactions

Transfers made between two corporations that initiate requests between a secure payment system do not need to apply SCA. For example, a business may have a lodged card or virtual number that employees can use for expense accounts.

These transactions do not require SCA. Additionally, some corporations can assign or “white list” other services as trusted beneficiaries. Those who are whitelisted do not need 3D Secure or Strong Customer Authentication for each transaction.


While strong customer authenticators are now required, there is still freedom for each business or financial service to select the verification methods that work best.

Your applications may not require biometric scanning as a login credential — employing that as a verification method will only cause more hassle for users who are trying to access your product (not to mention the undue expense). 

The ideal scenario is a combination of linked authenticators that keeps you compliant but also maintains a balance with user experience. For example, Privat Bank implemented a QR-code based authenticator that achieved compliance but also improved customer access.

Some companies only require basic SMS and text two-factor control to stay secure while offering ease of use. Choose the combination that fits your business best, and keep it simple. 

If you struggle with deciding between all the verification options available, or if you need more details about how to incorporate SCA, S-PRO can help you integrate a wide range of solutions. Discover the most optimal authenticators for your service, and implement two-factor methods with minimal hassle.

Contact us here for the right Strong Customer Authentication strategy.
