What is Strong Customer Authentication (SCA) under PSD2?

Vincent Delitz

Created: January 31, 2025

Updated: February 17, 2025


What is Strong Customer Authentication (SCA) under PSD2?

Strong Customer Authentication (SCA) is a security requirement introduced by PSD2 (Revised Payment Services Directive) to enhance the security of online payments and reduce fraud. SCA mandates that financial institutions and payment service providers implement multi-factor authentication (MFA) for electronic transactions, ensuring that only legitimate users can access accounts and approve payments.

SCA Requirements

To comply with SCA, authentication must involve at least two of the following three factors:

  1. Knowledge – Something the user knows (e.g., a password or PIN).
  2. Possession – Something the user has (e.g., a smartphone, hardware token, or smart card).
  3. Inherence – Something the user is (e.g., biometrics like fingerprints or facial recognition).

How SCA Works in Online Payments

SCA applies to most electronic payments within the European Economic Area (EEA). For example:

  • A customer logging into an online banking account may need to provide both a password (knowledge) and confirm the login via a mobile push notification (possession).
  • A user making an online payment may be required to authenticate using biometrics (inherence) and approve the payment through their banking app (possession).

Exemptions to SCA

Certain transactions may be exempt from SCA, such as:

  • Low-value transactions (below €30).
  • Recurring payments (e.g., subscriptions).
  • Transactions deemed low-risk based on fraud analysis.
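As an added example that is not part of the original post, the following JavaScript sketches the decision a payment service provider's back end has to make: classify the presented authentication factors into the three SCA categories, require at least two distinct categories (two knowledge factors such as a password plus a PIN do not count as two factors), and apply the exemptions listed above before demanding SCA. The factor names, the transaction object shape and the `recurring`/`lowRisk` flags are assumptions made for this example; the EUR 30 threshold is the figure from the text.

```javascript
// Added example (not the post's code). Maps constructed factor names to the
// three SCA categories; the names themselves are assumptions for this sketch.
const FACTOR_CATEGORY = {
  password: "knowledge",
  pin: "knowledge",
  push_approval: "possession",   // approval on a registered device
  hardware_token: "possession",
  smart_card: "possession",
  fingerprint: "inherence",
  face: "inherence",
};

// Returns the set of distinct SCA categories covered by the presented factors.
function coveredCategories(factors) {
  const cats = new Set();
  for (const f of factors) {
    const c = FACTOR_CATEGORY[f];
    if (c) cats.add(c);
  }
  return cats;
}

// SCA is satisfied only when at least two *different* categories are present:
// a password plus a second password (or a PIN) is still a single factor.
function satisfiesSca(factors) {
  return coveredCategories(factors).size >= 2;
}

// Exemption check over a constructed transaction {amountEur, recurring, lowRisk}.
// Low-value uses the EUR 30 threshold from the text ("below" => strictly less than);
// the other two flags stand in for decisions the text leaves to the provider
// (a recurring payment series, a low-risk verdict from fraud analysis).
function scaExemption(tx) {
  if (tx.amountEur < 30) return "low-value";
  if (tx.recurring) return "recurring";
  if (tx.lowRisk) return "low-risk";
  return null;
}

// Decide whether a transaction may proceed with the factors presented.
function authorize(tx, factors) {
  const exemption = scaExemption(tx);
  if (exemption) return { allowed: true, reason: `exempt: ${exemption}` };
  if (satisfiesSca(factors)) return { allowed: true, reason: "SCA satisfied" };
  return { allowed: false, reason: "SCA required: fewer than two independent factors" };
}

// Usage: authorize({ amountEur: 250, recurring: false, lowRisk: false }, ["password", "push_approval"])
```

The point of `coveredCategories` is that it counts categories, not credentials: a server that simply counts prompts can be fooled into treating two knowledge factors as multi-factor authentication.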

SCA and Passkeys

Traditional authentication methods like passwords and SMS OTPs are still widely used but are vulnerable to phishing attacks. Passkeys, based on WebAuthn and FIDO2, offer a phishing-resistant alternative by leveraging cryptographic authentication and device-bound credentials. Banks and fintech companies implementing passkeys can meet SCA requirements while improving both security and user experience.
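To make the passkey claim concrete, here is an added example (not code from the post or from any passkey vendor) of the check a relying party performs on a WebAuthn assertion before counting it towards SCA. The signature over the authenticator data proves possession of the credential's private key; the user-verified (UV) flag in the authenticator data records that the authenticator also checked a PIN or biometric, supplying the second factor. Treating a UV assertion as possession plus a knowledge-or-inherence factor is the usual reading and is stated here as an assumption; the 32-byte `rpIdHash` stand-in and the flag layout constants are constructed for the example, following the authenticator data layout in the WebAuthn specification (rpIdHash, flags byte, 4-byte big-endian signature counter).

```javascript
// Added example, not the post's code. Flag bits per the WebAuthn authenticator data format.
const FLAG_UP = 0x01; // user present (touch / click)
const FLAG_UV = 0x04; // user verified (PIN or biometric checked by the authenticator)

// Parse the fixed prefix of authenticatorData: rpIdHash (32) | flags (1) | signCount (4).
function parseAuthenticatorData(bytes) {
  if (bytes.length < 37) throw new Error("authenticatorData too short");
  const flags = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    rpIdHash: bytes.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(33), // big-endian is DataView's default
  };
}

// Constant-time comparison of two byte arrays (avoids leaking where they differ).
function bytesEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
  return diff === 0;
}

// Map one assertion to SCA factors. The caller is assumed to have already verified
// the signature with the stored public key; that verification is what proves possession.
function scaFactorsFromAssertion(authData, expectedRpIdHash) {
  const parsed = parseAuthenticatorData(authData);
  if (!bytesEqual(parsed.rpIdHash, expectedRpIdHash)) {
    return { factors: [], satisfiesSca: false, reason: "rpIdHash mismatch" };
  }
  if (!parsed.userPresent) {
    return { factors: [], satisfiesSca: false, reason: "UP not set" };
  }
  const factors = ["possession"];
  if (parsed.userVerified) factors.push("knowledge-or-inherence");
  return {
    factors,
    satisfiesSca: factors.length >= 2,
    reason: parsed.userVerified ? "UV set" : "UV not set: single factor only",
  };
}

// Constructed stand-in for sha256(rpId); a real relying party hashes its own RP ID.
const SAMPLE_RP_ID_HASH = new Uint8Array(32).fill(0xab);

// Build a constructed 37-byte authenticatorData blob for testing.
function buildSampleAuthData(flags, signCount = 7) {
  const out = new Uint8Array(37);
  out.set(SAMPLE_RP_ID_HASH, 0);
  out[32] = flags;
  new DataView(out.buffer).setUint32(33, signCount);
  return out;
}

// Usage: scaFactorsFromAssertion(buildSampleAuthData(FLAG_UP | FLAG_UV), SAMPLE_RP_ID_HASH)
```

The practical consequence for a bank: request `userVerification: "required"` when creating the assertion options, and still check the UV bit server-side, because an authenticator that only set UP has performed a presence test, not a second factor.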

By enforcing Strong Customer Authentication (SCA), PSD2 enhances transaction security, reducing fraud risks and increasing trust in digital banking and online payments.
