What is SCA and why is it essential under PSD2?

Vincent Delitz

Created: January 31, 2025

Updated: February 17, 2025

What Is Strong Customer Authentication (SCA) and Why Is It Essential Under PSD2?#

What Is SCA?#

Strong Customer Authentication (SCA) is a European regulatory requirement introduced under the Revised Payment Services Directive (PSD2, Directive (EU) 2015/2366) and specified in detail by the Regulatory Technical Standards (Commission Delegated Regulation (EU) 2018/389). It requires payment service providers to authenticate a payer with at least two independent factors whenever the payer accesses a payment account online, initiates an electronic payment, or performs another action through a remote channel that may carry a risk of payment fraud. The goal is to reduce fraud, particularly in card-not-present channels.


Why Is SCA Required Under PSD2?#

PSD2 was designed to create a more secure and competitive digital payment ecosystem within the EU. SCA is essential because:

  • It makes unauthorized transactions much harder by requiring at least two independent authentication factors.
  • It reduces fraud risks, particularly for card-not-present transactions.
  • It increases consumer trust in digital banking and payment services.

How Does SCA Work?#

SCA requires authentication using at least two of the following three factors, and the factors must be independent: compromising one (for example, a leaked password) must not compromise the other.

  1. Something You Know (knowledge, e.g., password, PIN)
  2. Something You Have (possession, e.g., smartphone, security key)
  3. Something You Are (inherence, e.g., fingerprint, facial recognition)

For remote electronic payments, SCA additionally requires dynamic linking: the authentication code must be specific to the amount and the payee the user agreed to, so that it cannot be reused for a different transaction.

This means a one-time password (OTP) sent via SMS counts as a single possession factor and is not sufficient on its own; it must be combined with a factor from another category, such as a password.


When Is SCA Required?#

  • Online payments (e.g., e-commerce transactions, bank transfers)
  • Accessing a bank account online
  • Performing actions through a remote channel that may imply a risk of payment fraud (e.g., adding a new payee, changing contact details)

Are There Any Exemptions?#

Yes. The RTS defines exemptions that a payment service provider may apply to lower-risk transactions, such as:

  • Recurring payments of the same amount to the same payee (e.g., subscriptions): SCA is still required for the first payment in the series and whenever the series is changed.
  • Low-value remote transactions (up to €30), subject to cumulative limits: SCA is triggered again once the total since the last SCA exceeds €100 or after five consecutive exempted transactions.
  • Trusted beneficiaries (a payee list the user has confirmed using SCA).
  • Transaction risk analysis (TRA), where the provider's fraud rate stays below the threshold defined for the transaction amount.

Exemptions are optional for the provider, and for card payments the issuer can decline an exemption requested by the merchant side and demand SCA anyway.

What Role Do Passkeys Play in SCA?#

Passkeys, based on WebAuthn and FIDO2, are well suited to SCA because:

  • They provide phishing-resistant authentication: the credential is scoped to the relying party's ID, so it cannot be exercised on a look-alike domain.
  • There is no shared secret to steal and no OTP to intercept; only a signature over a server-issued challenge leaves the device.
  • A single user gesture can evidence two independent factors: possession of the device holding the private key (something you have) and user verification by biometric or device PIN (something you are or know).

Two checks matter on the relying-party side. Request `userVerification: "required"` and verify that the UV flag is set in the returned authenticator data; an assertion with only the user-presence (UP) flag evidences possession alone. For payments, derive the challenge from the amount and payee so the signed assertion satisfies dynamic linking.

Conclusion#

SCA is a critical PSD2 security requirement that protects online transactions, reduces fraud, and enhances consumer trust. Passkeys offer a compliant, secure, and user-friendly alternative to traditional authentication methods, aligning with SCA’s security objectives.
