What is Strong Customer Authentication (SCA)?

Strong Customer Authentication (SCA) refers to a robust framework for payment systems in Europe. It applies to customer-initiated payments in order to reduce fraudulent transaction opportunities and increase confidence in card transactions.

Payment Services Directive

SCA has been introduced as part of a larger regulatory framework, the Payment Service Directive, which is now in its second iteration (PSD2). The PSD2 was formed by the European Banking Authority in 2015 with a 4-year implementation window for those required to comply.

In particular, this regulation highlights the importance of application program interfaces (APIs). APIs are integrated technological programs which increase the simplicity and security of data transfer; such as that required in online payments. They largely feature as part of online banking regulatory technical standards.

The purpose of the PSD2 is predominantly to decrease the potential for online fraud. Naturally, this is likely to increase the confidence of cardholders and improve risk management processes. This has been reflected in a sharp rise in the percentage of payments made with contactless methods over the past couple of years, accelerated by the Covid crisis. 

Features of Strong Customer Authentication

The framework for SCA is simple: your digital payments system must integrate at least two of the following three features:

1. Knowledge (ie. the customer must know the answer to a security question)
2. Possession (ie. the customer must possess a response code)
3. Inherence (ie. the customer must be aligned with the biometric data on record)

Your system can have any combination of the features listed. For example, you might require a biometric login, followed by a texted code of authorisation. Common SCA compliance can manifest through the use of 2-factor authentication, or one time passwords. 

Dynamic linking

Another feature of PSD2 is dynamic linking, which refers to the tokenisation of payments. The key challenge with data sharing in FinTech is ensuring that data remains anonymous, while still being trackable. Therefore, tokenisation will create a valid data set specific to the payee and transaction amount. If a merchant attempts to change this amount later, a new token is required to re-validate the transaction. The process is known as ‘3D secure 2 protocol’.

Who must comply with Strong Customer Authentication

SCA applies to any payment service provider, including bank account providers, that facilitate “customer-initiated” payments. This refers to active participation from the cardholder at the moment of authorisation. For example, an online transaction is considered customer initiated, alongside contactless payments in stores.  

On the contrary, direct debits and subscription payments are considered merchant initiated, so hold an SCA exemption.

Compliance, in this case, refers to the building of a multi factor authentication process into your payment system. You may have noticed that Apple Pay and Google Pay now require both biometric authentication as well as the use of passwords- this is an SCA requirement.

However, the regulatory framework comes with several exceptions. For example, the contactless limit in the UK previously stood at £30. This meant that any payments with a value of £30 or less could be exempted from the strong customer authentication process. In the last year, this limit has been raised to £100. Likewise, some “low-risk” online payment transactions are also cleared from the process – such as those facilitated by Stripe. 

From SCA to PSD2, CUBE understands financial regulation for EU-based firms and provides automated regulatory intelligence – so you know what your regulatory obligations are now, and for the future. Information governance is our bread and butter – from record retention to defensible disposal.