
What is Strong Customer Authentication (SCA)?

Strong Customer Authentication (SCA) refers to a robust framework for payment systems in Europe. It applies to customer-initiated payments in order to reduce fraudulent transaction opportunities and increase confidence in card transactions.

Payment Services Directive

SCA has been introduced as part of a larger regulatory framework, the Payment Services Directive, which is now in its second iteration (PSD2). The PSD2 was formed by the European Banking Authority in 2015 with a 4-year implementation window for those required to comply.

In particular, this regulation highlights the importance of application programming interfaces (APIs). APIs are integrated technological programs which increase the simplicity and security of data transfer, such as that required in online payments. They largely feature as part of online banking regulatory technical standards.

The purpose of the PSD2 is predominantly to decrease the potential for online fraud. Naturally, this is likely to increase the confidence of cardholders and improve risk management processes. This has been reflected in a sharp rise in the percentage of payments made with contactless methods over the past couple of years, accelerated by the Covid crisis. 

Features of Strong Customer Authentication

The framework for SCA is simple: your digital payments system must integrate at least two of the following three features:

  1. Knowledge (i.e. the customer must know the answer to a security question)
  2. Possession (i.e. the customer must possess a response code)
  3. Inherence (i.e. the customer must be aligned with the biometric data on record)

Your system can have any combination of the features listed. For example, you might require a biometric login, followed by a texted code of authorisation. SCA compliance commonly takes the form of two-factor authentication or one-time passwords.

Dynamic linking

Another feature of PSD2 is dynamic linking, which refers to the tokenisation of payments. The key challenge with data sharing in FinTech is ensuring that data remains anonymous, while still being trackable. Therefore, tokenisation will create a valid data set specific to the payee and transaction amount. If a merchant attempts to change this amount later, a new token is required to re-validate the transaction. The process is known as ‘3D secure 2 protocol’.
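The binding described above can be illustrated with a short added example, which is not from the original article or from CUBE: an authentication code computed over the payee and the amount stops verifying as soon as either one changes. HMAC-SHA256, the per-code nonce, the function names and the sample merchant are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
from decimal import Decimal

CENT = Decimal("0.01")


def _message(payee: str, amount: Decimal, currency: str, nonce: str) -> bytes:
    """Serialise the fields the code is bound to, unambiguously."""
    if amount != amount.quantize(CENT):
        raise ValueError("amount must have at most two decimal places")
    fields = [payee, str(amount.quantize(CENT)), currency, nonce]
    # Length-prefix every field so that moving characters between fields
    # (payee "AB" + currency "C" vs payee "A" + currency "BC") changes the message.
    return b"".join(len(f.encode()).to_bytes(2, "big") + f.encode() for f in fields)


def issue_code(key: bytes, payee: str, amount: Decimal, currency: str) -> dict:
    """Issue a code valid only for this payee and this amount (hypothetical helper)."""
    nonce = secrets.token_hex(16)  # fresh per transaction, so codes are not reusable
    tag = hmac.new(key, _message(payee, amount, currency, nonce), hashlib.sha256)
    return {"nonce": nonce, "tag": tag.hexdigest()}


def verify_code(key: bytes, code: dict, payee: str, amount: Decimal, currency: str) -> bool:
    """Recompute the code over the details actually being charged and compare."""
    expected = hmac.new(
        key, _message(payee, amount, currency, code["nonce"]), hashlib.sha256
    ).hexdigest()
    return hmac.compare_digest(expected, code["tag"])  # constant-time comparison


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed key; held by the issuer in practice
    code = issue_code(key, "Example Books Ltd", Decimal("49.99"), "EUR")
    print("original details:", verify_code(key, code, "Example Books Ltd", Decimal("49.99"), "EUR"))
    print("amount changed:  ", verify_code(key, code, "Example Books Ltd", Decimal("499.90"), "EUR"))
    print("payee changed:   ", verify_code(key, code, "Other Payee Ltd", Decimal("49.99"), "EUR"))
```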

Who must comply with Strong Customer Authentication

SCA applies to any payment service provider, including bank account providers, that facilitates “customer-initiated” payments. This refers to active participation from the cardholder at the moment of authorisation. For example, an online transaction is considered customer-initiated, alongside contactless payments in stores.

By contrast, direct debits and subscription payments are considered merchant-initiated, so hold an SCA exemption.

Compliance, in this case, refers to the building of a multi-factor authentication process into your payment system. You may have noticed that Apple Pay and Google Pay now require both biometric authentication as well as the use of passwords; this is an SCA requirement.

However, the regulatory framework comes with several exceptions. For example, the contactless limit in the UK previously stood at £30. This meant that any payments with a value of £30 or less could be exempted from the strong customer authentication process. In the last year, this limit has been raised to £100. Likewise, some “low-risk” online payment transactions are also cleared from the process – such as those facilitated by Stripe. 


© 2023 CUBE Content Governance Global Limited
