Essential points of robust authentication: What are its benefits?

EU's New Directive on E-commerce Fraud: Understanding Strong Customer Authentication

The European Union's revised Payment Services Directive 2 (PSD2), effective from 14 September 2019, introduced Strong Customer Authentication (SCA) as a regulatory requirement to enhance the security of electronic payments and reduce fraud[1][3][5]. SCA is a method that involves multi-factor authentication, designed to protect consumers making payments with a credit card in person at a store or online[6].

### How SCA Works

SCA mandates multi-factor authentication for most electronic payment transactions. Customers must authenticate themselves using at least two of the following three elements: something they know (such as a password or PIN), something they have (like a pre-registered mobile phone, card reader, or hardware token), and something they are (biometric data including fingerprint, facial recognition, or iris scan)[1][3][5]. This layered authentication confirms the payer’s identity at the time of the transaction, replacing reliance on static credentials. For online card payments, the responsibility for customer authentication lies with the payment service providers—card issuers and acquirers—not merchants[1].

After authentication, the user must provide explicit consent for the payment, which is digitally recorded to prevent tampering or repudiation[5]. SCA also requires integration with secure API authentication and regulatory oversight by bodies like eIDAS, which issues trusted digital certificates to authorise service providers’ access to banking APIs[5].

### Applications of SCA

SCA applies broadly to electronic payments across the European Economic Area (EEA) including online card payments (e-commerce), online banking transactions, contactless payments exceeding certain thresholds, and credit transfers initiated online[1][3]. From 31 December 2020, all electronic transactions within the EU require SCA unless specific exemptions apply, largely to low-risk transactions or trusted merchants where “frictionless flow” can be used (e.g., repeated payments with the same provider using the same payment device)[1][3].

### Exemptions and Limitations

Mail order and telephone order (MOTO) payments are exempt from SCA. Transactions deemed low risk do not require strong customer authentication. European Economic Area (EEA) member states gradually implemented SCA until its deadline on 20 December 2020[2]. Toll road and car park payments are SCA-exempt because they happen at unattended terminals and are for a very small amount. Regular subscriptions with streaming platforms or gym memberships are exempt from SCA[3].

SCA has been mandatory for electronic payments at stores or online since 1 January 2021. New authentication is required after five payments since the last SCA for contactless payments that exceed 150 euros in total[3].

### The Impact of SCA

SCA has significantly reduced fraud in remote payments and strengthened consumer trust in digital payments across Europe[4][5]. By implementing SCA, the EU aims to create a robust, multi-factor identity verification process for electronic payments to enhance security and reduce fraud, applying to nearly all types of online and electronic payment transactions.

Users can "whitelist" trusted businesses that won't require SCA by notifying their bank or payment services providers[7]. Banks set their own customer identification requirements for SCA[8].

In essence, SCA in Europe creates a robust, multi-factor identity verification process for electronic payments to enhance security and reduce fraud, applying to nearly all types of online and electronic payment transactions.

**References**

[1] European Central Bank. (2020). Strong customer authentication and secure communication under PSD2. Retrieved from https://www.ecb.europa.eu/paym/policies/sca/html/index.en.html

[2] European Banking Authority. (2020). Guidelines on the application of strong customer authentication and common and secure open standards of communication under PSD2. Retrieved from https://eba.europa.eu/-/eba-publishes-guidelines-on-strong-customer-authentication-and-common-and-secure-open-standards-of-communication-under-psd2

[3] European Commission. (2018). Payment Services Directive (PSD2). Retrieved from https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12422-Payment-Services-Directive-PSD2

[4] European Central Bank. (2021). The impact of strong customer authentication and secure communication under PSD2. Retrieved from https://www.ecb.europa.eu/paym/policies/sca/html/impact.en.html

[5] European Banking Authority. (2021). Report on the implementation of strong customer authentication and common and secure open standards of communication under PSD2. Retrieved from https://eba.europa.eu/-/eba-publishes-report-on-the-implementation-of-strong-customer-authentication-and-common-and-secure-open-standards-of-communication-under-psd2

[6] European Commission. (2019). Payment Services Directive (PSD2). Retrieved from https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12422-Payment-Services-Directive-PSD2

[7] European Central Bank. (2020). Strong customer authentication and secure communication under PSD2. Retrieved from https://www.ecb.europa.eu/paym/policies/sca/html/index.en.html

[8] European Banking Authority. (2020). Guidelines on the application of strong customer authentication and common and secure open standards of communication under PSD2. Retrieved from https://eba.europa.eu/-/eba-publishes-guidelines-on-strong-customer-authentication-and-common-and-secure-open-standards-of-communication-under-psd2

  1. As Europe works to broaden financial inclusion, cybersecurity awareness becomes increasingly important: robust measures such as Strong Customer Authentication (SCA) safeguard sensitive financial data, making electronic payments more secure and reducing fraud.
  2. In line with the European Union's efforts to advance financial education, the integration of secure API authentication with SCA enforces high standards in technology and finance, ensuring the reliability of business transactions and promoting consumer confidence.
  3. To foster a secure and expanding digital economy, SCA, as a regulatory requirement, places emphasis on both cybersecurity and financial education, establishing a robust, multi-factor identity verification process that protects businesses and consumers alike.
