Strong Customer Authentication: How SCA changed payments

Way back in January 2013, the European Central Bank compiled and released a comprehensive set of recommendations that would significantly impact the online payment scene.

It announced that, in the name of internet payment security, a new system be adopted that provided Strong Customer Authentication (SCA). This recommendation didn’t come out of nowhere - it was built on a previous directive made in 2007.

That one had two main purposes:

  • To lay down rules for payment services such as credit transfers, direct debits and card payments

  • Bring structure to the information requirements for payment services providers, as well as rights and obligations linked to the use of payment services.

This is the foundation that Payment Services Directive 2, or PSD2 as it came to be known, built on.

This directive had numerous different purposes, such as further integrating the internal market for electronic payments within the EU. However, it’s most infamous for its approach to security, giving the European Banking Authority the ability to:

“develop regulatory technical standards on strong customer authentication and secure communication channels with which all payment service providers must comply”

Come January 2021 (or March 2022 for the UK), these ‘regulatory technical standards’ as outlined PSD2 finally came into full force. We are, of course, referring to strong customer authentication.

Now that we’re a few months removed from this, now seems like a good time to ask: What is strong customer authentication and how has it affected the payment industry?



Understanding strong customer authentication (SCA)

What are the SCA requirements?

How has SCA changed the payment market?
The positive effects of SCA on payments
Should we expect any more changes in the future?


Understanding Strong Customer Authentication (SCA)

If you're in the EU and have made any sort of online payment, then you would have been affected by SCA.

Whether you had to enter a PIN that was sent to your phone, or scan your fingerprint to confirm a payment, the implications of this regulation has shaken up the payment process for millions.

Let's break it down to get a better understanding of how SCA works, when it was introduced and why:

Strong customer authentication [infographic]




What is strong customer authentication?

Strong customer authentication refers to the one of the key regulatory requirements of the EU’s PSD2.

The regulation states that all online and card payments are required to be confirmed independently to ensure that the cardholders themselves are the ones initiating or authorizing the payment, making credit card payments more secure.

In practice, it requires the use of two-factor authentication (2FA) whenever you:

  • access your online accounts

  • involve third parties in the provision of services

  • authorize electronic payment transactions

When did strong customer authentication come into force?

SCA was initially enacted on September 14th 2019. From this date, the SCA requirements were supposed to officially come into effect.

However, with several countries requesting extensions from the European Banking Authority, a migration period was granted, and a final implementation deadline of January 1st 2021 was set across the European economic area.

In the UK, the implementation was delayed (multiple times) until March 14th 2022, when it ultimately came into force in the country. This delay was brought about by the FCA to allow more time for companies to adjust their processes in order to follow the regulatory guidelines of PSD2.

Why was strong customer authentication introduced?

The official reasoning for the introduction of SCA is clearly outlined in PSD2:

  • To strengthen consumer protection

  • To promote the introduction of technological innovations

  • To increase legal certainty

But to fully understand why, we need to understand the context in which it was implemented. So, let’s take ourselves back to 2013 and look at the payment landscape:

Growth in online transactions

By this point, it was clear that online shopping would grow to become a massive market. In Western Europe, 72% of internet users were expected to buy goods or services online for a total value of $291 billion. This, of course, was projected to grow further in the coming years. [1]

Security concerns

At the same time, however, we became wearier of the security of purchasing goods online. Back in 2013, Europol noted a trend that would see the growing e-commerce industry resulting in a parallel growth of card-not-present fraud. [2]

Bringing online payments in line with in-person payments

Another key factor in the decision is linked to how payments are secured in-person. When making payments using a physical card while in-store, for example, a kind of strong customer authentication already took place.

As mentioned, Chip and PIN transactions are often compliant for SCA purposes as it demonstrates both possession and knowledge. Contactless payments, another increasingly common payment method, follows the same logic. However, this method benefits from exemption when payments below a certain limit are made. More on that later.

In this context, the European Commission began to explore potential remedies to this, ultimately resulting in PSD2.

But what exactly are the requirements?

What are the SCA requirements?

As mentioned, SCA requires the use of two factor authentication in certain scenarios. Most importantly for our topic today, that includes authorizing electronic payment transactions.

SCA applies for all payment services provided within the EEA by European payment service providers, meaning a 2FA process must take place in order to make an online payment.

After the customer fills in their card details and confirms their payment, they will be sent to a page where additional authentication measures must be completed.

These fall into three categories: knowledge, possession and inherence.

The customer must then be able to demonstrate two out of the three categories to be able to proceed with the

  • Knowledge refers to things that only the payer would know, like a PIN or a password

  • Possession refers to something that only the payer has, like a mobile phone or another device that can be sent one-time codes

  • Inherence refers to something that only the payer is, like their fingerprint or facial recognition technology

For ‘face to face’ purchases, there is also a need to follow these regulations. However, many common traditional payment methods (i.e. cash) don't require this, while typical Chip and PIN card payments are often already compliant.

It's worth noting that, following Brexit, there is a growing divergence between the implementation of SCA in the EU and the UK. For the purposes of this articles, we'll be focusing more on the EU side of things.

SCA exemptions

There are also plenty of exemptions to the requirements of strong customer authentication. These were implemented to make life easier in certain situation – often where the SCA requirements would be particularly disruptive.

Here are a few of the most important exemptions:

- Transaction risk analysis

Payments under a certain threshold, currently €50, along with those that are considered ‘low risk’ based on parameters such as a fraud rate of 0.13% by the bank or payment provider, are exempt from SCA.

- Trusted beneficiaries

This is basically where customers whitelist specific merchants so that they no longer have to perform 2FA every time a payment is made.

- Recurring payments or subscriptions

Repeat payments of the same amount to the same merchant are exempted from SCA requirements.

- B2B payments

Certain corporate payment cards meet a high enough security standard that they do not require 2FA verification with each purchase, saving a lot of time.

Did you know?

All AirPlus products either fully comply with these requirements (AirPlus Corporate Card) or have been exempted from 2FA by demonstrating exceptional security (such as the AirPlus Company Account and AirPlus Virtual Cards Single-use).

The point here is that, between these exemptions, many transactions will not require strong customer authentication and help minimize the disruption caused. This balances the need for security and ease of use of payments online.

Now that we have covered the background of strong customer authentication, let's see how it has changed the payment scene.

How has SCA changed the payment market?

As you may expect, the change proved controversial at first. There were a few issues that became immediately clear once SCA was introduced:


Strong customer authentication in the form of 2FA codes can be disruptive to the payment experience

- Increased friction

Many detractors claim that it added friction at the checkout stage, making online payments more difficult. In fact, data suggested that Europe-based merchants could lose €100 billion in online sales in 2021. [3]

- False declines

It wasn't a perfect implementation either. There were many occasions where perfectly legitimate payments were declined. According to Barclaycard Payments, 664,000 online transactions were declined in the month following SCAs introduction in the UK. [4]

- General confusion

The confusion caused by the implementation of SCA compounded these other issues – so much so that the requirement was postponed multiple times in the UK. One survey found that less than a third of respondents in Italy and France were aware of SCA. [5]

This is all not to mention the confusion amongst businesses about how to go about implementing SCA-approved practices. This led to many of the declines mentioned above.

For context, this change came about in the middle of the pandemic , which made it all the more pronounced due to the increase in online shopping following the lockdowns that saw many physical stores close.

However, a lot of this confusion was due to 'teething issues', and so this issue seems to have been mostly resolved.

So, we've all likely experienced the impact of SCA personally by this point – but how has SCA impacted businesses?

SCA’s impact on businesses

Payment processes in businesses are often very tightly controlled. What this means is that these processes will need to be overhauled in order to facilitate the SCA-mandated authentication process as outlined in the regulatory technical standards. [6] This will likely result in increased costs and disruption, at least in the short term.

Namely, incorporating the technology to verify the identity of customers as required in the guideline will take some time to do. This technology will need to be found, integrated and tested to the high standards of the corporate payment world before going live.

The latest implementation of 3D Secure is going a long way in realizing this, though.

The role of 3D Secure

No discussion of SCA would be complete without mentioning 3D Secure.

Put simply, 3D Secure is a protocol that was developed to increase the security of online transactions that involve credit and debit cards. It involves the three parties involved with the processing of payments: the issuer, the acquirer, and the network processing the transaction.

It's latest implementation, dubbed 3DS 2.2, has built on its previous renditions to not only improve the online payment experience, but also enable a smoother payment experience when it comes to SCA.

So what does 3D Secure have to do with SCA and how does it help?

3D Secure 2 and Strong Customer Authentication

Basically, it is a more standardized approach to the requirements of SCA. It enables merchant to be compliant with the directive while also reducing the impact on the user experience.

As SCA relies heavily on risk-based authentication, 3D Secure 2 offers even more data points along with every transaction – more than 100, even. Think IP address, shipping address, device information and more. That, in turn, can be used by the bank to better process the risk factors associated with the payment, thus helping to authenticate it.

The latest version of the protocol comes into play not just once a transaction has been commenced, but even before by allowing the request for merchants of low-risk or trusted merchant exemptions (more on that below) via their acquirer.

Unfortunately, adoption of the latest version of 3DS Secure is quite slow, meaning these advantages are not be realized by customers, including businesses, in many cases.

Check out our dedicated article on 3D Secure for more information and data on the topic.

The need to adjust internal payment processes

At the same time, this additional step adds further friction to the payment process. Among consumers, this has led to an increased transaction failure rate, reaching 31% by February 2021 [7] compared to an average of just 2-5% from before the requirement came into effect.

This number does seem to be dropping however, with the January rate having stood at 33%. In addition, businesses are arguably less likely to cancel out of a transaction just because of an added step in the process.

Most business expenses need to be processed and approved, rather than just happening on a whim. Essentially, the purchase intent is much stronger.

Another issue revolves around the payment processes at some businesses. It is not uncommon for an office to use the credit card of their manager. This has led to many colleagues having to chase up their manager for the PIN code sent to their mobile – a tedious and insecure solution.

That's not to mention the work of assistants for executives who are booking and paying for business travel on their behalf. SCA regulations are specifically designed to ensure the person whose name is on the card is the one paying, after all. This means companies will need to change up their internal payment processes.

It's clear that businesses have been impacted greatly by PSD2. However, there are some arguments on the benefits it can and had been providing to the payment market.

Hindering invisible payments

For many invisible payments are seen as the end game for payment solutions.. For a payment to be 'invisible' it should not require any input from the customer and simply be a seamless, frictionless and background process.

That means that SCA by it's very nature hinders this. But there are exemptions (see below for examples). In many cases, it is up to the merchant to manage this to ensure the least amount of friction is experienced when making payments to them.

Ultimately, SCA requirements may end up disrupting adoption of invisible payments in the B2B world – a massive shame for sure.

The positive effects of SCA on payments

While this all sounds negative so far, you must remember that we are still in the beginning phases of SCA adoption. There was always going to be disruption when it came into force, and we are experiencing that right now.

- Reducing fraud

Let’s not forget that the main premise of SCA implementation is to protect against fraud and theft of funds. It is an added layer of protection that could potentially save businesses millions in approached correctly. It seems to be working too, according to data from the European Banking Authority.

According to a recent report from them, progress made towards SCA compliance has led to a significant reduction of the volume and value of fraudulent e-commerce card-based payment transactions in the EU over the same period.

The volume of fraudulent transactions for issuers fell around 50% between December 2020 and April 2021 while the value dropped about 33%. [8]

Many businesses will welcome this protection to their bottom line as online card payments begin to become the norm.

- Consumer trust

Naturally, the concerns of consumers is an important consideration in all of this.

Sure, the friction it adds to the process was a concern for many, but others actually welcomed SCA. Based on a UK report, 27% are actually driven to shop online thanks to the implementation of SCA. 42% of those surveyed also said that SCA made them feel safer when making payments online. [9]

- Standardization

While there are some arguments focusing on customer confusion relating to the new process, there are thankfully strides being made here.

A new standard for user payment authentication appeared in the form of the new 3D Secure 2.0 protocol. This software is able to offer SCA-compliant services, helping to facilitate the necessary processes.

This standard has been adopted by the biggest names in the payment space - Mastercard and VISA – who have both implemented their own authentication services based on it. This is helping to standardize the authentication step.

Overtime, it should essentially just become part of the standard payment process for online.

- New security innovation

Then there is the argument that it is setting the trend for further innovation when it comes to online payment security. This is one of the main reasons behind the implementation –  to bring about innovation in the security space (under the umbrella of 'promoting the introduction of innovations').

We've already seen some progress here: SCA sets a standard that has been developed further with new technologies like Card-on-File Tokenization or Behavioral Analytics in Payments, importantly benefiting the customer.

- Pushing new payment trends

While we did just mention how SCA can be a hindrance to some innovations, it could also be having the opposite effect.

The increased friction that SCA is bringing about is not just inspiring new security innovation, but also payment. The ‘in the moment’ feeling of making a payment can get disrupted by the growing number of steps involved and lead to failures.

The way that PSD2 regulations focus heavily on card payments means that other digital payment methods will start to gain ground. Digital wallets and buy now, pay later services will see increased adoption as customers look for the path of least friction to make their purchases when shopping online.

Another surprising outcome is that more than 60% of transactions in Europe are being authenticated without the direct involvement of custoemrs - a frictionless payment. [10]

Does SCA make mobiles the most convenient and compliant payment device?

SCA is all about security, authentication and biometrics. Thankfully, we have all that on one single device – our smartphone. It's a fair guess then that SCA regulation has played a role in the growing adoption of mobile payments.

In fact, we've delved deeper into whether SCA is pushing users towards making mobile payments in a separate post.

In the end, it appears that SCA is working as planned. Signs are showing that it is indeed protecting the confidentiality and the integrity of the payment service users’ personalized security credentials. But it is still too early to come to any real conclusion.

Keep in mind that criminals are also upping their game when it comes to the tactics and technologies they use. With the directive being several years old already, it will be interesting to see how it is adapted to the changing payment landscape – specifically the growth of digital payment.

Should we expect any more changes in the future?

As with any major change in regulations, things have got off to a rocky start.

The world doesn’t stand still, so we should always be ready for new directives, regulations and more. This is especially true at such a critically important time as now, where many countries have started or are on the verge of a shift towards digital payments. In the future, further adoption of cryptocurrencies may also lead to more changes.

This in turn is fueled by online shopping, which was a major driving force behind PSD2 and the implementation of SCA. Fraud and theft are very difficult to stamp out, so it usually ends up like a game of cat and mouse, where regulations look to catch up with the tactics that criminals implement.

However, one thing that PSD2 proves is that those in charge are willing to make wide-reaching changes that impact businesses of all sizes. Like the GDPR before it, SCA is an example of how the EU is not afraid to implement regulations that have huge ramifications. Ultimately though, it is keeping people in mind.

With that in mind, we should definitely expect more changes to come as the industry changes. How and in what form?

PSD3 has now begun to enter discussions with a firm focus on frictionless security for ecommerce customers. In the meantime, we should just continue to innovate, improve, and consider the user experience.

Subscribe to our newsletter today for more news, trends and insights into the corporate travel and payment worlds.



Banner photo by Icons8 Team on Unsplash

Photo by Christina @ wocintechchat on Unsplash












Share this post

Subscribe now