
SCA (Strong Customer Authentication)

Strong Customer Authentication (SCA) is a regulatory requirement under the EU Payment Services Directive (PSD2) that mandates multi-factor authentication for electronic payments to reduce fraud.

SCA is mandated by the EU Revised Directive on Payment Services (PSD2), which has applied since January 2018; the Regulatory Technical Standards (RTS) that define SCA applied from 14 September 2019, with the European Banking Authority (EBA) allowing a migration period for e-commerce card payments until 31 December 2020. SCA requires authentication using at least two of three independent factors: knowledge (password or PIN), possession (phone or token), and inherence (fingerprint or face). The EBA's fraud reporting credits SCA with a significant reduction in online payment fraud across EU member states since enforcement began.

What is SCA (Strong Customer Authentication)?

Strong Customer Authentication (SCA) is a security requirement established under the European Union's Revised Directive on Payment Services (PSD2). It applies when a payer in the European Economic Area accesses a payment account online, initiates an electronic payment transaction, or carries out any action through a remote channel that may imply a risk of fraud. SCA requires the payment service provider to authenticate the user with at least two of three independent categories: knowledge (something only the user knows, like a password or PIN), possession (something only the user possesses, like a phone or hardware token), and inherence (something the user inherently is, like a fingerprint or facial recognition). The factors must be independent, so that compromise of one does not compromise the other. For remote payments the authentication code must also be dynamically linked to the amount and payee the payer was shown, so that a code captured for one transaction cannot be used to authorize a different one.

When SCA applies. SCA is required for most electronic payment transactions initiated by the payer, including online card payments, bank transfers, and e-money transactions. The RTS define exemptions the payment service provider may apply: low-value remote transactions (up to €30, subject to cumulative limits of €100 or five transactions since the last SCA), subsequent payments in a series of recurring transactions of the same amount to the same payee (the first one still requires SCA), transactions to beneficiaries on a trusted list the payer created under SCA, contactless payments at the point of sale up to €50, and transaction risk analysis (TRA) for amounts up to €100, €250 or €500 depending on the provider's fraud rate. Exemptions are the provider's option, not the payer's right: the issuer may still challenge, and a transaction exempted at the merchant's request typically leaves chargeback liability with the merchant. Merchant-initiated transactions and mail order/telephone order (MOTO) payments are out of scope rather than exempt.

Implementation and 3D Secure. In practice, SCA is most commonly implemented through the 3D Secure 2 (3DS2) protocol. When a user makes an online purchase, the issuing bank prompts the user to authenticate via its banking app on an enrolled device (possession) with a biometric or app PIN (inherence or knowledge), or with a one-time passcode sent via SMS (possession) combined with a knowledge element such as a banking password. The card number, expiry date and CVV do not count as a knowledge element under EBA guidance, since they are printed on the card and exposed in every transaction. 3DS2 supports a frictionless flow where the bank assesses risk in the background and only challenges the user when necessary, balancing security with user experience.
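The challenge step above has a property that is easy to miss: the code the issuer accepts must be specific to the amount and payee the payer was shown (dynamic linking), and the issuer must stop accepting guesses after a few failures. The following is an added example, not LoginRadius code and not the EMVCo 3DS protocol; it models one issuer-side challenge. The HMAC construction, the 8-digit truncation, the length-prefixed message layout, the per-challenge nonce and the per-customer key are this example's own assumptions.

```python
"""Dynamically linked authentication code for a remote payment.

Added example; not LoginRadius code and not the EMVCo 3DS protocol. It
illustrates two RTS requirements: Art. 5, the code must be specific to the
amount and payee the payer was shown, and Art. 4(3)(b), at most five
consecutive failed attempts. The HMAC construction, the 8-digit truncation,
the length-prefixed message layout and the per-challenge nonce are this
example's own assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

CODE_DIGITS = 8
MAX_FAILED_ATTEMPTS = 5  # RTS Art. 4(3)(b)


@dataclass(frozen=True)
class Challenge:
    transaction_id: str
    payee: str
    amount_cents: int
    currency: str
    nonce: bytes  # fresh per challenge, so a repeat purchase of the same amount gets a new code


def new_challenge(transaction_id: str, payee: str, amount_cents: int, currency: str) -> Challenge:
    return Challenge(transaction_id, payee, amount_cents, currency, secrets.token_bytes(16))


def payer_display(ch: Challenge) -> str:
    """Text the banking app shows before asking for the second factor (Art. 5(1)(b))."""
    return f"Pay {ch.amount_cents // 100}.{ch.amount_cents % 100:02d} {ch.currency} to {ch.payee}?"


def _message(ch: Challenge) -> bytes:
    # Length-prefixed fields: plain concatenation would let ("shop1", 000) and
    # ("shop", 1000) produce the same bytes and therefore the same code.
    parts = [ch.transaction_id.encode(), ch.payee.encode(),
             str(ch.amount_cents).encode(), ch.currency.encode(), ch.nonce]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def issue_code(key: bytes, ch: Challenge) -> str:
    """Issuer side: HMAC over id, payee, amount, currency and nonce, truncated to digits."""
    mac = hmac.new(key, _message(ch), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


class ChallengeSession:
    """Issuer-side state for one challenge: the code is single use and the
    session locks after MAX_FAILED_ATTEMPTS wrong codes."""

    def __init__(self, key: bytes, ch: Challenge):
        self.key, self.challenge = key, ch
        self.failed, self.consumed, self.locked = 0, False, False

    def verify(self, presented: str, claimed_amount_cents: int, claimed_payee: str) -> bool:
        """claimed_* are the amount and payee submitted with the authorization.
        The code is recomputed over them, so a code approved for one
        amount/payee fails for any other."""
        if self.locked or self.consumed:
            return False
        claimed = Challenge(self.challenge.transaction_id, claimed_payee, claimed_amount_cents,
                            self.challenge.currency, self.challenge.nonce)
        ok = (len(presented) == CODE_DIGITS
              and hmac.compare_digest(issue_code(self.key, claimed), presented))
        if ok:
            self.consumed = True
        else:
            self.failed += 1
            self.locked = self.failed >= MAX_FAILED_ATTEMPTS
        return ok


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # issuer's per-customer MAC key (assumption)
    ch = new_challenge("txn_9f8e7d6c5b", "shop.example", 150_00, "EUR")
    print(payer_display(ch))
    code = issue_code(key, ch)     # delivered through the app or as an OTP
    session = ChallengeSession(key, ch)
    print("tampered amount accepted:", session.verify(code, 151_00, "shop.example"))
    print("original accepted:", session.verify(code, 150_00, "shop.example"))
    print("replay accepted:", session.verify(code, 150_00, "shop.example"))
```

The point of recomputing the code over the claimed amount and payee, rather than storing a flag "this session was authenticated", is that an attacker who captures the OTP in transit or through a phishing page cannot spend it on a different amount or a different merchant. An 8-digit code is guessable in principle, which is why the attempt cap matters as much as the MAC.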

Analogy

SCA is like a front door that needs both a physical key and a fingerprint scan to open. The key is something you have and the fingerprint is something you are; a thief who steals the key, or lifts a print, still cannot get in, because each factor is useless without the other. A payment works the same way: a stolen password or a copied card number is not enough on its own to authorize a transaction.

Types and Use Cases

  • Online card payments: E-commerce transactions require SCA, normally through 3D Secure 2 (3DS2), where the card issuer challenges the user with a biometric or OTP verification unless an exemption applies.
  • Bank transfers and bill payments: Online banking platforms apply SCA when a user logs in to the account (subject to the periodic re-authentication exemption), adds or changes a payee, or initiates a transfer that does not qualify for an exemption such as the trusted-beneficiary list.
  • Digital wallet transactions: Apple Pay, Google Pay, and similar wallets satisfy SCA within the payment flow itself: the enrolled device is the possession factor and the biometric or device passcode is the inherence or knowledge factor.
  • Subscription and recurring payments: The first transaction requires SCA, while subsequent recurring charges of the same amount to the same payee may qualify for the recurring transaction exemption.

How it Works

1. User initiates an electronic payment (e.g., online purchase or bank transfer) on a merchant or banking platform.
2. Payment service provider assesses whether SCA is required based on transaction amount, risk level, and available exemptions.
3. If SCA is required, the user is shown the amount and payee being approved and is prompted to provide two authentication factors, e.g., a password (knowledge) plus a one-time passcode sent to their phone (possession).
4. The issuing bank validates both factors and returns an authentication result to the merchant's payment processor (in 3DS2, an authentication value that accompanies the authorization request).
5. Upon successful SCA, the transaction is authorized; if SCA fails or is not completed, the transaction is declined.
```json
{
  "paymentAuthentication": {
    "transactionId": "txn_9f8e7d6c5b",
    "amount": 150.00,
    "currency": "EUR",
    "scaRequired": true,
    "scaExemption": "none"
  },
  "authenticationFactors": {
    "factor1": {
      "type": "knowledge",
      "method": "online_banking_password",
      "status": "verified"
    },
    "factor2": {
      "type": "possession",
      "method": "sms_otp",
      "status": "verified"
    }
  },
  "scaResult": "success",
  "authenticationTime": "2026-06-01T15:30:00Z"
}
```
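Step 2 of the flow, the decision whether to challenge, is where the exemptions described earlier are actually applied. The following is an added example, not LoginRadius code and not a regulatory reference implementation, of an issuer-side decision function for a payer-initiated remote EUR payment. The rules follow the PSD2 RTS exemptions, but the data model, the order in which exemptions are tried, the choice to count the current transaction against both low-value limits, and the treatment of a risk signal are this example's own, deliberately conservative, choices.

```python
"""SCA exemption decision for a payer-initiated remote EUR payment.

Added example; not LoginRadius code and not a regulatory reference
implementation. The rules follow the PSD2 RTS exemptions (Art. 13 trusted
beneficiaries, Art. 14 recurring transactions, Art. 16 low value, Art. 18
transaction risk analysis), but the data model, the order in which
exemptions are tried, the decision to count the current transaction against
both Art. 16 limits, and the treatment of a risk signal are this example's
own, deliberately conservative, choices.
"""
from dataclasses import dataclass, field

LOW_VALUE_CENTS = 30_00              # Art. 16(a)
LOW_VALUE_CUMULATIVE_CENTS = 100_00  # Art. 16(b)
LOW_VALUE_MAX_COUNT = 5              # Art. 16(c)
# Art. 18 / Annex: TRA ceiling by the PSP's reference fraud rate (percent) for remote card payments.
TRA_TIERS = ((500_00, 0.01), (250_00, 0.06), (100_00, 0.13))


@dataclass
class PayerState:
    """Issuer-side state for one payer. Counters reset whenever SCA is applied."""
    cumulative_since_sca_cents: int = 0
    count_since_sca: int = 0
    trusted_payees: set = field(default_factory=set)      # list created or changed under SCA (Art. 13)
    recurring_with_sca: set = field(default_factory=set)  # (payee, amount) series whose first payment had SCA


@dataclass(frozen=True)
class Transaction:
    payee: str
    amount_cents: int
    payer_initiated: bool = True  # False: merchant-initiated or MOTO, out of scope rather than exempt
    recurring: bool = False
    risk_flagged: bool = False    # the issuer's transaction monitoring raised a signal


@dataclass(frozen=True)
class Decision:
    sca_required: bool
    reason: str


def decide(tx: Transaction, state: PayerState, psp_fraud_rate_pct: float) -> Decision:
    """Issuer's decision. Exemptions are the issuer's option: a merchant may ask
    for one, but the issuer can always challenge."""
    if not tx.payer_initiated:
        return Decision(False, "out_of_scope_not_payer_initiated")
    if tx.risk_flagged:
        return Decision(True, "risk_signal")
    if tx.payee in state.trusted_payees:
        return Decision(False, "trusted_beneficiary")
    if tx.recurring and (tx.payee, tx.amount_cents) in state.recurring_with_sca:
        return Decision(False, "recurring_same_amount")
    if (tx.amount_cents <= LOW_VALUE_CENTS
            and state.cumulative_since_sca_cents + tx.amount_cents <= LOW_VALUE_CUMULATIVE_CENTS
            and state.count_since_sca + 1 <= LOW_VALUE_MAX_COUNT):
        return Decision(False, "low_value")
    for ceiling, max_rate in TRA_TIERS:
        if psp_fraud_rate_pct <= max_rate and tx.amount_cents <= ceiling:
            return Decision(False, "transaction_risk_analysis")
    return Decision(True, "no_exemption")


def record(tx: Transaction, state: PayerState, decision: Decision) -> PayerState:
    """Update the payer's counters once the transaction is authorized (call this
    only after SCA succeeded when it was required)."""
    if decision.reason.startswith("out_of_scope"):
        return state
    if decision.sca_required:
        state.cumulative_since_sca_cents = 0
        state.count_since_sca = 0
        if tx.recurring:
            state.recurring_with_sca.add((tx.payee, tx.amount_cents))
    else:
        state.cumulative_since_sca_cents += tx.amount_cents
        state.count_since_sca += 1
    return state


if __name__ == "__main__":
    payer = PayerState()
    for tx in (Transaction("cafe.example", 12_50), Transaction("cafe.example", 25_00),
               Transaction("shop.example", 150_00), Transaction("shop.example", 600_00)):
        d = decide(tx, payer, psp_fraud_rate_pct=0.05)
        record(tx, payer, d)
        print(f"{tx.payee:14} {tx.amount_cents / 100:8.2f} EUR  SCA={d.sca_required}  {d.reason}")
```

Two details are worth checking in any real implementation of this logic: the low-value counters must be reset only when SCA actually succeeded, not when it was merely requested, and the recurring exemption must key on both payee and amount, since a changed amount (a price increase, or a fraudster reusing a stored card for a larger charge) takes the transaction out of the series.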

SCA (Strong Customer Authentication) vs MFA (Multi-Factor Authentication)

SCA is a regulatory mandate specifically for payment transactions under PSD2, while MFA is a general security practice applicable to any system or application regardless of industry regulation.

SCA requires at least two of the three factor categories (knowledge, possession, inherence), independent of one another and, for remote payments, dynamically linked to the amount and payee, while MFA can use any combination of factors and may require two or more.

SCA includes dynamic transaction risk assessment and specific exemptions (low value, recurring, trusted beneficiaries), while MFA policies are set by the operator and typically apply uniformly to all authentication attempts.

Best Practices for SCA (Strong Customer Authentication)

  • Implement 3D Secure 2 (3DS2) for online card payments. It supports frictionless authentication where the issuing bank assesses risk silently without challenging the user for every transaction, and under card scheme rules an authenticated transaction shifts fraud chargeback liability to the issuer.
  • Understand and apply SCA exemptions correctly. Low-value transactions up to €30, recurring payments and trusted beneficiaries can reduce authentication friction while remaining compliant, but the issuer decides whether to honour an exemption request, and a transaction exempted at the merchant's request keeps fraud liability with the merchant.
  • Monitor transaction correlation IDs to track SCA flows end-to-end and identify issues with authentication success rates or exemption application; a falling frictionless rate often points at missing or inconsistent data in the 3DS2 authentication request.
  • Prepare for cross-border scenarios. SCA applies in full when both the payer's and the payee's payment service providers are located in the EEA; for "one-leg" transactions, where only one of them is, the EEA provider must apply SCA on a best-efforts basis.

How LoginRadius Powers SCA (Strong Customer Authentication)

LoginRadius CIAM platform supports Strong Customer Authentication compliance by providing flexible multi-factor authentication capabilities that align with PSD2 requirements. Organizations can configure authentication policies that require multiple factors (password, OTP, biometric) for payment-related transactions. LoginRadius also integrates with third-party 3D Secure providers and supports risk-based authentication to apply SCA only when necessary.

FAQs

Does SCA apply to every transaction?

No. SCA has several exemptions: remote transactions up to €30 (with cumulative limits), subsequent payments in a series of recurring transactions of the same amount to the same payee, transactions with trusted beneficiaries, contactless point-of-sale payments, and transactions the provider exempts under transaction risk analysis. Each exemption has specific conditions that must be met. Mail order/telephone order (MOTO) payments and merchant-initiated transactions, such as a stored-card charge the merchant triggers later, are outside the scope of SCA rather than exempt, although storing the card or setting up the mandate for such a series does require SCA. A one-click payment at the same merchant is still payer-initiated and needs SCA unless one of the exemptions covers it.

What is the difference between SCA and 3D Secure?

SCA is the regulatory requirement under PSD2 mandating strong authentication. 3D Secure (specifically version 2) is the technology protocol used to implement SCA for online card payments. 3DS2 is the most common implementation of SCA in e-commerce, but SCA can also be implemented through other methods like bank-issued OTP tokens or biometric verification within banking apps.

How does LoginRadius support SCA?

LoginRadius supports SCA compliance by providing multi-factor authentication capabilities that meet the knowledge/possession/inherence requirements. The platform integrates with 3D Secure authentication flows and provides adaptive authentication policies that can enforce step-up authentication for payment-related transactions based on risk assessment and transaction value thresholds.
