February 10, 2021

What is Strong Customer Authentication (SCA)?

The latest PSD2 regulation (the second Payment Services Directive of the European Union) requires the implementation of Strong Customer Authentication (SCA) as a heightened security measure for processing online payments. Luckily, 3D Secure 2 is fully aligned with the PSD2 directive and includes SCA as a key feature that promotes safer-than-ever online payments.

PSD2 requirement for SCA

As part of the PSD2 regulation launched in September 2019, the Strong Customer Authentication (SCA) requirement came into effect. The regulation covers the types of payments that are impacted by SCA, as well as the exempted payment scenarios that are not subject to the new requirement. To learn more about this topic, we prepared a short read covering the definition of SCA, how it works, and the online payment scenarios in which SCA is not necessary.

SCA in action

Strong Customer Authentication (SCA) is defined as an additional layer of security for online payments. More precisely, SCA is based on at least two elements drawn from the following categories:

  • knowledge (what the cardholder knows, e.g., PIN, password),
  • possession (what the cardholder has, e.g., phone, hardware token),
  • inherence (what the cardholder is, e.g., facial recognition, fingerprints).

In practical terms, this means that consumers perform additional checks in order to prove that they are who they claim to be.

SCA is additionally enhanced with Dynamic Linking, which aims to prevent social engineering attacks such as the "man-in-the-middle" attack. Dynamic linking ties the authentication code to the specific amount and payee of the transaction, so a code generated for one payment cannot be reused for an altered one.
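The following is an added example, not code from the article or from Asseco's product, showing what dynamic linking looks like on the issuer side: the authentication code is an HMAC over the amount, payee and a per-challenge nonce (the HMAC construction, field encoding and all names are assumptions for this illustration). It then checks what happens when the same code is presented with a changed amount, a changed payee, or a new challenge.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    """The two details dynamic linking must bind: amount and payee."""
    amount_cents: int
    currency: str
    payee: str


def linked_message(tx: Transaction, nonce: bytes) -> bytes:
    # Canonical encoding of what the cardholder was shown and approved.
    # The nonce is a fresh per-challenge value so a code cannot be replayed.
    return f"{tx.amount_cents}|{tx.currency}|{tx.payee}|".encode() + nonce


def issue_auth_code(key: bytes, tx: Transaction, nonce: bytes) -> str:
    """Issuer side: derive the authentication code from an issuer secret and
    the transaction details (HMAC-SHA256 is an assumed construction here)."""
    return hmac.new(key, linked_message(tx, nonce), hashlib.sha256).hexdigest()


def verify_auth_code(key: bytes, tx: Transaction, nonce: bytes, code: str) -> bool:
    """Issuer side: recompute the code for the transaction actually submitted
    for authorisation and compare it in constant time."""
    expected = issue_auth_code(key, tx, nonce)
    return hmac.compare_digest(expected, code)


def demo() -> dict:
    """Constructed scenario: the cardholder approves a 25.99 EUR payment to
    shop.example; the same code is then presented for altered transactions
    and for a replay under a new challenge nonce."""
    key = secrets.token_bytes(32)      # issuer secret bound to this cardholder
    nonce = secrets.token_bytes(16)    # challenge for this one authentication
    approved = Transaction(2599, "EUR", "shop.example")
    code = issue_auth_code(key, approved, nonce)

    amount_changed = Transaction(259900, "EUR", "shop.example")
    payee_changed = Transaction(2599, "EUR", "other-merchant.example")
    return {
        "approved": verify_auth_code(key, approved, nonce, code),
        "amount_changed": verify_auth_code(key, amount_changed, nonce, code),
        "payee_changed": verify_auth_code(key, payee_changed, nonce, code),
        "replayed": verify_auth_code(key, approved, secrets.token_bytes(16), code),
    }


if __name__ == "__main__":
    print(demo())  # only "approved" is True
```

Only the transaction the cardholder actually saw verifies; any change to the amount or payee, or any attempt to reuse the code under a later challenge, fails at the issuer without the cardholder having to notice anything.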

SCA exemptions

To ease the online payment process for both cardholders and merchants, PSD2 includes SCA exemptions: online payment scenarios that are not subject to the new requirement. It is important to emphasize that not every transaction that qualifies for an SCA exemption will automatically be exempted. The issuing bank has the last word on whether the exemption is granted or not. In other words, even if the transaction meets all the criteria for an SCA exemption, the cardholder might still be obligated to authenticate themselves using the standard SCA method if the issuing bank requires such an approach.

The following transactions are classified as SCA exemptions:

  • Low-value transactions – online payments under 30 euros (limited by a certain number of possible low-value transactions in a day or by a cumulative value spent in a predefined time period).
  • Subscriptions and recurring payments – transactions whose value is the same each time a payment is processed.
  • Transaction risk analysis – transactions that are deemed low risk based on predefined technical criteria rather than the transaction's value.
  • Whitelisting – a cardholder can flag individual online merchants as "trusted" with their issuing bank in order to avoid SCA during the checkout process.
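As an added example (not the article's or any issuer's own logic), the exemption rules above can be expressed as an issuer-side decision routine. The 30 euro limit comes from the article; the count and cumulative caps, the risk-score threshold and all names are assumptions, and the issuer policy callback models the point that qualifying for an exemption does not by itself grant it.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# From the article: a low-value payment is one under 30 euros.
LOW_VALUE_LIMIT_CENTS = 3000
# The article only mentions "a certain number" of low-value payments and a
# cumulative cap; these two defaults are assumptions for the example.
LOW_VALUE_MAX_COUNT = 5
LOW_VALUE_MAX_CUMULATIVE_CENTS = 10_000


@dataclass
class CardholderState:
    """Issuer-side counters and lists kept per card (constructed model)."""
    low_value_count_since_sca: int = 0
    low_value_cumulative_cents_since_sca: int = 0
    trusted_merchants: set = field(default_factory=set)
    # merchant -> fixed amount of an established subscription
    recurring_amounts: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Payment:
    amount_cents: int
    merchant: str
    recurring: bool = False
    risk_score: float = 1.0   # 0.0 = lowest risk; an assumed TRA output, not a real scheme's score


def exemption_candidate(p: Payment, s: CardholderState, tra_threshold: float = 0.2) -> Optional[str]:
    """Return the exemption type the payment qualifies for, or None."""
    if p.merchant in s.trusted_merchants:
        return "whitelisting"
    if p.recurring and s.recurring_amounts.get(p.merchant) == p.amount_cents:
        return "recurring"
    if (p.amount_cents < LOW_VALUE_LIMIT_CENTS
            and s.low_value_count_since_sca < LOW_VALUE_MAX_COUNT
            and s.low_value_cumulative_cents_since_sca + p.amount_cents <= LOW_VALUE_MAX_CUMULATIVE_CENTS):
        return "low-value"
    if p.risk_score <= tra_threshold:
        return "transaction-risk-analysis"
    return None


def decide(p: Payment, s: CardholderState,
           issuer_accepts: Callable[[str, Payment], bool]) -> tuple:
    """Return ("exempt", reason) or ("sca", reason). Qualifying is not enough:
    the issuer's policy callback has the last word."""
    reason = exemption_candidate(p, s)
    if reason is None:
        return ("sca", None)
    if not issuer_accepts(reason, p):
        return ("sca", reason)          # qualified, but the issuer still demands SCA
    if reason == "low-value":
        s.low_value_count_since_sca += 1
        s.low_value_cumulative_cents_since_sca += p.amount_cents
    return ("exempt", reason)


def record_sca(s: CardholderState) -> None:
    """A completed SCA resets the low-value counters."""
    s.low_value_count_since_sca = 0
    s.low_value_cumulative_cents_since_sca = 0


def demo() -> list:
    """Constructed payments run through the decision routine."""
    def accept_all(reason, p):
        return True

    def no_low_value(reason, p):        # an issuer that never grants low-value
        return reason != "low-value"

    s = CardholderState(trusted_merchants={"trusted-shop.example"},
                        recurring_amounts={"stream.example": 999})
    return [
        decide(Payment(2500, "shop.example"), s, accept_all),            # low-value
        decide(Payment(3500, "shop.example"), s, accept_all),            # SCA required
        decide(Payment(9900, "trusted-shop.example"), s, accept_all),    # whitelisting
        decide(Payment(999, "stream.example", recurring=True), s, accept_all),  # recurring
        decide(Payment(1000, "shop.example"), s, no_low_value),          # issuer overrides
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The counters illustrate why the limits in the low-value bullet matter: once the assumed count or cumulative cap is reached, further small payments fall back to SCA until a successful authentication resets them.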

SCA, 3D Secure 2 and PSD2

Luckily for merchants and issuing banks, 3D Secure 2 is fully aligned with the PSD2 directive and includes SCA as a key feature that promotes safer-than-ever online payments.

Security concerns are not the only ones addressed by implementing the new 3D Secure 2 protocol. This upgrade solves the issue of high cart abandonment rates, promotes "frictionless authentication" and does not interfere with the user experience during the online checkout process.

For more information, contact us at [email protected] to get a free, zero-obligation consultation or try our DEMO to see 3D Secure in action.

© Asseco South Eastern Europe 2021. All rights reserved