What is Strong Customer Authentication (SCA)?

Strong Customer Authentication (SCA) is a regulatory requirement aimed at improving the security of electronic payments and reducing fraud.  

SCA modifies the identification verification process for online purchases, mainly in the UK and Europe, introducing supplementary protection measures.  

While primarily concerned with the EEA, SCA’s principles are impacting global payment security standards.

As part of the EU’s PSD2, online payments must use multi-factor authentication, which requires at least two of three elements:  

• knowledge (what the user knows) 
• possession (what the user possesses) 
• inherence (who the user is).  

SCA is built on identity verification and authentication, which improves security by requiring several verification elements.  

SCA solutions provide a supplementary security measure against cyber risks, such as phishing and account takeovers, subject to compliance reviews by the European Banking Authority (EBA). 

SCA exemptions are exceptions to Strong Customer Authentication rules that aim to balance security and user experience.  

Examples of common exemptions include:  

• low-value transactions (usually under €100) 
• transactions viewed as low-risk based on the acquirer’s fraud levels 
• fixed-recurring transactions  

Contactless payments below a particular level, as well as cumulative payments totaling less than a predetermined sum, may also be excluded.  

Implementing SCA requires cross-functional coordination across product, legal, operations, and finance teams.  

1. Implement robust identity verification and authentication procedures.  
2. Ensure compliance by requiring at least two authentication factors during online transaction checkouts.  For example, to finish a purchase, a buyer may enter a password and a one-time code given to their phone.  

SCA impacts the checkout process by introducing another layer of authentication.  Here is how:  

• SCA has been observed to correlate with fewer fraudulent transactions, potentially affecting security levels for businesses and customers.
• It may influence trust and confidence in online transactions.
• SCA’s presence in the checkout process may be associated with variations in cart abandonment.
• Tassi di conversione may be affected by the implementation approach.
• Some clients may find the extra authentication stages complicated.  

SCA protects against fraud by mandating multi-factor authentication for online payments.  This makes it substantially more difficult for unauthorized parties to obtain financial information and conduct fraudulent activities.  

Furthermore, SCA distributes the burden for fraud from the online business to the payment provider, limiting potential economic losses.  The European Banking Authority introduced SCA to safeguard consumers from online fraud.  

SCA brings forward the following benefits:  

• SCA implementation has an impact on the security of online transactions and could correlate with customer trust, potentially relating to loyalty. 
• SCA is critical to assuring the security of online payments and financial transactions in the digital era. 
• Membership in the SCA community relates to industry visibility and may affect the industry’s future.  

Strong Customer Authentication (SCA) is not currently mandated across the United States.  

As global payment security standards change, the appearance of SCA-related initiatives in the U.S.  is a possibility.  In the future, potentially at the state level.  

For example, U.S. companies that conduct business in the European Economic Area (EEA) must comply with PSD2 and SCA regulations for transactions involving EU customers.  

U.S.  merchants should proactively adapt their capabilities and consider implementing solutions like 3D Secure 2.0 to prepare for potential future SCA requirements and benefit from enhanced security.