Understanding Strong Customer Authentication

From the Morris worm to PSD2: everything you need to know about strong customer authentication (SCA)

On the 2nd of November 1988, Robert Morris, a graduate student at Cornell University, released a self-replicating program, now known as the Morris worm, onto the internet. Why? Mostly to see whether it could be done (it could). He launched it from a machine at the Massachusetts Institute of Technology (MIT) rather than from Cornell, which did not stop investigators from tracing it back to him. The result? A flaw in the worm's spread-rate logic made it re-infect machines over and over, crippling about a tenth of the hosts then connected to the internet. Morris was convicted under the Computer Fraud and Abuse Act in 1990 (and later became a tenured professor at MIT).

This was not fraud in the payments sense, but it was one of the first large-scale attacks to exploit weak passwords: alongside bugs in sendmail and fingerd, the worm carried a small dictionary and tried common words against the password hashes of every account it could read, and it succeeded far more often than it should have. And, while he caused a lot of chaos, Morris' escapade improved internet security by making that weakness impossible to ignore.

Ever since then, legislators have sought to strengthen the internet against fraud. This is no mean feat: the growing volume of online transactions is matched by increasingly sophisticated fraud techniques. So to clamp down on fraud and make online shopping safer, the EU (supported by its major banks) created the Revised Payment Services Directive (PSD2). A central part of this is strong customer authentication (SCA).

So what does all this mean in practical terms? How does SCA impact your business and what action do you need to take and when? In this article we’ll walk you through everything you need to know about SCA; what it is, how it works, and how you can implement it correctly.

What is Strong Customer Authentication (SCA)?

As the name suggests, SCA is a more robust means of authentication. Rather than relying on a single password (which the Morris worm showed in 1988 to be a weak barrier on its own), SCA requires two independent factors drawn from three categories: something you know (a password or PIN), something you have (a registered smartphone or the card itself), and something you are (a biometric such as a fingerprint or face scan). The regulatory technical standards also require the two factors to be independent, so that a breach of one does not compromise the other; two passwords, for instance, do not count as two factors.

When is strong customer authentication required?

As is often the case, the roll-out of PSD2 legislation was easier in theory than in practice. The SCA requirements formally applied from September 14, 2019. But the European Banking Authority then allowed national regulators to defer enforcement for e-commerce card payments until December 31, 2020 because issuers and merchants weren't ready. As of now, all EEA countries are enforcing PSD2 SCA requirements, although the UK's Financial Conduct Authority has set its final enforcement date at March 14, 2022.

If you only sell to customers based in the UK, you have until next March. But, if you accept payments from customers based in the EEA, you need to be ready now.


How does strong customer authentication work in practice?

We know that SCA requires two independent factors. For example, a fingerprint (something you are) combined with a one-time code sent to your smartphone (something you have):

Examples of SCA: combining a fingerprint or a one-time authentication code sent to a smartphone with your account login
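To make the "two independent factors" idea concrete, here is an added example (not Adyen code, and not the 3D Secure flow a card issuer runs) of a login that checks a knowledge factor and a possession factor: a password stored as a PBKDF2 hash, and a time-based one-time code from an authenticator app (TOTP, RFC 6238) as a stand-in for the "code sent to your smartphone". The sample user record, salt and secret are constructed for the example; the secret is the RFC 6238 test-vector seed so the codes are reproducible. Both factors are always evaluated and compared in constant time, so a failed attempt does not tell the attacker which factor was wrong.

```python
import hashlib
import hmac
import os
import struct
import time

# Added example, not Adyen code: a knowledge factor (password) plus a possession
# factor (TOTP code from an authenticator app, RFC 6238), checked independently.
PBKDF2_ROUNDS = 200_000
TOTP_STEP = 30      # seconds per TOTP time step
TOTP_DIGITS = 6


def hash_password(password: str, salt: bytes = None):
    """Derive a PBKDF2-HMAC-SHA256 hash; returns (salt, digest) for storage."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Knowledge factor: recompute the hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored_digest)


def totp(secret: bytes, for_time: float, digits: int = TOTP_DIGITS, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP (HMAC-SHA1 with dynamic truncation) for the step containing for_time."""
    counter = int(for_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def check_totp(secret: bytes, code: str, now: float, window: int = 1) -> bool:
    """Possession factor: accept the current step and `window` steps either side
    for clock drift. Every candidate is compared so timing does not reveal which
    step (if any) matched."""
    matched = False
    for drift in range(-window, window + 1):
        expected = totp(secret, now + drift * TOTP_STEP)
        matched |= hmac.compare_digest(expected.encode(), code.encode())
    return matched


def authenticate(user: dict, password: str, code: str, now: float = None) -> bool:
    """Both factors are always evaluated (no early return), so a failed login gives
    the same response, and roughly the same timing, whichever factor was wrong."""
    now = time.time() if now is None else now
    knows = check_password(password, user["salt"], user["pw_hash"])
    has = check_totp(user["totp_secret"], code, now)
    return knows and has


# Constructed sample user: the TOTP secret is the RFC 6238 test-vector seed and the
# salt is fixed (16 bytes) so the example is reproducible; never do that in production.
SAMPLE_SECRET = b"12345678901234567890"
SAMPLE_SALT = b"constructed-salt"
SAMPLE_USER = {
    "salt": SAMPLE_SALT,
    "pw_hash": hash_password("correct horse battery staple", SAMPLE_SALT)[1],
    "totp_secret": SAMPLE_SECRET,
}

if __name__ == "__main__":
    t = 1234567890
    print(totp(SAMPLE_SECRET, t))                                                              # 005924
    print(authenticate(SAMPLE_USER, "correct horse battery staple", totp(SAMPLE_SECRET, t), t))  # True
    print(authenticate(SAMPLE_USER, "wrong password", totp(SAMPLE_SECRET, t), t))              # False
```

The independence requirement is visible in the data model: the password hash and the TOTP secret are separate secrets, so leaking one does not let an attacker satisfy the other factor.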

But how SCA is implemented also depends on the payment method. For credit and debit cards, 3D Secure (3DS) is the authentication protocol used. It is specified by EMVCo and each major card scheme runs its own branded programme on top of it; the best known are Mastercard SecureCode (now Mastercard Identity Check) and Verified by Visa (now Visa Secure). The latest version, 3D Secure 2, provides a much better user experience: the merchant sends the issuer richer device and transaction data, which lets the issuer approve low-risk payments without a challenge (the "frictionless" flow) and present a native in-app challenge when one is needed, instead of redirecting the shopper to a separate page as 3DS1 did.

Learn more about the differences between 3DS1 and 3DS2.


Local payment methods and e-wallets

Local payment methods and e-wallets also have to meet the strong authentication requirements, but most of them build authentication into the payment flow itself: the shopper approves the payment in their own banking app with a PIN or biometric, so there is no separate 3D Secure step to add. It's worth getting these right, especially if you're looking to sell to customers in the EEA. For example, we see the following local payment methods converting well:

  • Bancontact Mobile in Belgium
  • iDEAL in The Netherlands
  • Vipps in Norway, Swish in Sweden, and MobilePay in Denmark and Finland
  • EPS in Austria
  • Blik in Poland
  • MBWay in Portugal

International e-wallets like Apple Pay and Google Pay™ also provide checkout flows that meet the SCA requirements: the wallet authenticates the shopper on the device with a biometric or the device passcode before it releases a payment token. For more details, visit our SCA documentation page.

How does SCA affect my business?

Strictly speaking, the PSD2 SCA rules apply to payment service providers, that is, card issuers and acquirers, not to merchants. An issuer that approves a transaction that should have been authenticated is breaking the law in its home country. But, if you don't support the right authentication methods on your side, issuers will have no choice but to decline your authorisation requests (typically with a "soft decline" asking you to retry with authentication), and your authorisation rates will plummet.

PSD2 SCA exemptions

With PSD2, there's both a long story and a short story. The short story is that SCA is mandated for every electronic payment where both the payer's and the payee's payment service providers are in the EEA. Easy. But of course it's not as simple as that: the regulatory technical standards define a number of exemptions, and some transaction types are simply out of scope.

  • Low risk transactions (transaction risk analysis, TRA): the acquirer or issuer applying the exemption must keep its overall fraud rate below the reference rate for the amount band: 0.13% for transactions up to €100, 0.06% up to €250, and 0.01% up to €500.
  • Low value transactions: transactions of €30 or less, provided the cumulative amount exempted on the card since the last SCA does not exceed €100, or the number of consecutive exempted transactions does not exceed five (the issuer chooses which counter it tracks). Once the counter is hit, the issuer must challenge again.
  • Trusted beneficiaries: merchants the cardholder has added to a whitelist held by their issuer; adding a merchant to the list itself requires SCA.
  • Recurring transactions: subsequent payments in a series of the same amount to the same payee; only the first payment needs SCA.
  • Secure corporate payments: payments made through dedicated corporate processes or protocols (such as lodged or virtual corporate cards) that the regulator considers sufficiently secure. Ordinary B2B card payments do not automatically qualify.

Note that liability for fraud follows whoever asked for the exemption. If you or your acquirer request an exemption and the issuer accepts it, the transaction is not authenticated and chargeback liability stays with you. If the issuer applies the exemption itself, or the transaction is authenticated with 3D Secure, liability shifts to the issuer.

Out of scope examples:

  • MOTO transactions: payments taken by phone or mail, where the cardholder is not present online.
  • Merchant-initiated transactions (MITs): payments you trigger later under an agreement with the customer (a subscription with a varying amount, a delayed charge after shipping) with no customer involvement at the time of the payment. The agreement itself should be set up with SCA.
  • One-leg-out transactions: payments where either the issuer or the acquirer is outside the EEA. Providers are only expected to apply SCA on a best-efforts basis.

Full list of exempt and out of scope transactions

Many exemptions and out-of-scope scenarios depend on the bank, scheme, and regulatory interpretation. You can find the full list of exemptions in the official Regulatory Technical Standards on strong customer authentication and secure communication under PSD2 (Commission Delegated Regulation (EU) 2018/389).
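The exemptions, the out-of-scope cases and the liability rule above are, in the end, a decision table that a merchant's or acquirer's risk engine has to evaluate for every payment. The following is an added example (not Adyen code, and a simplification of what a real engine does) that encodes the RTS thresholds quoted above and returns whether a constructed sample transaction is out of scope, exempt or needs a 3D Secure challenge, and who then carries fraud liability. The `Transaction` fields and the counters (`cumulative_since_sca_eur`, `count_since_sca`, `psp_fraud_rate`) are hypothetical names: in practice the running totals live with the issuer and the fraud rate with whichever PSP is applying TRA, so a merchant can only request an exemption, never guarantee it.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Added example, not Adyen code. Figures are from the RTS (Commission Delegated
# Regulation (EU) 2018/389): Article 16 (low value) and Article 18 (TRA).
LOW_VALUE_MAX = 30.0          # per-transaction ceiling
LOW_VALUE_CUMULATIVE = 100.0  # cumulative exempted amount since last SCA
LOW_VALUE_COUNT = 5           # consecutive exempted transactions since last SCA
TRA_BANDS = [                 # (amount ceiling, reference fraud rate the PSP must stay at or below)
    (100.0, 0.0013),
    (250.0, 0.0006),
    (500.0, 0.0001),
]


@dataclass
class Transaction:                          # hypothetical field names, not an API schema
    amount_eur: float
    issuer_in_eea: bool = True
    acquirer_in_eea: bool = True
    moto: bool = False                      # phone or mail order
    merchant_initiated: bool = False        # MIT under a prior customer agreement
    recurring_fixed_amount: bool = False    # part of a same-amount, same-payee series
    first_in_series: bool = False
    trusted_beneficiary: bool = False       # shopper whitelisted this merchant at the issuer
    cumulative_since_sca_eur: float = 0.0   # exempted spend on this card since the last SCA
    count_since_sca: int = 0                # exempted transactions since the last SCA
    psp_fraud_rate: Optional[float] = None  # rolling fraud rate of the PSP applying TRA


def classify(tx: Transaction) -> Tuple[str, Optional[str]]:
    """Return (status, reason): status is 'out_of_scope', 'exempt' or 'sca_required'."""
    # Out of scope first: one-leg-out, MOTO and merchant-initiated transactions.
    if not (tx.issuer_in_eea and tx.acquirer_in_eea):
        return "out_of_scope", "one_leg_out"
    if tx.moto:
        return "out_of_scope", "moto"
    if tx.merchant_initiated:
        return "out_of_scope", "merchant_initiated"

    # Exemptions, in the order a merchant would normally prefer them.
    if tx.trusted_beneficiary:
        return "exempt", "trusted_beneficiary"
    if tx.recurring_fixed_amount and not tx.first_in_series:
        return "exempt", "recurring"
    # Article 16 read literally: the *previous* exempted amount and count since the
    # last SCA must not exceed the limits. Counting the current payment as well is a
    # stricter policy choice some issuers make; this example applies both counters.
    if (tx.amount_eur <= LOW_VALUE_MAX
            and tx.cumulative_since_sca_eur <= LOW_VALUE_CUMULATIVE
            and tx.count_since_sca <= LOW_VALUE_COUNT):
        return "exempt", "low_value"
    if tx.psp_fraud_rate is not None:
        # TRA: the PSP's fraud rate must be at or below the reference rate for the
        # smallest band that still covers the amount.
        for ceiling, reference_rate in TRA_BANDS:
            if tx.amount_eur <= ceiling and tx.psp_fraud_rate <= reference_rate:
                return "exempt", "transaction_risk_analysis"

    return "sca_required", None


def liability_holder(status: str, requested_by: str = "issuer") -> str:
    """Who carries fraud chargeback liability after the decision above.
    An exemption the merchant/acquirer requested keeps liability with the merchant;
    one the issuer applies, or a completed 3D Secure authentication, shifts it to the issuer."""
    if status == "exempt":
        return "merchant" if requested_by == "acquirer" else "issuer"
    if status == "sca_required":
        return "issuer"   # assuming the 3D Secure challenge then succeeds
    return "merchant"     # out-of-scope transactions get no liability shift


if __name__ == "__main__":
    # Constructed sample transactions.
    print(classify(Transaction(amount_eur=25.0, cumulative_since_sca_eur=80.0, count_since_sca=3)))
    print(classify(Transaction(amount_eur=25.0, cumulative_since_sca_eur=105.0, count_since_sca=3)))
    print(classify(Transaction(amount_eur=200.0, psp_fraud_rate=0.0005)))
    print(classify(Transaction(amount_eur=200.0, psp_fraud_rate=0.0010)))
    print(classify(Transaction(amount_eur=90.0, acquirer_in_eea=False)))
    print(liability_holder("exempt", requested_by="acquirer"))
```

The ordering matters: out-of-scope checks come before exemptions because an MIT or one-leg-out payment never needs an exemption flag, and an acquirer-requested TRA exemption is checked last because it is the one that costs the merchant the liability shift if the issuer accepts it.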

How can Adyen help?

With Adyen, you can either let our Authentication Engine handle PSD2 SCA compliance for you, or manage it yourself.

With the Adyen Authentication Engine, we don't trigger 3D Secure for out-of-scope transactions or where an exemption applies. We also skip 3D Secure if the issuing bank doesn't enforce it.

If you want to manage PSD2 SCA compliance yourself, Adyen offers two options. You can either:

  • configure rules with Adyen Dynamic 3D Secure
  • specify preferences in your API request.

For more information on how to implement any of these options, check out our SCA compliance docs page.

Still want to learn more?

Find out how Adyen can help your business with SCA compliance.
