Understanding strong customer authentication and how it works
From the Morris Worm to PSD2 — here's everything you need to know about strong customer authentication (SCA).
In November 1988, a graduate named Robert Morris released a computer worm into the internet.
The result? The worm went rogue, broke the internet, and Morris was arrested. He did, however, go on to become a tenured professor at the Massachusetts Institute of Technology (MIT).
This was one of the earliest instances of internet fraud: the worm exploited weak passwords and exposed a critical vulnerability on the web.
Since then, legislators have sought to strengthen the internet against fraud attacks — which have become increasingly sophisticated over the years.
To support its efforts, the EU introduced a Payments Service Directive (PSD) and later, PSD2. A central part of PSD2 is strong customer authentication (SCA).
We're sharing everything you need to know about SCA — from how it works to how you can implement it correctly.
Note: PSD3 is an updated version of PSD2 that could take effect in 2026. Learn more about it: A guide to understanding PSD3.
What is strong customer authentication (SCA)?
SCA is a more robust means of authentication.
Rather than solely relying on a single password, SCA requires two forms of authentication.
This means two factors drawn from different categories, out of the following three:
Something you know (e.g. a password, passphrase, PIN, sequence, secret fact)
Something you own (e.g. a smartphone, wearable device, token)
Something you are (e.g. biometrics)
When is strong customer authentication required?
The rollout of PSD2 legislation was easier in theory than in practice.
While the requirements were introduced on September 14, 2019, the European Banking Authority extended the deadline to December 31, 2020 to give banks more time to get ready.
As of now, all EEA countries are enforcing PSD2 SCA requirements, although final implementation in the UK has been delayed to March 14, 2022.
If you only sell to customers based in the UK, you have until next March. If you accept payments from customers based in the EEA, you need to be ready now.
How does strong customer authentication work?
We know that SCA requires two separate forms of authentication, for example a fingerprint combined with a code sent to your smartphone.
But implementing SCA will also depend on payment methods:
Credit and debit cards: 3D Secure is the authentication method used
Major card schemes: Have their own branded versions of 3D Secure; the most widely known are Mastercard SecureCode and Verified by Visa. The protocol's latest iteration (3D Secure 2) provides a much better user experience.
Learn more about the differences between 3D Secure and 3D Secure 2 in our guide.
Local payment methods and e-wallets
Local payment methods and e-wallets will also need to be subjected to strong authentication.
And it’s worth getting these right, especially if you want to sell to customers in the EEA. For example, we see the following local payment methods converting well:
Bancontact Mobile in Belgium
iDEAL in The Netherlands
MobilePay, Vipps, and Swish in Norway, Sweden, Denmark, and Finland
EPS in Austria
Blik in Poland
MBWay in Portugal
International e-wallets like Apple Pay and Google Pay™ also provide checkout flows that meet the new SCA requirements. For more details, read our SCA documentation page.
How does strong customer authentication affect my business?
The PSD2 SCA regulations are for banks. Issuing banks that approve non-compliant transactions are violating the law in their home country.
That said, if your business doesn’t support the right authentication methods, banks will decline your payment approval requests — and your authorisation rates will plummet.
PSD2 SCA exemptions
With PSD2, there’s a long story and a short story.
The short story is that SCA is mandated for all online transactions across the EEA.
The long story is that it's not so simple. There are many exemptions, and other transactions are out of scope.
Low risk transactions: Transactions through an acquirer or issuer whose fraud rate is below a certain threshold.
Low value transactions: Transactions under €30, provided cumulative payments on the same card have not exceeded €100.
Trusted beneficiaries: Certain trusted businesses as chosen by the cardholder.
Recurring transactions: Recurring, fixed-amount transactions after the first payment.
B2B transactions: Payments between corporations.
Note: If you or your acquirer requests an exemption and the request is accepted by the issuer, the liability stays with you. If the exemption is applied by the issuer, the liability shifts to the issuer.
Out of scope examples
MOTO transactions: Payments via phone or mail.
Merchant initiated transactions (MITs): Transactions without direct customer involvement.
Inter-regional transactions: Payments involving non-European businesses or customers.
Full list of exempt and out of scope transactions
Many exemptions and out of scope scenarios depend on the bank, scheme, and regulatory interpretation. You can find a list of all the exemptions in the official Regulatory technical standards on strong customer authentication and secure communication under PSD2.
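A simplified model of the exemption, out-of-scope and liability rules listed above, together with the two-category factor check from the SCA definition, as an added example that is not Adyen's code: the thresholds are the page's, while the transaction fields, factor names, EEA subset and liability labels are this example's own assumptions.

```python
# Added example (not Adyen's code). Thresholds follow the page; the transaction
# fields, factor names, EEA subset and liability labels are assumptions.
from dataclasses import dataclass

EEA = {"AT", "BE", "DE", "DK", "ES", "FI", "FR", "IE", "IT", "NL", "NO", "PL", "PT", "SE"}  # constructed subset

# Categories from the "know / own / are" list (assumed factor names).
FACTOR_CATEGORY = {"password": "knowledge", "pin": "knowledge", "smartphone_otp": "possession",
                   "token": "possession", "fingerprint": "inherence"}

def is_strong_authentication(factors):
    """A password plus a PIN is still one category; SCA needs two distinct ones."""
    return len({FACTOR_CATEGORY[f] for f in factors}) >= 2

@dataclass
class Transaction:
    amount_eur: float
    previous_cumulative_eur: float = 0.0  # spend on this card since the last SCA
    merchant_country: str = "NL"
    issuer_country: str = "NL"
    channel: str = "ecommerce"            # or "moto" / "mit"
    recurring_fixed: bool = False         # fixed-amount recurrence after the first payment
    b2b: bool = False
    trusted_beneficiary: bool = False
    low_risk_acquirer: bool = False       # acquirer's fraud rate is under the threshold

def out_of_scope(tx):
    if tx.channel in ("moto", "mit"):
        return tx.channel.upper()
    if tx.merchant_country not in EEA or tx.issuer_country not in EEA:
        return "inter-regional"
    return None

def applicable_exemption(tx):
    checks = [("trusted beneficiary", tx.trusted_beneficiary), ("recurring", tx.recurring_fixed),
              ("B2B", tx.b2b), ("low value", tx.amount_eur < 30 and tx.previous_cumulative_eur <= 100),
              ("low risk", tx.low_risk_acquirer)]
    return next((name for name, ok in checks if ok), None)

def sca_decision(tx, exemption_applied_by="issuer"):
    """Whether a challenge is needed, why, and who carries fraud liability."""
    scope = out_of_scope(tx)
    if scope:
        return {"sca_required": False, "reason": f"out of scope: {scope}", "liability": "n/a"}
    exemption = applicable_exemption(tx)
    if exemption is None:
        return {"sca_required": True, "reason": "no exemption applies", "liability": "n/a"}
    # Liability follows whoever applied the exemption (see the note above).
    liability = "issuer" if exemption_applied_by == "issuer" else "merchant"
    return {"sca_required": False, "reason": f"exemption: {exemption}", "liability": liability}
```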
How can Adyen help with strong customer authentication?
With Adyen, you can either choose our Authentication Engine to handle PSD2 SCA compliance for you, or you can manage it yourself.
With the Adyen Authentication Engine, we won’t trigger 3D Secure for out of scope transactions or exemptions. We'll also skip 3D Secure if the issuing bank doesn’t enforce 3D Secure.
If you want to manage PSD2 SCA compliance yourself, Adyen offers two options. You can either:
Configure rules with Adyen Dynamic 3D Secure
Specify preferences in your API request
For more information on how to implement these options, read our SCA compliance page.