Strong Customer Authentication (SCA) is a security requirement introduced under the European Union's revised Payment Services Directive (PSD2). It requires payment service providers to verify a customer's identity using at least two independent authentication factors before certain electronic payments or account actions can be completed.
The goal of SCA is to reduce payment fraud and improve the security of online payments and account access.
The authentication factors must come from at least two of the following categories:
Because the factors are independent, compromising one factor should not compromise the others.
When SCA is required, the customer must complete an authentication process using two separate factors. For example, a customer making an online card payment may enter a password through their banking app and then confirm the transaction using biometric authentication on their mobile device. Many SCA-compliant card payments are processed using 3D Secure (3DS), which allows issuers to authenticate cardholders during checkout.
SCA generally applies to:
However, not every transaction requires it. Regulations allow specific exemptions for low-value transactions, recurring payments, trusted beneficiaries, and certain low-risk transactions where the provider can demonstrate appropriate fraud controls. The availability of exemptions depends on regulatory requirements, transaction risk, payment type, and provider capabilities.
SCA has changed how online payments are authenticated across Europe and other markets that have adopted similar approaches. For consumers, it adds an extra layer of protection against fraud and unauthorised access to accounts. For merchants and payment providers, SCA helps improve payment security and regulatory compliance. At the same time, authentication requirements can affect checkout performance, making it important to balance security, customer experience, and payment conversion.
Authentication is one of the factors that can influence payment outcomes. If authentication fails or the customer abandons the process, a payment may not be completed even if the issuer would otherwise approve it. For this reason, payment teams often monitor authentication performance alongside metrics such as authorisation rate, acceptance rate, and payment conversion rate.
Modern payment infrastructures typically support SCA-compliant authentication flows while helping businesses manage routing, reporting, and payment operations across multiple providers and payment methods.
