As the popularity of mobile banking and digital wallets grows, so do opportunities for fraud. Businesses and consumers face risks ranging from phishing to stolen card details, which makes secure payer verification increasingly important.
That’s where Strong Customer Authentication (SCA) comes in. Part of the European Union (EU) PSD2 rules, SCA adds a critical layer of protection to digital payments. It helps businesses prevent unauthorised transactions and gives consumers confidence in their online payments.
In this guide, we’ll explain how SCA works, its benefits, and the rules and exemptions required for compliance.
What’s SCA?
Simply put, SCA is a regulatory requirement for multi-factor verification of the payer. It applies to electronic payments, including those made with credit cards, debit cards, and digital wallets like Google Pay.
PSD2, together with the Regulatory Technical Standards (RTS) and guidance from the European Banking Authority (EBA), sets requirements for financial institutions. They must implement SCA regulations as follows:
- Authenticate the payer using multi-factor authentication (MFA) before approving a payment.
- Use at least two factors from knowledge, possession, or inherence to verify identity.
- Obtain the payer’s clear consent for the payment amount and recipient.
- Cryptographically link the authentication code to the specified amount and payee (dynamic linking), so that a code approved for one payment cannot be reused for a different amount or recipient. This binding is what sets SCA apart from standard step-up MFA.
By enforcing these measures, businesses reduce fraud, protect consumers, and build confidence in digital payments.
Why was SCA introduced?
As e-commerce and electronic transactions expanded across the EU and European Economic Area (EEA), fraudsters increasingly exploited weak authentication. To reduce online payment fraud, the EU’s revised Payment Services Directive (PSD2, adopted in 2015) mandated SCA; the detailed rules in the RTS were drafted by the EBA and adopted by the European Commission (EC).
The SCA requirements officially applied from 14 September 2019, but the EBA allowed national regulators to grant the industry extra migration time, with a final deadline of 31 December 2020.
Today, all EEA countries enforce SCA. The United Kingdom (U.K.), which kept the requirement in its own rules after leaving the EU, delayed the final enforcement date for e-commerce until 14 March 2022. Since full enforcement, all merchants selling to EEA and U.K. cardholders must be SCA-ready.
SCA requirements and core authentication rules
SCA sets out clear rules for securing online payments. At its core, it requires users to prove who they are with at least two authentication factors from different categories, and the factors must be independent: compromising one (a phished password, say) must not compromise the other. A fraudster who gets hold of one element therefore still cannot complete the transaction.
To comply with SCA, payment service providers and businesses must base authentication on three categories of factors:
- Something you know: A password, PIN, or passcode.
- Something you have: A registered mobile phone, a payment card, or a hardware token or app that generates one-time passwords (OTPs). An OTP is evidence of possessing the device it was generated on or delivered to, not a factor in itself.
- Something you are: Biometric identifiers, like a fingerprint or facial recognition.
Examples of valid combinations that satisfy SCA include:
- Password + fingerprint (knowledge + inherence)
- PIN + payment card (knowledge + possession)
- Password + OTP from an authenticator app (knowledge + possession)
An SMS code plus an approval in a banking app does not qualify: both prove possession (of the SIM and of the phone), so they are two factors from the same category, and often on the same device.
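The following is an added example, not code from the original article or from Moss: an issuer-side check for the two SCA rules described above, (1) at least two independent factors from different categories and (2) an authentication code dynamically linked to the amount and payee. The shared key, device names, payee and amounts are constructed sample values, and the factor labels are illustrative.

```python
"""Added illustration, not code from the original article or from Moss: an
issuer-side check for the two SCA rules described above, (1) at least two
independent factors from different categories and (2) an authentication code
dynamically linked to the amount and payee. The shared key, device names,
payee and amounts are constructed sample values."""
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import dataclass

KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"


@dataclass(frozen=True)
class Factor:
    kind: str     # knowledge | possession | inherence
    channel: str  # the device or medium that evidences it, e.g. "phone-A"
    label: str    # human-readable name for the decision reason


def check_factors(factors: list[Factor]) -> tuple[bool, str]:
    """Require factors from at least two different categories.

    An SMS code and a push approval both prove possession (of the SIM and of
    the phone), so they share one category and fail. Factors from different
    categories on a single device pass, but the RTS then demands independence
    mitigations (for example a separate secure execution environment).
    """
    categories = {f.kind for f in factors}
    if len(categories) < 2:
        names = ", ".join(f.label for f in factors)
        return False, f"only one category ({', '.join(sorted(categories))}): {names}"
    if len({f.channel for f in factors}) == 1:
        return True, "ok, but all elements on one device: independence mitigations required"
    return True, "ok"


def mint_auth_code(key: bytes, amount_cents: int, payee: str, nonce: str) -> str:
    """Authentication code bound to the exact amount and payee the payer saw.

    In practice the payer's authenticator holds the (device-bound) key and the
    issuer verifies; the nonce is the issuer's single-use challenge for this
    transaction, which also stops an earlier code being replayed.
    """
    msg = json.dumps({"amount": amount_cents, "payee": payee, "nonce": nonce},
                     sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_auth_code(key: bytes, amount_cents: int, payee: str, nonce: str, code: str) -> bool:
    """Recompute the code over the amount and payee actually being authorised;
    any change to either since the payer approved it makes the check fail."""
    return hmac.compare_digest(mint_auth_code(key, amount_cents, payee, nonce), code)


def authorise(factors: list[Factor], key: bytes, amount_cents: int, payee: str,
              nonce: str, code: str) -> tuple[bool, str]:
    """Full SCA decision: factor categories first, then dynamic linking."""
    ok, reason = check_factors(factors)
    if not ok:
        return False, reason
    if not verify_auth_code(key, amount_cents, payee, nonce, code):
        return False, "authentication code does not match amount/payee (dynamic linking)"
    return True, reason


if __name__ == "__main__":
    key = b"constructed-sample-key"
    payer = [Factor(KNOWLEDGE, "browser", "password"),
             Factor(INHERENCE, "phone-A", "fingerprint")]
    code = mint_auth_code(key, 4_999, "merchant:acme-grocery", "challenge-1")
    print(authorise(payer, key, 4_999, "merchant:acme-grocery", "challenge-1", code))
    # The same code presented for a tampered amount is rejected:
    print(authorise(payer, key, 9_999, "merchant:acme-grocery", "challenge-1", code))
```

The point of the second call is the one the article makes about dynamic linking: a man-in-the-browser that changes the amount or payee after the customer approved the payment cannot reuse the approval, because the code no longer verifies. A production issuer would additionally record each nonce as used so that a valid code cannot be submitted twice.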
5 SCA exemptions and when they apply
While businesses and payment service providers must apply SCA rules to most electronic payments, some exemptions exist to make transactions smoother without sacrificing security. Here are five common examples.
1. Transaction risk analysis (TRA)
Payment service providers can skip full SCA for low-risk remote transactions based on real-time fraud monitoring. The thresholds are fixed in the RTS rather than chosen by each provider: the provider’s reference fraud rate for this kind of payment must not exceed
- 0.13% for transactions up to €100
- 0.06% for transactions up to €250
- 0.01% for transactions up to €500
Notably, these percentages are the provider’s (acquirer’s or issuer’s) overall fraud rate for remote card payments, calculated quarterly across all its transactions, not the risk score of the individual payment. Even when the thresholds are met, the card issuer may still decline the exemption and require SCA.
2. Recurring payments
After the first payment, which must itself be authenticated with SCA, businesses don’t need to apply SCA to subsequent payments in a series of the same amount to the same payee, such as a monthly streaming service or gym membership. Notably, any change in the amount or the payee triggers SCA again.
3. Contactless payments
Contactless card payments are exempt when both of the following hold (U.K. figures shown; the EEA RTS sets €50 per payment and €150 cumulative, or five consecutive payments, since the last SCA):
- The single payment does not exceed £100
- Cumulative contactless payments since the last PIN entry (or other SCA) stay within £300
Each card on a joint account has its own counters. These limits let customers make everyday purchases, like coffee and groceries, quickly and conveniently, while still capping how much can be spent on a lost or stolen card before a PIN is demanded.
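Below is an added example, not code from the original article or from Moss, of an exemption engine covering the two exemptions above that need numbers: transaction risk analysis (the RTS fraud-rate bands) and contactless payments (the RTS limits, plus the U.K. figures quoted in this article). The per-card counters are the state an issuer keeps between SCA events. All fraud figures and card records are constructed sample data, and the U.K. consecutive-payment count of five is an assumption carried over from the EEA RTS, since the article only gives the £100 and £300 limits.

```python
"""Added illustration, not code from the original article or from Moss: an
exemption engine for two PSD2 SCA exemptions, transaction risk analysis
(RTS fraud-rate bands) and contactless payments (RTS limits plus the UK
figures quoted in the article). Fraud figures and card records are
constructed sample data."""
from dataclasses import dataclass

# TRA bands: (exemption threshold value in cents, maximum reference fraud
# rate). A PSP may use TRA for an amount only if its own fraud rate is at or
# below the rate of the lowest band that contains the amount.
TRA_BANDS = [(10_000, 0.0013), (25_000, 0.0006), (50_000, 0.0001)]


def reference_fraud_rate(fraud_value_cents: int, total_value_cents: int) -> float:
    """Value of fraudulent remote transactions divided by the value of all
    remote transactions, measured over the previous quarter."""
    if total_value_cents == 0:
        return 1.0  # no history: treat as ineligible rather than as zero fraud
    return fraud_value_cents / total_value_cents


def tra_exempt(amount_cents: int, fraud_rate: float) -> bool:
    """True if the amount falls in a TRA band the PSP's fraud rate qualifies for."""
    for etv, max_rate in TRA_BANDS:
        if amount_cents <= etv:
            return fraud_rate <= max_rate
    return False  # above EUR 500 TRA is never available


# Contactless limits in cents: single payment, cumulative value since the last
# SCA, and consecutive count since the last SCA. EEA values are the RTS
# figures; the UK single/cumulative values are those in the article, and the
# UK count of 5 is assumed here to match the RTS (the article does not say).
CONTACTLESS_LIMITS = {
    "EEA": {"single": 5_000, "cumulative": 15_000, "count": 5},
    "UK": {"single": 10_000, "cumulative": 30_000, "count": 5},
}


@dataclass
class CardCounters:
    """Per-card state an issuer keeps between SCA events."""
    cumulative_since_sca: int = 0
    count_since_sca: int = 0


def contactless_exempt(card: CardCounters, amount_cents: int, region: str) -> bool:
    """Apply the contactless exemption and, if granted, advance the counters.

    The RTS lets either the cumulative or the count condition satisfy the
    rule; this implementation applies both (the stricter reading) so a run of
    payments cannot ride the count condition past the cumulative limit.
    """
    lim = CONTACTLESS_LIMITS[region]
    if amount_cents > lim["single"]:
        return False
    if card.cumulative_since_sca + amount_cents > lim["cumulative"]:
        return False
    if card.count_since_sca + 1 > lim["count"]:
        return False
    card.cumulative_since_sca += amount_cents
    card.count_since_sca += 1
    return True


def record_sca(card: CardCounters) -> None:
    """Reset the counters after a PIN entry or other full SCA on this card."""
    card.cumulative_since_sca = 0
    card.count_since_sca = 0


def decide(amount_cents: int, channel: str, card: CardCounters, region: str,
           psp_fraud_rate: float, issuer_step_up: bool = False) -> str:
    """Outcome for one payment: 'exempt:tra', 'exempt:contactless' or 'sca'.

    The issuer can always refuse an exemption (issuer_step_up) and demand SCA;
    TRA applies to remote payments only, contactless to in-person taps.
    """
    if issuer_step_up:
        record_sca(card)
        return "sca"
    if channel == "contactless" and contactless_exempt(card, amount_cents, region):
        return "exempt:contactless"
    if channel == "remote" and tra_exempt(amount_cents, psp_fraud_rate):
        return "exempt:tra"
    record_sca(card)
    return "sca"


if __name__ == "__main__":
    rate = reference_fraud_rate(fraud_value_cents=130, total_value_cents=100_000)
    card = CardCounters()
    for amount in (8_000, 8_000, 8_000, 8_000):  # four GBP 80 taps on one card
        print(amount, decide(amount, "contactless", card, "UK", rate))
    print(decide(9_000, "remote", card, "EEA", rate))
```

Run as-is, the fourth £80 tap is refused the exemption because the cumulative total would reach £320, so the customer is asked for a PIN and the counters reset; the remote €90 payment then qualifies for TRA because the sample fraud rate of 0.13% sits exactly on the €100 band. Passing `issuer_step_up=True` models the case the article flags: the issuer may demand SCA even when every threshold is met.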
4. Trusted beneficiaries
Customers can ask their bank to add a merchant to a list of trusted beneficiaries; the list is held by the card issuer, not the merchant, and adding an entry itself requires SCA. Future payments to those companies then won’t require extra verification. For example, if you regularly buy from the same online grocery store, SCA won’t ask for a password, fingerprint, or OTP every time. This makes repeat purchases faster while keeping security in place.
5. Corporate payments
Payments made through dedicated corporate payment processes or protocols, such as corporate cards or lodged and virtual cards used within a company’s travel and purchasing systems, can be exempt from SCA if the national regulator is satisfied that the process offers equivalent security. This exemption recognises that corporate spending is usually controlled and monitored by company policies, so additional authentication would create unnecessary friction.
SCA vs. 2FA: What’s the difference?
It’s easy to mix up SCA and 2FA, but they serve different purposes. 2FA verifies a user’s identity using two separate authentication factors, such as a password and a fingerprint.
SCA, on the other hand, is a legal framework under PSD2 that sets the rules for when and how businesses must apply MFA in electronic payments. In short, 2FA is a tool, while SCA is the law governing its use for online transactions. The table below highlights the main distinctions.
Feature | 2FA | SCA |
Type | Authentication method | Legal requirement under PSD2 |
Purpose | Verify identity | Protect electronic payments and meet regulatory requirements |
Factors | Two factors, any categories | At least two independent factors from different categories (“something you know, have, or are”), dynamically linked to amount and payee |
Scope | Any app or service | Most EU and EEA online payments |
Enforcement | Optional | Mandatory for applicable transactions, with some exemptions |
5 ways businesses can ensure SCA compliance
Even after implementing SCA, businesses can take a few extra steps to secure payments, reduce friction, and stay compliant. Here are five methods to consider.
- Audit your payment systems: Start by identifying which payments need SCA authentication and reviewing your current setup for MFA gaps. This includes 3D Secure, OTPs, and biometric verification. Knowing where your system is vulnerable helps you focus on the areas that need improvement.
- Update payment workflows: Once you know the gaps, integrate SCA checks into every relevant transaction. Apply passwords, OTPs, and PINs where needed. Then, handle recurring payments and low-value transactions according to exemptions so security doesn’t slow down your customers.
- Test authentication methods: After updating workflows, run real-world scenarios to confirm that customers and employees can complete online payments without friction. Try different combinations of authentication factors to find the most reliable approach for your business.
- Monitor transactions and fraud rates: Keep track of unusual activity, and see how exemptions like TRA affect both security and the user experience. Use these insights to adjust your workflows and reduce the risk of fraudulent payments.
- Train your team: Finally, make sure finance and support staff understand SCA rules and can guide customers when authentication challenges arise. Straightforward internal processes prevent errors and delays.
How SCA impacts the customer payment experience
Strong customer authentication adds a few extra steps to online payments, but it’s a small trade-off for greater security and customer trust. Adaptive authentication helps businesses balance safety with convenience:
- Low-risk payments: Small purchases and subscriptions proceed with minimal checks.
- High-risk transactions: Larger or unusual payments trigger stronger verification, such as biometrics and push notifications.
- Real-time monitoring: Unusual activity is detected early, stopping fraud before it reaches customers.
How to protect customers and your business from fraud
Implementing SCA safeguards your payments and reassures customers. Here’s how to put it into practice:
- Use MFA: Combine passwords, PINs, and biometric verification to block unauthorised access.
- Monitor transactions: Track activity in real time to prevent fraudulent payments.
- Apply adaptive authentication: Adjust verification based on each transaction’s risk level to balance security with convenience.
- Educate staff and customers: Clear guidance reduces mistakes and supports secure payments.
- Use SCA-compliant tools: Payment gateways and platforms that enforce strong customer authentication simplify compliance and protect your business.
Following these practices protects your revenue and builds trust with customers. And with a solution like Moss, you can stay SCA-compliant while keeping checkouts smooth and hassle-free.
Simplify SCA compliance with Moss’ virtual cards
Strong customer authentication doesn’t have to slow your business down. Moss’ virtual cards ensure every payment meets SCA requirements without adding unnecessary friction. Each card includes multi-layered verification to stop fraud before it happens. Plus, you also get full visibility into company spending: track expenses in real time and catch potential issues before they become risks.
With Moss, you’re creating a safer, more transparent payment process that builds trust with every transaction.
Take the stress out of compliance. Get started with Moss virtual cards today, and make every payment secure by design.