Strong Customer Authentication (SCA)
SCA is the PSD2-mandated two-factor authentication for electronic payments in the EU, based on at least two of three factors: knowledge, possession and inherence.
SCA (mandatory from September 2019, phased in) requires two independent factors: something you know (password, PIN), something you have (phone, token), or something you are (fingerprint, face). Consequences: 3D Secure 2 became the de facto standard, payment UX changed (extra authentication steps), and merchants saw initial conversion drops. Exemptions: low-value payments (under 30 EUR, subject to conditions), merchant-initiated transactions (MIT), whitelisted merchants, and Transaction Risk Analysis (TRA).
Example
A webshop customer pays 45 euro by card. The issuer evaluates the payment: cumulative risk is low, whitelist status is present, and the merchant history is good. The TRA exemption is triggered, so there is no challenge and the payment goes straight through. Compliance without friction.
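The exemption logic described above, as an added sketch that is not part of the original page. The thresholds come from the PSD2 RTS (Commission Delegated Regulation (EU) 2018/389, Articles 16 and 18); the `Payment` fields, the function names and the order in which exemptions are tried are assumptions made for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

# TRA bands for remote card payments, from the RTS annex:
# (maximum reference fraud rate in percent, maximum exempt amount in EUR)
TRA_BANDS = [(Decimal("0.01"), Decimal("500")),
             (Decimal("0.06"), Decimal("250")),
             (Decimal("0.13"), Decimal("100"))]

@dataclass
class Payment:                                   # hypothetical record, not a real API
    amount_eur: Decimal
    merchant_initiated: bool = False             # MIT, e.g. a recurring charge
    payee_whitelisted: bool = False              # payer marked the merchant as trusted
    cumulative_since_sca: Decimal = Decimal("0") # EUR spent since the last SCA
    count_since_sca: int = 0                     # payments since the last SCA
    psp_fraud_rate_pct: Decimal = Decimal("1")   # PSP's measured fraud rate
    risk_score_low: bool = False                 # result of real-time risk analysis

def tra_limit(fraud_rate_pct):
    """Highest amount exemptible under TRA for this fraud rate, or 0 if none."""
    for max_rate, max_amount in TRA_BANDS:
        if fraud_rate_pct <= max_rate:
            return max_amount
    return Decimal("0")

def sca_decision(p):
    """Return the exemption that applies, or 'challenge' when SCA is required."""
    # Evaluation order is an assumption; the page does not prescribe one.
    if p.merchant_initiated:
        return "mit"
    if p.payee_whitelisted:
        return "whitelisted"
    # Low-value: the RTS lets the issuer track either counter; this sketch
    # conservatively enforces both the 100 EUR total and the five-payment run.
    if (p.amount_eur <= 30
            and p.cumulative_since_sca + p.amount_eur <= 100
            and p.count_since_sca < 5):
        return "low_value"
    if p.risk_score_low and p.amount_eur <= tra_limit(p.psp_fraud_rate_pct):
        return "tra"
    return "challenge"

# Constructed sample mirroring the 45 euro payment above (fraud rate is made up).
PAGE_EXAMPLE = Payment(Decimal("45"), risk_score_low=True,
                       psp_fraud_rate_pct=Decimal("0.05"))
```

The 45 euro payment is too large for the low-value exemption, so it passes without a challenge only because the fraud rate of the PSP sits inside a TRA band and the risk analysis came back low.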
Frequently asked questions
How do I avoid SCA friction?
Use the TRA exemption, customer whitelisting (trusted merchants), MIT for recurring payments, and the low-value exemption. But overuse of exemptions leads to issuer pushback, so balance is critical.
SCA and conversion — how much impact?
In early 2021, e-commerce saw a 10–20% conversion dip due to 3DS friction. This has normalised with better 3DS2 flows, but conversion remains a KPI: optimise your exemption strategy via your PSP.