Strong Customer Authentication, commonly called SCA, is a security requirement that forces banks and payment providers to verify your identity using at least two independent checks before processing an electronic payment. It applies across the European Economic Area under the revised Payment Services Directive (PSD2) and is designed to reduce fraud in online and in-person card transactions. If you’ve ever been asked to confirm a purchase with a fingerprint after entering a password, or to type in a one-time code sent to your phone, you’ve already experienced SCA in action.
How the Two-Factor Check Works
SCA requires that at least two of three categories are used to verify your identity during a transaction. Those categories are:
- Knowledge: something only you know, like a password or PIN.
- Possession: something only you have, like a phone that receives a one-time code.
- Inherence: something you are, like a fingerprint or facial recognition scan.
A transaction that asks for your PIN (knowledge) and a one-time code texted to your phone (possession) satisfies SCA because it draws from two separate categories. A transaction that only asks for a password does not, because it uses just one category. The idea is straightforward: even if a fraudster steals your password, they still can’t complete the payment without also having your phone or your fingerprint.
Which Payments Require SCA
As a general rule, all electronic payment transactions fall under SCA. That includes online card purchases, bank transfers you initiate through your bank’s app or website, and payments at a point-of-sale terminal. The requirement applies whenever a payer initiates a transaction from a payment account, meaning any account where the holder can deposit and withdraw funds without needing additional approval from the bank, such as a standard current account or debit account.
SCA is a European regulation, so it directly covers transactions where both the payer’s and the payee’s payment providers are based in the European Economic Area. However, the regulation has had a ripple effect globally. Many international merchants serving European customers have adopted SCA-compliant checkout flows, and similar multi-factor authentication standards are spreading in other markets.
Transactions That Are Exempt
Not every payment triggers the full two-factor check. The regulation builds in exemptions for situations where the fraud risk is low or where adding friction would be impractical. The most common ones include:
- Low-value remote payments: Online transactions below €30 can skip SCA, but only up to a point. Once you’ve made five consecutive low-value transactions without authenticating, or your cumulative spending since your last SCA check reaches a set threshold (€85 to €150 depending on the jurisdiction), authentication kicks back in.
- Contactless payments at a terminal: Tap-to-pay transactions under €50 are generally exempt, with the same kind of cumulative cap. After a certain number of contactless taps or a cumulative spend limit, your card will ask for a PIN.
- Trusted beneficiaries: If you add a payee to a “trusted” list through your bank, future payments to that payee can skip SCA. You authenticate once when you set up the list.
- Recurring payments: A subscription or standing order where the amount and payee stay the same only requires SCA for the first payment. Subsequent charges in the series are exempt.
- Transfers to yourself: Moving money between two accounts you own at the same bank does not require SCA.
- Unattended terminals for transport or parking: Paying a bus fare or a parking meter is exempt, since requiring multi-factor authentication at these terminals would be impractical.
- Corporate payments: Businesses using dedicated payment systems or machine-to-machine communication channels can qualify for an exemption if their national regulator approves the security mechanisms already in place.
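The two-category rule and the low-value exemption counters are easiest to see as a decision procedure. The following Python is an added example, not code from this article or from any bank, card scheme or regulator. It models the issuer side: it checks the exemptions listed above in order, keeps the consecutive-count and cumulative-spend counters per channel so the allowance is used up and later reset by a successful authentication, and accepts an authentication only when the presented factors span two distinct categories. The factor-to-category mapping, the account-state structure, the reason codes and the 100 EUR cumulative cap (the article gives 85 to 150 EUR depending on jurisdiction; the same cap is reused for contactless here) are assumptions made for the example.

```python
from dataclasses import dataclass, field

# The three factor categories named in the SCA rules.
KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"

# Constructed mapping from concrete factors to their category (assumption).
FACTOR_CATEGORY = {
    "password": KNOWLEDGE, "pin": KNOWLEDGE,
    "sms_otp": POSSESSION, "app_push": POSSESSION, "card": POSSESSION,
    "fingerprint": INHERENCE, "face": INHERENCE,
}

# Low-value thresholds quoted in the article ("below EUR 30" remote, "under EUR 50"
# contactless) and the five-consecutive rule. The cumulative cap is jurisdiction
# dependent (EUR 85 to 150); EUR 100 is an assumed value, applied to both channels.
LOW_VALUE_LIMIT = {"remote": 30.0, "contactless": 50.0}
MAX_CONSECUTIVE = 5
CUMULATIVE_LIMIT = 100.0


def factors_satisfy_sca(factors):
    """True when the presented factors come from at least two distinct categories."""
    categories = {FACTOR_CATEGORY[f] for f in factors}
    return len(categories) >= 2


@dataclass
class AccountState:
    """Per-account state an issuer would keep to apply the exemptions (assumed model)."""
    trusted_payees: set = field(default_factory=set)
    recurring_series: dict = field(default_factory=dict)  # payee -> authenticated amount
    consecutive: dict = field(default_factory=lambda: {"remote": 0, "contactless": 0})
    cumulative: dict = field(default_factory=lambda: {"remote": 0.0, "contactless": 0.0})


def sca_required(state, channel, amount, payee, own_account=False, recurring=False):
    """Return (required, reason_code) for one transaction without changing state."""
    if own_account:
        return False, "OWN_ACCOUNT"
    if payee in state.trusted_payees:
        return False, "TRUSTED_BENEFICIARY"
    if recurring and state.recurring_series.get(payee) == amount:
        return False, "RECURRING_SERIES"
    limit = LOW_VALUE_LIMIT.get(channel)
    if limit is not None and amount < limit:
        if state.consecutive[channel] >= MAX_CONSECUTIVE:
            return True, "LOW_VALUE_COUNT_EXHAUSTED"
        if state.cumulative[channel] + amount >= CUMULATIVE_LIMIT:
            return True, "LOW_VALUE_CUMULATIVE_REACHED"
        return False, "LOW_VALUE"
    return True, "NO_EXEMPTION"


def process_transaction(state, channel, amount, payee, factors=(), **kwargs):
    """Apply the decision, update the counters, return (approved, reason_code)."""
    required, reason = sca_required(state, channel, amount, payee, **kwargs)
    if not required:
        if reason == "LOW_VALUE":  # only exempt low-value payments consume the allowance
            state.consecutive[channel] += 1
            state.cumulative[channel] += amount
        return True, reason
    if not factors_satisfy_sca(factors):
        return False, "INSUFFICIENT_FACTORS"
    # A successful SCA resets the low-value counters for that channel and, for a
    # recurring series, records the payee/amount pair that later charges may reuse.
    if channel in LOW_VALUE_LIMIT:
        state.consecutive[channel] = 0
        state.cumulative[channel] = 0.0
    if kwargs.get("recurring"):
        state.recurring_series[payee] = amount
    return True, "AUTHENTICATED"


if __name__ == "__main__":
    acct = AccountState()
    for _ in range(5):
        print(process_transaction(acct, "remote", 10.0, "shop"))  # exempt five times
    print(process_transaction(acct, "remote", 10.0, "shop"))      # sixth: SCA needed
    print(process_transaction(acct, "remote", 10.0, "shop", factors=("password", "sms_otp")))
```

Two design points carry over to real deployments: the counters reset only after a successful authentication, so a string of small charges cannot ride the exemption indefinitely, and the remote and contactless allowances are tracked separately because the article describes separate caps for each channel. A recurring series is only recorded once the first payment has actually been authenticated, so a change of payee or amount drops back to a full SCA.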
How Merchants Meet the Requirement
For online purchases, the most common way merchants comply is through 3D Secure 2 (often abbreviated 3DS2). This is the protocol behind the pop-up or redirect you see during checkout that asks you to verify your identity through your bank’s app, a text message code, or biometrics on your phone. It replaced the original 3D Secure, which was notorious for clunky password screens that drove customers to abandon their carts.
3DS2 is designed to work smoothly across devices, including mobile. In many cases the authentication happens in the background through your banking app. Your bank sends a push notification, you confirm with a fingerprint, and the purchase goes through. When the transaction qualifies for an exemption, the merchant or payment provider can request to skip the 3DS2 step entirely, keeping the checkout fast. If the bank agrees the risk is low enough, it approves the transaction without the extra step.
For in-person purchases, the chip-and-PIN system already satisfies SCA by combining possession (the physical card) with knowledge (your PIN). Contactless payments rely on the exemption framework described above, with periodic PIN prompts to bring the transaction back into compliance.
What May Change Under PSD3
European regulators are working on a successor to PSD2, commonly referred to as PSD3, alongside a new Payment Services Regulation (PSR). The European Commission published draft proposals in June 2023, and the European Parliament adopted its first-reading text in April 2024. Final rules are still being negotiated.
One notable proposed change involves the “two different categories” rule. Under the current framework, your two authentication factors must come from separate categories (for example, knowledge plus possession). The draft PSD3 proposal would allow two factors from the same category, as long as they are genuinely independent of each other. In theory, this could mean authenticating with two different biometric checks (inherence plus inherence) rather than a biometric plus a PIN. However, the European Banking Authority has pushed back, arguing that same-category authentication could be easier to exploit and recommending the original two-category rule be kept. The final text has not been decided.
PSD3 also introduces obligations for payment providers to educate customers about fraud, including guidance on spotting phishing attempts and reporting suspicious activity. It proposes an IBAN-and-name matching service so your bank can verify that the account name matches the account number before a transfer goes through, reducing the risk of misdirected or fraudulent payments.
Why SCA Matters for Everyday Spending
Before SCA, online card fraud was growing rapidly. A stolen card number and expiration date were often enough to complete a purchase. SCA changed the equation by requiring proof that the person making the payment actually holds the card or account. For you as a consumer, this means an extra step at checkout, but it also means a fraudster who obtains your card details online still can’t use them without access to your phone or biometric data.
If you notice that some purchases sail through without any extra verification while others trigger a code or fingerprint prompt, that’s the exemption framework at work. Your bank and the merchant’s payment provider are evaluating each transaction’s risk level in real time, applying SCA only when required or when the risk score warrants it. The goal is to keep low-risk payments fast while catching the transactions most likely to be fraudulent.