password white bg
What Is A Strong Password – Guide 2023
18th October 2019
How To Protect Against Brute Force Attacks?
28th November 2019
Show all

What is SCA (Strong Customer Authentication) and PSD2?


What Is SCA?

SCA first came into being in September 2019* as a response to the European Second Payment Services Directive (PSD2). These plans detail a list of requirements that banks and building societies and certain firms must abide by – chief of these being that providers must respond to certain kinds of complaints within a fifteen day window, helping to improve issue resolution problems that have plagued the industry to close to a decade.

* You’ll find a full explanation of the timeline of SCA later in this article.

The other part of this process involves the deployment of SCA – forcing businesses that sell goods and services online to build additional validation steps into their ecommerce checkout pipeline. In simple terms, this means adding three key elements:

An element the customer ‘knows’: This can be a unique password, pin, or phrase.
An element the customer ‘has’: This can be a smartphone, registered and trusted device, or a unique token.
Something that the customer ‘is’: This can be a unique physical identifier such as a fingerprint, or eye or face recognition.

When the changes required by PSD2 are formally enforced by the deadline of December 2020, banks will be required to decline any* payments that don’t involve these three elements as formal validation.


* There are some exemptions to this, more on that in a moment.


As it currently stands, SCA will only apply to any payments that are delivered online in the Eurozone. Broadly speaking, this means it will affect any individual making an online payment from an EU country to another EU country.

As it stands, some companies have already gotten ahead of the curve and used secure payments such as Visa’s ‘Verified by’ initiative or Mastercard’s long-running ‘Identity Check’ program.

This does offload a little bit of extra responsibility to customers who will now be increasingly required to deploy biometrics when making payments or deploy recognised tokens. This will commonly involve validating your personal phone number with your bank or agreeing to use your fingerprint data as a passkey – something that more data savvy citizens could be apprehensive about.

However, when it comes to ‘worrying’, what customers face is a mild inconvenience compared to the comprehensive work some businesses will be required to undertake. This will involve fundamentally changing their checkout processes, embedding an extra layer of security, and sufficiently road-testing it before they fully implement SCA.

If not tested correctly, this can derail a customer’s user journey and result in comprehensive revenue loss – placing your bottom line at risk and losing any goodwill you may have built with your user base.

However, SCA also offers a fantastic way to provide peace of mind to customers, ensuring that their online interaction with the vendor is secure. And, given the importance of keeping the customer journey as seamless as possible, it’s likely that the best providers will make the process near invisible to avoid disruption.

With mobile banking and the continued rise of ecommerce across many industries making online transactions increasingly commonplace, getting ahead of the curve is arguable more important than ever before.

Our guide on Customer Identity Access Management (CIAM) can be incredibly useful to you, as it discusses the means to create and manage online identities securely.


When does SCA go into effect?


SCA will be fully enforced in December 2020. However, it has been a requirement of the PSD2 since September 2019.

You might ask, what does this mean?

There has been some confusion about the timeline and for good reason.

Originally, the plan was to have SCA fully in place in September 2019. However, in June 2019 the European Banking Authority (RBA) accepted that on exceptional basis and to avoid unintended negative consequences, there would be a temporary delay in the implementation of SCA.

In October 2019, the RBA announced that SCA will be fully enforced on December 31st 2020, following concerns of the preparedness and compliance of some actors in the payments chain.

In practice, this means that at the time of the writing of this article (October 2019), not many banks have started declining non-authenticated payments, but they will start doing so on December 31st 2020 at the latest.

To put it in another way, SCA has been required by the PSD2 since September 2019, but it will not be fully enforced until the end of 2020.

In addition to the RBA’s announcements, the local regulators in Denmark, France and the United Kingdom have granted longer 18-month delays to the enforcement of SCA, and it is unclear whether there will be further delays in those countries.

Exemptions to SCA (Strong Customer Authentication)


When it comes to who is affected by SCA, it is important to be aware of what payments are exempt from additional validation.

These are generally classed as ‘low risk’ payments and certain providers will be able to process these without having to look for additional validation – leaving it to the discretion of the bank to decide whether SCA authentication is required.

Types of transactions that are exempt include:

Corporate Transactions

These are generally made with a pre-approved or ‘lodged’ card. These are most commonly used for travel expenses for a range of users and, resultingly, will not require validation.


Low Risk Transactions

Arguably the most common exemption, this is defined as a transaction that falls below a bank or carrier’s thresholds for fraud. This does create a situation where a payment provider’s rate is beneath the required threshold, but it is above the cardholder’s bank – resulting in a cancelled payment.


‘Merchant Initiated’ Transactions

Used for businesses that traffic in ‘delayed payments’, these are outside of the remit of SCA as the card is authenticated when the first payment is made. Once a mandate is provided by the cardholder, the merchant can continue to charge subscriptions or pre-agreed billing.


Small Payments

Any payment or transaction below 30€ will generally be exempt from SCA. This will be limited if the card is used a number of times since the last on-record authentication or if the payment total within the previous window totals more than 100€.


Standing Subscriptions

Ongoing subscription payments will bypass SCA provided that the first payment is fully authenticated and that the subscription payments do not increase or change. If subscriptions do change, the customer will be required to validate the change or provide consent.


Telephone Sales

Some providers will allow for the creation of trusted entities or – as with platforms such as PayPal – designate a small payment to a ‘trusted’ individual. Once added to the system, the user will be placed on a list of trusted bodies and not run into issues when making future payments.


How Can 10Duke Help?

SCA compliance is a necessity for any modern business that is transacting online.

Regardless of who you choose to use to accept online payments, if you’re using the 10Duke Identity Provider as your customer identity management solution, it can help to ensure you comply with your obligations under SCA.

10Duke Identity Provider works no matter who your provider is, StripeAdyenBraintree, or PayPal.

Supporting a variety of incremental authentication triggers that can help to confirm a users decision to initiate an online payment or further protect access to sensitive data or features within an application, the 10Duke Identity Provider allows you to tailor those aspects of your customer journey that require enhanced authentication, such as that mandated by PSD2.

If you want to take the pain out of your SCA compliance, read about 10Duke Enterprise. Additionally, If you want to get in touch and discuss a light-touch bespoke solution for your business, please do not hesitate to contact us and let us know how we can help.

20th August 2021

10Duke 101 – Understanding the Basics of 10Duke Licensing

A brief introduction to 10Duke’s Licensing Solution. We will go through its main concepts and how to integrate with 10Duke, including delegation of authentication, product configuration […]
29th March 2021

Is Sharing Really Caring? Not If It’s Your Password

Password sharing may seem harmless, but it actually puts your business, employees and customers at risk. Find out why what you can do to prevent it.
18th February 2021

Software IP Protection – How to Protect Software Intellectual Property?

Software IP protection strategy is not just about limiting access. The best IP protection software also aims to enhance customer experience.
18th November 2020

Working with 10Duke

Working with 10Duke normally follows a 4 stage process, which we will go through in this blog post.
28th November 2019

How To Protect Against Brute Force Attacks?

Brute Force Attack involves multiple attempts to guess a password. But how do you protect against them? Learn all about it on this blog.
18th October 2019

What Is A Strong Password – Guide 2023

Ideally, most sites you use should enforce the creation of a strong password on their system. Ideally this should involve the following steps.
9th January 2019

One-time Passwords (OTP): A Beginner’s Guide 2023

One-time passwords can be generated in several ways and each one has trade-offs in term of security, convenience, and cost.
9th January 2019

Beginner’s Guide to REST API and GRAPH API

The unsung hero of our connected world is the Application Programming Interface (API). APIs make it possible for interactions between applications, data and devices to take […]
8th January 2019

Mapping the Cybersecurity Landscape

“An ounce of prevention is worth a pound of cure.” Cybersecurity is about gaining peace of mind from knowing that your business is prepared.

SCA first came into being in September 2019* as a response to the European Second Payment Services Directive (PSD2). These plans detail a list of requirements that banks and building societies and certain firms must abide by – chief of these being that providers must respond to certain kinds of complaints within a fifteen day window, helping to improve issue resolution problems that have plagued the industry to close to a decade.