How to enforce strong passwords
How to Create Strong Passwords – Best Practices in 2020
18th October 2019
What licence model to choose?
Looking for a Licence Model? Quick Guide
18th November 2019
Show all

What is SCA? (Strong Customer Authentication) – Quick Guide

Strong Customer Authentication explained

The new standard for safe authentication of online payments, Strong Customer Authentication (or SCA) is a newly enacted tool to help counteract fraud on certain types of payments.

SCA first came into being in September 2019* as a response to the European Second Payment Services Directive (PSD2). These plans detail a list of requirements that banks and building societies and certain firms must abide by – chief of these being that providers must respond to certain kinds of complaints within a fifteen day window, helping to improve issue resolution problems that have plagued the industry to close to a decade.

* You’ll find a full explanation of the timeline of SCA later in this article.

The other part of this process involves the deployment of SCA – forcing businesses that sell goods and services online to build additional validation steps into their ecommerce checkout pipeline. In simple terms, this means adding three key elements:

An element the customer ‘knows’: This can be a unique password, pin, or phrase.
An element the customer ‘has’: This can be a smartphone, registered and trusted device, or a unique token.
Something that the customer ‘is’: This can be a unique physical identifier such as a fingerprint, or eye or face recognition.

When the changes required by PSD2 are formally enforced by the deadline of December 2020, banks will be required to decline any* payments that don’t involve these three elements as formal validation.

* There are some exemptions to this, more on that in a moment.

Who needs to worry about SCA?


As it currently stands, SCA will only apply to any payments that are delivered online in the Eurozone. Broadly speaking, this means it will affect any individual making an online payment from an EU country to another EU country.

As it stands, some companies have already gotten ahead of the curve and used secure payments such as Visa’s ‘Verified by’ initiative or Mastercard’s long-running ‘Identity Check’ program.

This does offload a little bit of extra responsibility to customers who will now be increasingly required to deploy biometrics when making payments or deploy recognised tokens. This will commonly involve validating your personal phone number with your bank or agreeing to use your fingerprint data as a passkey – something that more data savvy citizens could be apprehensive about.

However, when it comes to ‘worrying’, what customers face is a mild inconvenience compared to the comprehensive work some businesses will be required to undertake. This will involve fundamentally changing their checkout processes, embedding an extra layer of security, and sufficiently road-testing it before they fully implement SCA.

If not tested correctly, this can derail a customer’s user journey and result in comprehensive revenue loss – placing your bottom line at risk and losing any goodwill you may have built with your user base.

However, SCA also offers a fantastic way to provide peace of mind to customers, ensuring that their online interaction with the vendor is secure. And, given the importance of keeping the customer journey as seamless as possible, it’s likely that the best providers will make the process near invisible to avoid disruption.

With mobile banking and the continued rise of ecommerce across many industries making online transactions increasingly commonplace, getting ahead of the curve is arguable more important than ever before.

When does SCA go into effect?


SCA will be fully enforced in December 2020. However, it has been a requirement of the PSD2 since September 2019.

You might ask, what does this mean?

There has been some confusion about the timeline and for good reason.

Originally, the plan was to have SCA fully in place in September 2019. However, in June 2019 the European Banking Authority (RBA) accepted that on exceptional basis and to avoid unintended negative consequences, there would be a temporary delay in the implementation of SCA.

In October 2019, the RBA announced that SCA will be fully enforced on December 31st 2020, following concerns of the preparedness and compliance of some actors in the payments chain.

In practice, this means that at the time of the writing of this article (October 2019), not many banks have started declining non-authenticated payments, but they will start doing so on December 31st 2020 at the latest.

To put it in another way, SCA has been required by the PSD2 since September 2019, but it will not be fully enforced until the end of 2020.

In addition to the RBA’s announcements, the local regulators in Denmark, France and the United Kingdom have granted longer 18-month delays to the enforcement of SCA, and it is unclear whether there will be further delays in those countries.

Exemptions to SCA (Strong Customer Authentication)


When it comes to who is affected by SCA, it is important to be aware of what payments are exempt from additional validation.

These are generally classed as ‘low risk’ payments and certain providers will be able to process these without having to look for additional validation – leaving it to the discretion of the bank to decide whether SCA authentication is required.

Types of transactions that are exempt include:

Corporate Transactions

These are generally made with a pre-approved or ‘lodged’ card. These are most commonly used for travel expenses for a range of users and, resultingly, will not require validation.

Low Risk Transactions

Arguably the most common exemption, this is defined as a transaction that falls below a bank or carrier’s thresholds for fraud. This does create a situation where a payment provider’s rate is beneath the required threshold, but it is above the cardholder’s bank – resulting in a cancelled payment.

‘Merchant Initiated’ Transactions

Used for businesses that traffic in ‘delayed payments’, these are outside of the remit of SCA as the card is authenticated when the first payment is made. Once a mandate is provided by the cardholder, the merchant can continue to charge subscriptions or pre-agreed billing.

Small Payments

Any payment or transaction below 30€ will generally be exempt from SCA. This will be limited if the card is used a number of times since the last on-record authentication or if the payment total within the previous window totals more than 100€.

Standing Subscriptions

Ongoing subscription payments will bypass SCA provided that the first payment is fully authenticated and that the subscription payments do not increase or change. If subscriptions do change, the customer will be required to validate the change or provide consent.

Telephone Sales

Some providers will allow for the creation of trusted entities or – as with platforms such as PayPal – designate a small payment to a ‘trusted’ individual. Once added to the system, the user will be placed on a list of trusted bodies and not run into issues when making future payments.

How can 10Duke help?

SCA compliance is a necessity for any modern business that is transacting online.

Regardless of who you choose to use to accept online payments, if you’re using the 10Duke Identity Provider as your customer identity management solution, it can help to ensure you comply with your obligations under SCA.

10Duke Identity Provider works no matter who your provider is, Stripe, Adyen, Braintree, or PayPal.

Supporting a variety of incremental authentication triggers that can help to confirm a users decision to initiate an online payment or further protect access to sensitive data or features within an application, the 10Duke Identity Provider allows you to tailor those aspects of your customer journey that require enhanced authentication, such as that mandated by PSD2. 

If you want to take the pain out of your SCA compliance, read more about 10Duke Identity Provider here. Alternatively, if you want to get in touch and discuss a light-touch bespoke solution for your business, please do not hesitate to contact us and let us know how we can help.

You might also be interested in:

20th August 2021
10Duke 101 - Understanding 10Duke Licensing

10Duke 101 – Understanding the Basics of 10Duke Licensing

A brief introduction to 10Duke’s Licensing Solution. We will go through its main concepts and how to integrate with 10Duke, including delegation of authentication, product configuration […]
29th March 2021
Password sharing - don't do it!

Is Sharing Really Caring? Not If It’s Your Password

Password sharing may seem harmless, but it actually puts your business, employees and customers at risk. Find out why what you can do to prevent it.
18th February 2021
How to Protect Software IP?

Software IP Protection – How to Protect Software Intellectual Property?

Software IP protection strategy is not just about limiting access. Best IP protection also aims to enhance customer experience.

SCA has been required by the PSD2 since September 2019, but it will not be fully enforced until the end of 2020. Learn all about it on this quick guide.

Schedule a Demo