Last update: 19/11/2021

Strong customer authentication is a way to make electronic payments more secure. It implements multi-factor authentication, which proves that the account used in financial transactions is ours to reduce the risk of fraud. It is required under the European Union’s “Payment Services Directive 2” (or “PSD2”), which took effect on 14 September 2019.

Everyone wants to make sure their finances are secure and their bank accounts untouchable. It’s important to understand what protections consumers have to prevent electronic payment fraud.

What is strong customer authentication?

Strong customer authentication (SCA) is a recent requirement in Europe (you can read more about it in this article (in Spanish) in Finanzas para Mortales (Finance for Mortals)). Though it came into effect on 14 September 2019, European Economic Area (EEA) member states were gradually implementing it until its deadline on 20 December 2020.

SCA came about to give consumers more protection when making electronic payments in stores or online; such payments have required it since 1 January 2021.

When we’re about to pay for something, our bank will ask us to give information that confirms we own the payment account, which helps reduce the risk of fraud. Such information could involve:

  • knowledge: a PIN, a password, a key code or other details that only an account holder knows.
  • possession: things we have, like a credit card or even a smartphone to which our bank can send a confirmation SMS, notification or email. 
  • inherence: what we are, e.g., identification via fingerprinting, facial recognition or iris recognition. If you want to learn more about biometric identifiers, check out this article by Openbank.

When the bank can confirm any two of these things, it will approve the payment you want to make.

What kind of payments is it for?

The purpose of strong customer authentication is to protect consumers making payments with a credit card in person at a store or online from their computer, mobile phone or tablet. Banks set their own customer identification requirements.

Many types of payments require customers to prove their identity:

  • mobile payments, like with Bizum (in Spain), to split the dinner bill.
  • new online subscriptions (e.g., the “premium” version of a newspaper).
  • purchases on an online store or other remote channels that bear risk of payment fraud and other transgressions.

We will have to prove who we are for bank transfers and most credit card transactions in the European Economic Area.

Strong customer authentication exceptions

According to EU law, transactions deemed low risk do not require strong customer authentication:

  • Contactless POS payments for less than 50 euros, except when the total of three consecutive purchases exceeds 150 euros. Such payments also require new authentication once five payments have been made since the last SCA.
  • Online purchases under 30 euros: such transactions cannot total more than 100 euros in 24 hours. Like contactless payments, they require new authentication after five payments without SCA.
  • Toll road and car park payments: these charges are SCA-exempt because they happen at unattended terminals and are for a very small amount.
  • Regular subscriptions: usual payments of the same amount, like with streaming platforms or gym memberships.
  • Commercial whitelists: the user can “whitelist” trusted businesses that won’t require SCA by notifying their bank or payment service provider (PSP).
  • Mail order and telephone order (MOTO) payments: payments carried out via telephone or email.
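The low-value exemptions for contactless and online payments above are easiest to see as the counters an issuing bank must keep per card. The following is an added example, not code from the article or from any bank: the thresholds are the ones the article states, while the counter model (what resets on a completed SCA, how the 24-hour window is measured) is an assumption.

```python
from dataclasses import dataclass, field

# Thresholds as the article states them (euros); the per-card counters are an assumed model, not any real bank's implementation.
CONTACTLESS_MAX = 50.0              # per contactless POS payment
CONTACTLESS_CUMULATIVE_MAX = 150.0  # cumulative contactless spend since the last SCA
ONLINE_MAX = 30.0                   # per online payment
ONLINE_CUMULATIVE_24H_MAX = 100.0   # cumulative online spend within 24 hours
MAX_EXEMPT_IN_A_ROW = 5             # payments allowed without SCA since the last SCA

@dataclass
class Payment:
    channel: str    # "contactless" or "online"; any other channel always needs SCA
    amount: float   # euros
    hour: float     # time of the payment, in hours from an arbitrary origin

@dataclass
class CardState:
    exempt_count: int = 0           # payments approved without SCA since the last SCA
    contactless_total: float = 0.0  # exempt contactless spend since the last SCA
    online_exempt: list = field(default_factory=list)  # (hour, amount) of exempt online payments

    def sca_required(self, p: Payment) -> bool:
        if p.channel == "contactless":
            over = (p.amount >= CONTACTLESS_MAX
                    or self.contactless_total + p.amount > CONTACTLESS_CUMULATIVE_MAX)
        elif p.channel == "online":
            recent = sum(a for h, a in self.online_exempt if h > p.hour - 24)
            over = p.amount >= ONLINE_MAX or recent + p.amount > ONLINE_CUMULATIVE_24H_MAX
        else:
            return True
        return over or self.exempt_count >= MAX_EXEMPT_IN_A_ROW

    def record(self, p: Payment, authenticated: bool) -> None:
        if authenticated:   # a completed SCA resets every counter
            self.exempt_count, self.contactless_total = 0, 0.0
            self.online_exempt.clear()
        else:               # an exempt payment accrues toward the caps
            self.exempt_count += 1
            if p.channel == "contactless":
                self.contactless_total += p.amount
            else:
                self.online_exempt.append((p.hour, p.amount))

def process(payments: list) -> list:
    """Replay a fresh card's history and return, per payment, whether SCA was required."""
    state, decisions = CardState(), []
    for p in payments:
        need = state.sca_required(p)
        state.record(p, need)
        decisions.append(need)
    return decisions
```

Replaying a constructed history such as six 20-euro contactless taps shows the fifth-payment cap firing on the sixth tap, and four 45-euro taps show the cumulative cap firing on the fourth.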

Want more details about strong customer authentication? Don’t miss this article by Openbank.
