DEFINITION
Strong Customer Authentication (SCA)
Strong Customer Authentication (SCA) is a regulatory requirement under the European Union’s Revised Payment Services Directive (PSD2) that adds security to electronic payments. It stipulates that financial institutions must use at least two of the three authentication factors: something you know (knowledge), something you have (possession) and something you are (inherence).
This reduces risk in cases where one authentication factor is compromised, for example if your phone is stolen or someone knows the answer to your security question.
Synonyms
Multi-factor authentication
Acronyms
SCA
Examples
Common forms of authentication across the three categories are:
• Security questions regarding your first pet, teacher’s name, or other hard-to-guess information for knowledge. Knowledge also covers typing in your password or PIN.
• Authenticating via your phone or other connected device for possession.
• Biometric authentication such as your fingerprint or face ID for inherence.
In practice, this can mean that before an online payment is processed, you might be asked to, for example, type in a one-time password (OTP) sent to your phone and the name of your first pet. When SCA is applied typically varies depending on the account and the transaction in question.
FAQ
What are the three factors used in SCA?
The three SCA factors can be categorized as: knowledge (passwords, PINs, security questions), possession (a different connected device), and inherence (biometric authentication).
When is SCA required?
Within the EU, SCA is required for most electronic payments. Exemptions can be made for recurring payments or low-value transactions.
How does SCA improve payment security?
By requiring two different forms of authentication, SCA makes it harder for threat actors to gain unauthorized access, reducing fraud risk. In other words, even if one form of authentication is compromised (such as a stolen phone or leaked personal information), threat actors still can’t make payments in your name.
Book your demo today and see why leading financial institutions
worldwide trust Atfinity to drive their digital transformation.