Strong Customer Authentication
Strong Customer Authentication (SCA) is a European regulatory requirement mandating at least two-factor verification for electronic payments and online account access. It combines at least two elements from knowledge, possession, and inherence.
Introduced by the PSD2 directive and detailed in the European Banking Authority's (EBA) Regulatory Technical Standards (RTS), SCA requires that every electronic payment transaction or sensitive account access be authenticated using at least two of three factors: a knowledge element (password, PIN), a possession element (phone, smart card), and an inherence element (fingerprint, facial recognition). These factors must be mutually independent.
SCA applies to payer-initiated payments, online payment account access, and remote transactions presenting a fraud risk. Several exemptions exist to smooth the user experience: recurring transactions of the same amount, low-value operations (under €30, subject to a cumulative cap), trusted beneficiaries, and low-risk transactions identified by real-time Transaction Risk Analysis (TRA).
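The two rules the paragraphs above describe (two mutually independent factor categories, and the exemptions that waive SCA) can be expressed as a small policy check. The following is an added example, not code from the page or from any regulator or bank; the cumulative-cap figures (€100 or five consecutive low-value transactions since the last SCA) are the EBA RTS Article 16 limits and are assumptions here, since the page gives no number.

```python
from dataclasses import dataclass, field
from decimal import Decimal

KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"

# Thresholds: "under €30" as the page states; cap values are assumed from EBA RTS Art. 16.
LOW_VALUE_LIMIT = Decimal("30")
LOW_VALUE_CUMULATIVE_CAP = Decimal("100")
LOW_VALUE_MAX_COUNT = 5


@dataclass
class Transaction:
    amount: Decimal
    payee: str
    recurring: bool = False      # same-amount series already authenticated with SCA at setup
    tra_low_risk: bool = False   # result of the PSP's real-time Transaction Risk Analysis


@dataclass
class PayerState:
    trusted_payees: set = field(default_factory=set)
    cumulative_since_sca: Decimal = Decimal("0")  # low-value spend since last SCA
    count_since_sca: int = 0                      # low-value count since last SCA


def factors_independent(presented: list[str]) -> bool:
    """SCA needs two *different* categories; a password plus a PIN is still one factor."""
    return len({f for f in presented if f in {KNOWLEDGE, POSSESSION, INHERENCE}}) >= 2


def sca_required(txn: Transaction, state: PayerState) -> str:
    """Return 'sca', or the name of the exemption that waives it for this transaction."""
    if txn.payee in state.trusted_payees:
        return "trusted_beneficiary"
    if txn.recurring:
        return "recurring"
    if txn.tra_low_risk:
        return "tra"
    if (txn.amount < LOW_VALUE_LIMIT
            and state.cumulative_since_sca + txn.amount <= LOW_VALUE_CUMULATIVE_CAP
            and state.count_since_sca < LOW_VALUE_MAX_COUNT):
        return "low_value"
    return "sca"


def record(txn: Transaction, state: PayerState, decision: str) -> None:
    """A completed SCA resets the low-value counters; a low-value exemption consumes them."""
    if decision == "sca":
        state.cumulative_since_sca, state.count_since_sca = Decimal("0"), 0
    elif decision == "low_value":
        state.cumulative_since_sca += txn.amount
        state.count_since_sca += 1
```

Each exemption decision should be logged with its reason, because the cumulative counters are what an auditor will ask for when a low-value transaction turns out to be fraudulent.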
For KYC and identity verification stakeholders, SCA represents both a complementary security standard and a technical integration point. Biometric verification used in KYC (facial recognition, liveness detection) can serve as the inherence factor for SCA, creating synergy between client onboarding and ongoing transaction security.
Real-world examples
1. A customer initiates a €500 bank transfer via their mobile app: the bank asks them to confirm with their fingerprint (inherence) after entering their password (knowledge), satisfying the SCA requirement.
2. An e-commerce merchant integrates the 3D Secure 2.0 protocol for online card payments: the customer receives a push notification on their smartphone (possession) and validates via facial recognition (inherence) for transactions over €30.
3. A leasing platform applies the TRA exemption for recurring monthly payments after an initial strong authentication, reducing friction while maintaining PSD2 compliance.