The global context of Strong Customer Authentication (SCA)

Patrick Drexler explains the global context of Strong Customer Authentication (SCA) and how the world succeeds and fails in authenticating online payments.

Patrick Drexler

VP of DACH and Friendly Fraud

3 October 2022


8 min read

Strong customer authentication, or SCA for short, has been a buzzword in the world of European online payments for the last few years. It forms the core of the revised payments services directive (PSD2) to ensure advanced authentication during the final stages of eCommerce payments and transactions. Its core aim has always been to fight fraud, which seems to be working - something we have extensively documented in the progress of PSD2 and SCA measures, from consultation to implementation. We have likewise followed reviews, discussions and merchant feedback over continuing concerns over SCA leading to checkout friction and cart abandonment, resulting in lost conversions. But what is the global context of strong customer authentication? How do online payment identity authentication measures look across the world?

First things first - what is strong customer authentication?

Strong customer authentication is a requirement of PSD2 on payment service providers within the European Economic Area. The requirement ensures that electronic payments are performed with multi-factor authentication, to increase the security of electronic payments. A certain set of criteria must be met in order to authenticate a payment or transaction.

The key requirements for strong customer authentication are as follows:

  • Knowledge – something the user knows (a password)
  • Possession – something the user has (a mobile device)
  • Inherence – something the user is (biometric authenticator such as a digital fingerprint)

It all seems fairly simple, but no so, many eCommerce merchants have struggled with effective implementation without checkout friction over the years. The perfect solution is not elusive.

Europe is the testing ground and the world is watching

PSD2 has now been fully implemented across Europe - but we didn’t get to this stage without some hiccups along the way. Fears over SCA causing unnecessary customer friction played heavy on the minds of eCommerce merchants. It was feared it would lead to negative financial impacts by denting conversion rates. Although there are effective solutions to juggling security and anti-fraud concerns with frictionless experiences, a 2022 review and consultation of PSD2 shows that technical aspects of SCA implementation and friction concerns remain.

All this has panned out under the watchful eye of international businesses, eagerly observing the successes and failures of PSD2 SCA and the impact it has on reducing fraud rates, but also on how it influences customer behaviours. A positive customer UX is always at the forefront of any revenue growth - damaging this can be detrimental to a company’s profitability and online reputation.

With delays in implementation (the UK deadline was moved back to March 2022), parts of Europe have had varying degrees of success. The Nordic region, for example, had few problems in meeting compliance requirements due to having a developed digital infrastructure that could accommodate the changes. Contrast this with Spain where merchants still struggle with 3DS authentication measures, unaware that some friction can lead to overall effectiveness in reducing fraud rates and keeping customers safe. But conversion matter most, no? Perfect equilibrium is an optimal option.



Strong Customer Authentication - how has the world reacted?

Any international company that has ‘1 leg out transactions’, meaning they are physically based outwith the European economic zone but deal with customers within this region, are required under PSD2 to apply authentication measures to payments and transactions. Due to this, despite perhaps not being required by regulations in their country of origin, they have started looking into implementing authentication measures for all transactions (not just those dealing with European customers to meet PSD2 compliance). The benefit is, of course, a reduction in fraud rates.

Many countries are following suit with regulations to introduce their own version of SCA for online payments. Brazil, for example, already has two-factor authentication for domestically issued cards. Similar initiatives exist in India, Australia and South Africa (each having its own exemptions based on what they deem to be acceptable levels of risk - i.e. authentication is only required for transactions above a certain threshold). Japan is also planning to introduce their own version of SCA.

Africa is a unique example, showing the contrasts of how SCA can succeed, or be a perceived hindrance, due to the very nature of payments in the country. Although countries like Kenya are showing innovation in fintech companies introducing SCA measures, in Nigeria, mobile payments are immensely popular. Such payments are often performed through 2G phone networks, without the need for an internet connection - making the task of effective authentication of users more difficult. The major concern for African merchants is that any SCA measures are causing friction for customers and impacting conversions. Despite a rise in e-payments, it must be remembered that cash still holds the top spot for daily payments and transactions across Africa. eCommerce will grow here over the next 5 years, so effective authentication measures must meet the challenges of ensuring frictionless experiences while keeping fraud rates to a minimum.

Other forms of authentication

The world of online payments has never been as diverse as it is today. Many of the changes we’ve witnessed have occurred in the last decade or so, and what is clear is that the payment infrastructure and experiences offered to customers have changed immensely. The technology behind it all has been a significant driver of change. Some of these innovations have resulted in an improvement in authentication measures for online transactions - moving away from simple address, geolocation and basic account details to authenticate users.

One of the standard forms of authentication has been 3DS authentication, a global standard for global online payments provided by major card schemes (VISA and Mastercard). 3DS2 is a key component of PSD2’s SCA. 3DS1 is being phased out in favour of the updated 3DS2 - security infrastructure is better suited to deal with frictionless experiences for payments and transactions, incorporating multi-factor authentication. It also solves security vulnerabilities experienced with 3DS1 (leaving it prone to cyberattacks). With VISA and Mastercard setting an October 2022 date for 3DS1 to no longer be supported or payments processed, it is essential for merchants and financial institutions to stay ahead of changes. Of course, leaving it late can lead to some major hiccups in online payments.

Innovation has been the foundation of open banking principles, and it is fintech companies that are leading with more advanced forms of authentication - by taking a holistic approach to fraud prevention, and using behavioural biometrics to authenticate payments and transactions. The growth of open banking in South America and Asia, for example, is pushing for improved authentication measures. Improved services require better overall security.

Behavioural biometric authentication - the best way forward

Wherever you are in the world, the best course of action for any business is to act before any new form of SCA legislation kicks in. By choosing an advanced fraud solution that uses behavioural biometrics and digital fingerprinting to fully understand every single service user, you not only gain the best possible fraud prevention but stay ahead of the curve when it comes to strict and advanced authentication measures. It is already possible to limit the negative impact of the requirements to authenticate every payment and transaction.

Advanced fraud solution providers use machine learning models to power their analyses of every single service user - from registration, use and payment processing - by understanding actions, motives and device setups. Using behavioural biometric authentication, coupled with an understanding of network and device setups, it is possible to block fraud attempts. Crucially, authorising users by meeting strict multi-factor authentication requirements set out by PSD2 SCA (and 3DS2) measures is done in a frictionless manner.

With this approach, there is no need for invasive and ineffective authentication measures that may cause friction for customers. Every process and analysis takes place automatically, in real-time and completely unseen by regular service users. The result is a truly frictionless experience, with security as the core element to protect users and merchants from fraudsters. Such solutions are already available, you just need to find the perfect SaaS company to help you bypass the pains of friction, no matter where you are in the world.

If you want to make the most of Strong Customer Authentication (SCA) in your payment flow, without causing your customers unnecessary friction, let us show you how our solution can work for you. Just click 'book a call' at the top of this page or contact Patrick directly via email at or via LinkedIn.

Ready to try out effective customer ID authentication?

Ready to try out effective customer ID authentication?

If you wish to learn more about how to effectively introduce strong customer authentication measures into your online payment flow with a frictionless setup, arrange a call with us.

Go to pricing