SCA: Better Safe Than Sorry or Too Much of a Good Thing?

PSD2 introduced Strong Customer Authentication. But why is SCA often at odds with a smooth customer journey?

Aug 18, 2022 - 3 min.

The introduction of the second payment services directive (PSD2) was accompanied by the roll-out of strong customer authentication (SCA). The goal of SCA is to enhance the security of electronic payment transactions. For instance, banks were obligated to carry out an additional check during online payments to verify the identity of the consumer. Read our latest blog post to learn what the term SCA means and why a tense relationship exists between security measures and the provision of a seamless customer journey: 

What’s behind SCA?

In conjunction with the introduction of PSD2, the security requirements for strong customer authentication on the ‘access devices’ and ‘access software’ that make it possible to access online accounts and carry out transactions became binding throughout Europe. When a customer wants to access their bank account online, SCA is required to initiate an electronic payment operation or complete actions on a remote channel that could involve a risk of payment fraud or another misuse. 

Strong customer authentication offers an additional security layer when customers perform actions such as completing money transfers using their online banking services. The protective measures were extended to include two-factor authentication so that the customer’s identity can be verified. This means that two types of verification are required from a total of three available categories. 

The three categories relate to: 

  • Knowledge, i.e. something known only to the customer; examples include the PIN, a password or the response to a security question
  • Possession, i.e. something that only the customer possesses; examples of this include a smartphone, a PC or a tablet
  • Inherence, i.e. something that defines the customer; examples are biometric features such as the face or a fingerprint 

Payment can only be completed if two of the three forms of customer authentication are fulfilled. 

The exceptions to the rule: when SCA isn’t used 

Strong customer authentication is not used in all cases, and there are exceptions. Retailers can make things easier for their customers to reduce the number of abandoned transactions. SCA is not generally required for online payments of less than EUR 30. In some cases, there is also a ‘but’: if the customer makes five or more payments of less than EUR 30 each in succession or if the total of multiple smaller transactions exceeds EUR 100, authentication is required. 

For recurring payments such as standing orders, the customer must only complete SCA for the first payment that they initiate. However, if the amount of the recurring payment changes, the strong customer authentication process must be completed again. 

Then there is the option of ‘whitelisting’. As the name implies, this is the opposite of blacklisting, and it allows payment processes to be streamlined. In this scenario, a customer adds a company to a list of ‘trustworthy beneficiaries’. With this system, end users can tick a box during checkout to add a specific retailer or company to the whitelist. This eliminates the need for strong customer authentication for payment transactions, irrespective of the sums and frequency. 

There are also other cases in which SCA is not required. However, this begs the question: don’t all these exceptions open up new vulnerabilities? 

Wherever there is light, there are also shadows

The introduction of PSD2, along with strong customer authentication, is designed to prevent purchasers from becoming victims of fraud. On the other hand, there are reports of increasing numbers of purchases being abandoned precisely because of strong customer authentication. This clearly shows the delicate balance between providing security for customers while ensuring a seamless customer journey. 

Cybercriminals have worked hard to uncover vulnerabilities and find ways to bypass the security precautions covering all aspects of the second payment services directive. In forums on the dark web, tips are exchanged, and presentations are offered that explain how SCA can be bypassed. The types of attacks employed are varied. In one frequently used method, fraudsters access software or firmware illegally and use malware to bypass authentication systems. The necessary information about vulnerabilities can be purchased on the dark web. 

Other types of attack are social engineering attacks, which exploit humans as the weakest link in the security chain. Emails, SMS messages, messages on social media or personal phone calls are used to persuade victims to disclose their personal data. In the case of authorised push payment (APP) scams, the manipulated person even carries out the transaction themselves under the instruction of the criminals. This type of fraud is often successful because the method targets a person rather than the security protocol itself. 

This tense relationship demonstrates that cybercriminals will always find ways of getting around existing security procedures. Nevertheless, customer convenience should not be forgotten when it comes to issues of security. Biometric processes such as fingerprints are proven to guarantee security and a seamless customer journey.


The Digital Customer Experience as a Success Factor