Strong Customer Authentication (SCA) – strengthening digital payment security under PSD2 and PSD3

Introduced under PSD2 and set to be reinforced under PSD3, SCA requires multi-factor authentication for most digital transactions, ensuring that access is granted only when at least two independent verification elements are confirmed.

The goal is straightforward: stop unauthorized access, reduce fraud, and build consumer trust — without disrupting legitimate transactions.

The foundation of SCA compliance

SCA rests on a simple but powerful concept: authentication must be based on at least two out of three independent elements.

These are:

• Knowledge – something the user knows (e.g. password or PIN).
• Possession – something the user has (e.g. phone, card, hardware token).
• Inherence – something the user is (e.g. fingerprint, facial recognition, voice).
  
  

Each element must be independent, meaning that if one is compromised, the others remain secure.

Under the EBA’s Regulatory Technical Standards (RTS), SCA applies to most digital payments, unless the transaction qualifies for an exemption under Transaction Risk Analysis (TRA) or specific low-risk categories.

Related: See [Transaction Risk Analysis (TRA)] for how real-time fraud scoring determines SCA exemptions.

How SCA supports fraud prevention

SCA provides a systematic defense against the most common fraud vectors: phishing, account takeover, and credential theft.
It ensures that even if one factor is stolen, a fraudster cannot complete a transaction without another independent verification method.

In practice, SCA strengthens fraud prevention by:

• Blocking unauthorized payments through multi-factor checks.
• Reducing reliance on passwords, which are often reused or compromised.
• Aligning authentication with behavioral analytics, creating context-aware verification.
• Complying with EBA RTS standards to avoid supervisory sanctions.
  
  

The European Central Bank’s 2024 Payments Fraud Report found that institutions using adaptive SCA frameworks achieved a 35% reduction in unauthorized transactions compared to static implementations.

Balancing compliance and customer experience

While SCA improves security, it can also introduce friction for legitimate users. Overly rigid authentication increases transaction abandonment and undermines customer satisfaction.
The challenge is achieving the right balance — maximizing security while keeping transactions smooth.

Financial institutions are addressing this by:

• Using TRA-based exemptions for low-risk payments.
• Applying adaptive authentication, which increases verification only when anomalies are detected.
• Integrating biometric verification to simplify user input.
• Monitoring performance under DORA, ensuring authentication systems remain reliable and scalable.
  
  

This balance defines the next generation of digital compliance — one where security supports, rather than hinders, user experience.

The link between SCA, PSD2, and PSD3

SCA first became mandatory under PSD2, but PSD3 aims to refine and simplify its application.
PSD3 expands SCA requirements to new types of payment providers and adds stronger oversight of authentication providers and data handlers.

Key PSD3 updates include:

• Broader scope of authentication: applies to open banking and non-bank PSPs.
• Greater emphasis on interoperability: uniform authentication APIs and data formats.
• Enhanced fraud reporting: linking SCA failures to TRA outcomes.
• Stronger resilience standards: consistent with DORA for digital continuity.
  
  

Together, PSD2, PSD3, and DORA form a single regulatory ecosystem — one where authentication, risk analysis, and resilience are inseparable.

Challenges in SCA implementation

Despite clear rules, SCA remains difficult to operationalize at scale. Institutions face both technical and user-related challenges.

Common issues include:

• Legacy systems unable to support new authentication methods.
• Merchant compliance gaps, especially in e-commerce ecosystems.
• Inconsistent application of exemptions, leading to regulatory disputes.
• Cross-border authentication barriers, complicating regional standardization.
  
  

The EBA’s 2025 Compliance Review is expected to increase scrutiny of how PSPs document and justify SCA exemptions, particularly under TRA-based models.

“Strong Customer Authentication is not just a regulatory box to tick. It’s the new baseline for digital trust. The firms that master adaptive authentication will own the future of secure payments.”
– William Morris, Lead Enterprise Account Executive - UK

This reflects the emerging consensus among regulators and financial leaders — that authentication must evolve as fast as fraud itself.

Partisia’s perspective

Authentication systems rely on sensitive identity and behavioral data — data that must remain confidential while still being analyzed for risk. Partisia’s privacy-preserving computation platform allows institutions to strengthen authentication with collaborative intelligence, without sharing personal details.

With Partisia solutions, institutions can:

• Validate authentication data across entities without revealing user identities.
• Integrate behavioral analytics securely into TRA and fraud systems.
• Meet PSD3 and DORA requirements for privacy, resilience, and interoperability.
  
  

This privacy-first authentication model turns SCA into both a compliance advantage and a competitive differentiator.