An Intro to PSD2 SCA Requirements


It’s estimated that by 2024, 74% of fraudulent card transactions worldwide will involve card-not-present (CNP) transactions. The PSD2 regulatory framework is designed to protect customers and financial institutions operating in the digital payment ecosystem from fraud, especially CNP fraud.

What is PSD2 SCA?

The revised Payment Services Directive, more generally known as  PSD2, is a regulation that has been implemented in Europe, covering countries in the EEA, Monaco and the UK. Its main goals are to improve customer choice among payment providers, protect customer safety, and combat payment fraud. One key aspect of PSD2 is its obligation for all companies that provide payment services, including banks, financial institutions or other payment service providers (PSPs), to use Strong Customer Authentication (SCA). 

The PSD2 SCA requirements oblige relevant companies to enhance customer security around payments by deploying multi-factor authentication (MFA) for relevant transactions. MFA means that the customer must verify their identity by providing two or more factors of authentication. The guidelines on PSD2 SCA also note that authentication must be performed in a manner that protects customer data. 

Who Needs to Comply with PSD2 SCA? 

Who falls under the umbrella of PSD2 SCA compliance? Well, it's not just the traditional players in the banking industry. Thanks to PSD2, new players like Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs) have entered the scene. PISPs act as intermediaries between customers' banks (or where their money is) and sellers of goods or services. AISPs, upon user permission, consolidate all user financial information (such as deposits, loans, and direct debits) in one place. 

If your company falls into these categories, you need to adhere to the PSD2 SCA requirements when providing the following services:

  • Payment initiation services (these inform a seller that the customer has proceeded through an online purchase)
  • Account access (when a user, or a third-party service provider, asks their bank to inform them of their financial situation)
  • Card-based instructions (when a customer asks their bank or PSP to pay someone from their account)

If the payment or information instruction is initiated and processed in the regulation’s area, it must follow PSD2 SCA guidelines. For US companies, this could apply, for example, if they have a European-based entity or are looking to provide the specific services mentioned to EU citizens.

Organizations are required to decline transactions that do not meet SCA requirements. There are exemptions for small transactions (less than €30), where the financial institution can prove it is a low-risk transaction or where the customer has whitelisted the service provider, such as for a direct debit of a phone or electricity bill.

How to Implement PSD2 SCA

To comply with the PSD2 SCA requirements, organizations must ensure that their customer authentication meets the regulatory technical standards (RTS) set out for PSD2 SCA. This involves implementing MFA for relevant transactions and adhering to  other specifications detailed in the RTS. These include:

  • Dynamic linking of remote payments (creating a unique code specifying payee and amount to reduce fraud) should be based on technologies such as digital signatures or cryptographically underpinned validity assertions using keys. 
  • Special advice should be given about the length or complexity of knowledge factors and the algorithms underpinning possession and inherence factors. 
  • The application of PSD2 SCA should strike a balance between enhanced security for relevant payments and user-friendliness and accessibility. 
  • Payments and PSD2 SCA elements must have separation. For example, if a smart device is used to make a payment and also counts as a factor of authentication, there must be a clear process to differentiate them. 

Benefits of PSD2 SCA

Beyond regulatory compliance, PSD2 SCA brings other significant benefits to financial institutions and their customers, including improved customer security, fraud reduction, and a better user experience. 

Improved Customer Security

First and foremost, PSD2 SCA enhances customer security by raising the bar for authentication. With MFA in place, it becomes much harder for attackers to impersonate users and carry out fraudulent activities. While there are still issues around allowing knowledge factors (namely passwords) in MFA as they can be easily phished or brute forced, mandating MFA is a major step towards a more secure online world for consumers.

Reduced Fraud

Fraud committed through account takeover, which uses a victim’s card or bank details to purchase items, can create significant distrust between the customer and the firm involved, even if neither party was at fault. Reducing payment fraud fosters greater trust in online transactions, making customers more comfortable with making purchases and boosting revenue opportunities for service providers.

Better User Experience

The PSD2 SCA regulation recognizes the importance of maintaining a user-friendly process. Nobody wants frustrated customers abandoning their shopping carts due to cumbersome authentication requirements or forgotten passwords. The specification for being accessible and user-friendly means companies complying with PSD2 SCA should consider how their authentication stream impacts the user and how it can be as frictionless as possible.

What’s Next?

Earlier this year, the European Commission presented a study on the application and impact of PSD2. The study follows a period of open consultations into revisions of PSD2 legislation. It is widely expected that a PSD3 framework will be announced, but its timing and the extent of the revisions have not yet been made public.

Comply With PSD2 SCA and Improve Customer Experience With HYPR

The PSD2 regulates financial transactions in the EU and other countries such as the UK and Norway. Its strong customer authentication (SCA) requirement obliges financial institutions, banks and payment service providers to maintain strict MFA authentication procedures for operations such as payments over €30 or requests for account information. The PSD2 SCA requirements aim to improve online consumer trust by reducing fraud and account takeover attacks, yet without a significant trade-off of user experience.

HYPR’s True Passwordless solution for customer authentication allows firms to fully comply with the PSD2 SCA and transaction signing directives, including cryptographic signing of every transaction and unique dynamic linking. With HYPR, you can ensure SCA regulatory compliance while removing friction from your CIAM security process. To learn more, read our PSD2 SCA guide or contact our team.

New call-to-action

Related Content