The PSD2 has passed - so what’s happening with SCA (strong customer authentication)?

What is strong customer authentication, and how does it work?

The PSD2 (Payment Services Directive 2) has been in effect in the Netherlands since January. Although the banks have requested an 18-month postponement, SCA (strong customer authentication) is also set to be introduced on 14 September 2019.

SCA is part of the PSD2, which is European legislation primarily aimed at preventing online fraud as effectively as possible.


Why SCA?

Online fraud is currently responsible for damage worth 1.3 billion euros. The introduction of SCA will require online consumers to verify their identity using two-factor authentication. This new European verification standard is not only intended to combat fraud, but also to strengthen the general security of online payments.

Two-factor authentication

SCA requires an additional authentication step for online credit card payments. Until recently, the credit card number and CVC (card verification code) were sufficient; customers who wish to pay for something online are now required to use at least two of the three available types of authentication. These are something you have (smartphone), something you know (password/PIN), and something you are (fingerprint/facial recognition).

To what extent do you already comply with SCA if your payments are going through PAY.?

Many of the existing payment methods in PAY. already make use of two-factor authentication. Examples include MasterCard and Visa, which use a 3-D Secure verification step. During a MasterCard or Visa credit card payment, your customer is redirected to a payment environment in which they need to enter an extra PIN or password. However, this can lead to unnecessary conversion loss.

For this reason, 3-D Secure 2.0 is being introduced as part of PSD2. Your customers will be able to complete their payment using, for example, a fingerprint or facial recognition on their smartphone. The payment is handled entirely in the app or on the relevant web page; redirection is no longer necessary. The authentication check will be both faster and simpler for your customers, which benefits conversion. On top of that, SCA will not be necessary for all types of payment. For purchases below €30, low-risk payments or periodic payments, the two-factor authentication obligation does not apply.

If your customer chooses the ‘pay by credit card’ option, then we run a check to see whether or not two-factor authentication should be applied. This depends on the type of credit card and the exceptions. However, it’s always up to the issuing bank to determine whether or not the exception is accepted.

Diagram of the payment process with/without strong customer authentication

The way the payment process works (with or without SCA) is illustrated in the diagram below.


PAY. gives you peace of mind!

As a PAY. customer, you don’t need to change anything to comply with these new regulations. PAY. will ensure that all the changes necessary for complying with SCA are implemented in the check-out process, so that all payments proceed efficiently.

If you’re not yet a PAY. customer, but you’re looking for a strategic partner in payments who will take care of SCA compliance matters for you, please contact one of our specialists by email at or by telephone on +31 (0)88 88 666 66.
