
Strong customer authentication

Strong customer authentication (SCA) is an authentication requirement mandated by the European Union's Revised Payment Services Directive (PSD2), defined as a process using two or more independent elements categorized as knowledge (something only the user knows), possession (something only the user has), and inherence (something the user is), designed to ensure the breach of one element does not compromise the others while protecting authentication data. SCA requires payment service providers to apply this multi-factor verification whenever a payer accesses their payment account online, initiates an electronic payment transaction, or performs remote actions posing risks, with elements dynamically linked to the specific amount and payee to prevent unauthorized use. Enforced initially in September 2019 following PSD2's 2015 adoption, full implementation encountered delays across member states and the United Kingdom due to technical readiness issues among providers, extending compliance deadlines into 2021 and 2022 in some jurisdictions.

The protocol's primary aim is to curb payment fraud by shifting liability for unauthorized transactions to providers failing adequate authentication, though exemptions exist for low-value payments, secure corporate processes, and transactions below risk thresholds to mitigate usability disruptions. While SCA has demonstrably strengthened defenses against account takeovers and card-not-present fraud through heightened verification rigor, its rollout sparked debate over balancing security gains against friction, as mandatory prompts often interrupt seamless transactions, prompting regulatory adjustments like expanded exemptions and ongoing refinements under PSD3 proposals. Implementation challenges, including hurdles for third-party providers and variable adoption rates, underscored tensions between fraud reduction imperatives and practical deployment, with some analyses highlighting persistent vulnerabilities in exempted scenarios despite overall liability shifts favoring consumers.

Definition and Requirements

Core Principles

Strong customer authentication (SCA) constitutes an authentication process based on the use of two or more elements categorized as knowledge (something only the user knows, such as a password or PIN), possession (something only the user possesses), and inherence (something the user is, such as biometric characteristics). These elements must be drawn from distinct categories to verify the payer's identity during electronic payment transactions and account access, with application mandated for remote channels to mitigate fraud risks.

The elements employed in SCA are required to be independent, such that the breach or compromise of one does not undermine the reliability of the others, thereby preventing scenarios where a single compromise propagates to full failure. This independence is further reinforced by design features that safeguard the confidentiality of authentication data, ensuring no shared secrets or correlated weaknesses across factors.

A critical component of SCA involves dynamic linking, where mechanisms incorporate elements that uniquely bind the challenge to the transaction's specific amount and payee, rendering intercepted codes unusable for altered or replayed transactions. This measure counters man-in-the-middle and replay attacks by enforcing transaction-specific validation, distinct from static codes.

At its foundation, SCA operates on the principle that layering independent verification factors distributes risk across multiple causal barriers, such that unauthorized actors must overcome disparate hurdles simultaneously—a configuration empirically justified by pre-regulatory patterns of payment fraud, where single-factor compromises like credential theft enabled widespread unauthorized access and losses exceeding €1 billion annually in SEPA card fraud by the mid-2010s.

Authentication Elements

Strong customer authentication under the Revised Payment Services Directive (PSD2) mandates the use of two or more distinct elements from three categories: knowledge, possession, and inherence. These elements ensure that authentication relies on factors not easily transferable or replicable, thereby reducing unauthorized access risks through empirical validation of user identity.

The knowledge element consists of information only the user knows, such as a personal identification number (PIN) or static password. However, static passwords exhibit significant vulnerabilities, as evidenced by their role in major data breaches; for instance, weak or compromised passwords contributed to 30% of global data breaches, with over 16 billion unique passwords exposed across incidents reported up to 2025. Stolen credentials were factors in 88% of breaches analyzed in patterns involving initial access, underscoring how reusable knowledge factors enable credential-stuffing attacks when databases are compromised.

The possession element involves an object or device exclusively under the user's control, such as a hardware token or software generating one-time codes. Common implementations include dynamic linking through short-lived codes sent to a registered device, but short message service (SMS)-based variants face exploitation via SIM-swapping attacks, where fraudsters hijack phone numbers to intercept codes. In the United States, SIM swap scams resulted in $26 million in losses in 2025, while reports surged 1,055% from 289 incidents in prior years to nearly 3,000 in 2024, driven by social engineering of carriers.

The inherence element relies on inherent user characteristics, including physiological traits and behavioral patterns. Biometric methods, such as facial recognition and fingerprint scanning, have seen rapid adoption due to their balance of usability and resistance to remote attacks, with the global biometrics market valued at $41.58 billion in 2023 and projected to exceed $267 billion by 2033. Surveys indicate 72% of global consumers preferred facial verification for secure transactions in 2022, reflecting empirical preferences for frictionless authentication over knowledge or possession factors prone to compromise. This growth stems from biometrics' causal advantage in verifying identity without shared secrets, though implementation must address false positives from environmental variables.

Regulatory Mandates

The Revised Payment Services Directive (PSD2), formally Directive (EU) 2015/2366, imposes a legal obligation on payment service providers (PSPs), including account servicing PSPs (ASPSPs) such as banks, to implement strong customer authentication (SCA) for electronic payment transactions as specified in Article 97. This mandate requires multi-factor authentication—combining at least two independent factors of knowledge, possession, and inherence—for payer-initiated transactions, effective from 14 September 2019, following the directive's transposition into national laws by 13 January 2018. Phased enforcement was permitted by the European Banking Authority (EBA), with many member states granting temporary extensions beyond the initial deadline to facilitate compliance, though the core requirement remained binding.

The scope encompasses all electronic payments within the European Economic Area (EEA), excluding certain low-value or exempted transactions, but mandates SCA as the default for online and remote payments to mitigate fraud risks. Non-application of SCA triggers a liability shift under PSD2 rules: the provider or merchant not enforcing it assumes responsibility for resulting unauthorized or fraudulent transactions, reversing the prior default where issuers often bore such costs. This mechanism applies specifically to EEA-denominated or EEA-originated transactions, even if involving non-EEA entities, thereby extending indirect pressure for compliance beyond EU borders.

Non-compliance enforcement falls to national competent authorities, as per Article 103 of PSD2, which mandates member states to impose "effective, proportionate and dissuasive" penalties, including administrative fines scaled to the severity of breaches and the entity's size. While fine caps vary (e.g., unlimited in some jurisdictions or tied to multiples), the prospect of such sanctions, coupled with liability exposure, has demonstrably accelerated adoption rates among PSPs, with regulatory scrutiny focusing on persistent non-adherence post-2019 rollout. Member states retain discretion in penalty design, but PSD2 emphasizes deterrence to ensure uniform application.

Implementation

Technical Mechanisms

Strong customer authentication under the Regulatory Technical Standards (RTS) mandates the use of at least two factors from three categories: knowledge (e.g., a password or PIN), possession, and inherence (e.g., biometric data such as fingerprints or facial recognition). These factors must be designed to remain independent, such that compromise of one does not automatically enable breach of the others, as a single endpoint—such as a user's device—can be fully controlled by malware or physical theft, allowing capture of isolated credentials without additional barriers. Authentication codes generated for transactions incorporate cryptographic methods like one-time passwords or digital signatures, resistant to forgery and replay attacks through dynamic linking to specific transaction details including amount, payee, and account numbers.

For card-not-present payments, the 3D Secure 2.0 protocol implements SCA by facilitating data exchange between merchants, acquirers, and issuers, enabling frictionless authentication for low-risk transactions without user intervention. This involves sharing up to 150 data elements per transaction, such as device attributes, transaction history, and behavioral signals, for risk assessment, allowing approval if fraud probability falls below predefined thresholds, while escalating to challenge flows (e.g., OTP) for higher risks to satisfy the two-factor requirement.

Secure communication protocols underpin SCA deployment, requiring Transport Layer Security (TLS) version 1.2 or equivalent to encrypt data in transit, ensuring confidentiality and integrity against interception or tampering. Tokenization replaces sensitive elements like primary account numbers with non-sensitive equivalents during transmission, minimizing exposure even if channels are partially compromised, as full card data reconstruction demands separate vault access. Multi-factor enforcement addresses endpoint vulnerabilities causally: a single possession factor, for instance, fails against SIM-swapping or device malware that proxies inputs, but pairing with knowledge or inherence forces attackers to exploit uncorrelated vectors simultaneously, exponentially raising the required resources and detection likelihood.

In open banking contexts under PSD2, SCA integrates with application programming interfaces (APIs) via dedicated secure interfaces that third-party providers (TPPs) use for payment initiation or account information services, embedding multi-factor checks at consent and transaction stages. These APIs adhere to standardized protocols like OAuth 2.0 for authorization flows, combined with SCA elements to verify user intent, preventing unauthorized access while enabling TPPs to initiate dynamically linked payments without storing credentials. Compliance requires APIs to support real-time risk monitoring and fallback to challenge-based authentication if automated assessments deem risks elevated, preserving integrity across distributed systems.
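The dynamic linking described in this section can be illustrated with a short sketch. This is an added example, not code from the RTS or from any payment scheme: it assumes an HMAC-SHA256 code over the amount, currency and payee, and the key, nonce, validity window and function names are all hypothetical.

```python
import hashlib
import hmac
from decimal import Decimal

# Constructed demo key (assumption): stands in for a per-device secret that a
# real deployment would keep in an HSM or the handset's secure element.
DEVICE_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f" * 2)
CODE_TTL_SECONDS = 120  # assumed validity window; the page gives no figure


def canonical_tx(amount: str, currency: str, payee: str) -> bytes:
    """Normalise the bound fields so both sides authenticate identical bytes."""
    amt = Decimal(amount).quantize(Decimal("0.01"))  # "49.9" and "49.90" must match
    acct = payee.replace(" ", "").upper()
    return f"{amt}|{currency.upper()}|{acct}".encode()


def make_auth_code(key: bytes, amount: str, currency: str, payee: str,
                   nonce: bytes, issued_at: int) -> str:
    """Authentication code bound to amount, payee, a one-time nonce and issue time."""
    msg = b"|".join([canonical_tx(amount, currency, payee),
                     nonce.hex().encode(), str(issued_at).encode()])
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Verifier:
    """Server side: recomputes the code from the transaction actually submitted."""

    def __init__(self, key: bytes):
        self._key = key
        self._seen = set()  # nonces already accepted once

    def verify(self, code, amount, currency, payee, nonce, issued_at, now) -> str:
        if not 0 <= now - issued_at <= CODE_TTL_SECONDS:
            return "expired"
        expected = make_auth_code(self._key, amount, currency, payee, nonce, issued_at)
        if not hmac.compare_digest(expected, code):
            return "mismatch"   # amount or payee differs from what the payer approved
        if nonce in self._seen:
            return "replayed"   # a valid code is accepted exactly once
        self._seen.add(nonce)
        return "ok"


def demo():
    payee = "DE00 0000 0000 0000 0000 00"   # constructed placeholder account
    other = "DE99 9999 9999 9999 9999 99"   # constructed placeholder account
    # Fixed nonce and clock keep the demo deterministic; a real nonce would
    # come from secrets.token_bytes(16).
    nonce, t0 = bytes(16), 1_700_000_000
    code = make_auth_code(DEVICE_KEY, "49.90", "EUR", payee, nonce, t0)
    v = Verifier(DEVICE_KEY)
    return [
        v.verify(code, "4990.00", "EUR", payee, nonce, t0, t0 + 5),   # amount altered
        v.verify(code, "49.90", "EUR", other, nonce, t0, t0 + 5),     # payee altered
        v.verify(code, "49.9", "eur", payee, nonce, t0, t0 + 10),     # genuine request
        v.verify(code, "49.90", "EUR", payee, nonce, t0, t0 + 20),    # same code again
        v.verify(code, "49.90", "EUR", payee, nonce, t0, t0 + 121),   # after the window
    ]


if __name__ == "__main__":
    print(demo())
```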

Compliance Strategies

Payment service providers (PSPs) and merchants implement risk-based authentication (RBA) to fulfill strong customer authentication (SCA) mandates under PSD2 by analyzing transaction-specific risks and enforcing SCA selectively for elevated threats, thereby minimizing user friction for low-risk interactions. This method uses algorithms trained on historical fraud datasets, incorporating factors like device attributes, geolocation inconsistencies, and behavioral signals to generate real-time risk scores.

Delegated authentication frameworks shift the SCA responsibility to card issuers, enabling merchants to offload technical integration while ensuring regulatory adherence through issuer-managed verification. Visa's delegated model, introduced for tokenized transactions, leverages issuer decisions to authenticate without merchant-side prompts, as outlined in its PSD2 implementation guidance effective December 2020. Similarly, Mastercard's Delegated Authentication for Merchants, available via its developer platform, supplies cryptographic evidence of prior SCA to support seamless repeat payments and reduce abandonment rates.

Testing and certification protocols, aligned with European Banking Authority (EBA) guidelines on SCA elements, require PSPs to validate authentication systems through scheme-specific assessments from Visa and Mastercard, including protocol compliance and fallback mechanisms. By mid-2021, these efforts yielded compliance rates exceeding 90% across major European markets, with 94% of payment cards SCA-enabled and 99% of merchants equipped to process compliant transactions.

Exemptions and Risk-Based Approaches

Under the Revised Payment Services Directive (PSD2), exemptions from strong customer authentication (SCA) are stipulated in the Regulatory Technical Standards (RTS) to reconcile enhanced security with practical usability, permitting payment service providers (PSPs) to forgo SCA for specified low-risk scenarios provided risk assessment confirms minimal fraud risk. These include transaction risk analysis (TRA), low-value payments, secure corporate processes, trusted beneficiaries, and recurring transactions, with PSPs required to maintain quarterly fraud rate assessments to validate exemption eligibility.

The TRA exemption, outlined in Article 18 of the RTS, allows PSPs to bypass SCA for remote electronic payments deemed low-risk via risk analysis, applicable to transactions up to exemption threshold values (ETVs) such as €100, €250, or €500 depending on the tier, where fraud rates must remain below reference levels—for instance, no more than 0.13% of transaction value for card-based payments ≤€100 or 0.06% for ≤€250—calculated over recent quarters without abnormal patterns or high-risk indicators. Low-value exemptions under Article 16 apply to remote transactions ≤€30, with cumulative amounts not exceeding €100 or five consecutive transactions since the last SCA. Secure corporate processes (Article 17) exempt payments by legal entities using dedicated, authority-verified secure interfaces; trusted beneficiaries (Article 13) permit exemption for subsequent payments to pre-designated payees after initial SCA; and recurring payments (Article 14) waive SCA for follow-on fixed-amount transactions after SCA at setup.

These mechanisms, especially TRA and recurring exemptions, mitigate user friction by enabling seamless processing for routine low-risk activities, thereby curbing cart abandonment; industry assessments indicate that unmitigated SCA enforcement could reduce transaction acceptance rates by around 20% due to added steps. Exemptions avert excessive regulatory burdens that could stifle legitimate commerce, yet European Banking Authority (EBA) data from 2022 monitoring, covering 32% of remote card transactions, reveals elevated fraud in exempted categories like merchant-initiated transactions (MITs), exceeding 0.1% in value for MITs and mail/telephone orders, surpassing rates in SCA-compliant flows and signaling potential dilution if detection lapses or exemptions are over-applied without rigorous controls. The EBA attributes this to fraudster adaptation, recommending intensified monitoring to preserve exemptions' risk-based integrity without undermining SCA's core deterrent against unauthorized access.
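How these exemption rules combine into a per-transaction decision is easier to see in code. The following is an added example, not part of the RTS or of any PSP's system: it uses only the thresholds quoted above (the €500 TRA tier is left out because this page gives no reference rate for it), and the class names, the evaluation order, the counter-update convention and the rule that any high-risk signal forces SCA are assumptions.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Thresholds quoted in the text above (EUR).
LOW_VALUE_MAX = Decimal("30")
LOW_VALUE_CUMULATIVE_MAX = Decimal("100")
LOW_VALUE_COUNT_MAX = 5
# (exemption threshold value, reference fraud rate in % of value) for card payments.
TRA_CARD_TIERS = [(Decimal("100"), Decimal("0.13")), (Decimal("250"), Decimal("0.06"))]


@dataclass
class PayerState:
    """Counters kept per payer since SCA was last applied."""
    cumulative_since_sca: Decimal = Decimal("0")
    count_since_sca: int = 0
    trusted_payees: set = field(default_factory=set)


@dataclass
class Tx:
    amount: Decimal
    payee: str
    high_risk_signals: bool = False  # e.g. abnormal pattern flagged by monitoring


def tra_limit(psp_fraud_rate_pct: Decimal) -> Decimal:
    """Largest transaction value the PSP may exempt under TRA at its fraud rate."""
    limit = Decimal("0")
    for etv, reference_rate in TRA_CARD_TIERS:
        if psp_fraud_rate_pct <= reference_rate:
            limit = max(limit, etv)
    return limit


def low_value_ok(tx: Tx, state: PayerState, counter: str) -> bool:
    if tx.amount > LOW_VALUE_MAX:
        return False
    # Assumption: the PSP tracks one of the two counters, and the current
    # transaction is counted toward the limit (the conservative reading).
    if counter == "cumulative":
        return state.cumulative_since_sca + tx.amount <= LOW_VALUE_CUMULATIVE_MAX
    return state.count_since_sca + 1 <= LOW_VALUE_COUNT_MAX


def decide(tx: Tx, state: PayerState, psp_fraud_rate_pct: Decimal,
           counter: str = "cumulative") -> str:
    if tx.high_risk_signals:                 # assumed policy: any signal forces SCA
        decision = "SCA_REQUIRED"
    elif tx.payee in state.trusted_payees:
        decision = "EXEMPT:trusted_beneficiary"
    elif low_value_ok(tx, state, counter):
        decision = "EXEMPT:low_value"
    elif tx.amount <= tra_limit(psp_fraud_rate_pct):
        decision = "EXEMPT:tra"
    else:
        decision = "SCA_REQUIRED"
    if decision == "SCA_REQUIRED":           # applying SCA resets both counters
        state.cumulative_since_sca, state.count_since_sca = Decimal("0"), 0
    elif decision == "EXEMPT:low_value":     # assumed: only low-value use advances them
        state.cumulative_since_sca += tx.amount
        state.count_since_sca += 1
    return decision


def run(amounts, psp_fraud_rate_pct, counter="cumulative", payee="shop-a"):
    """Decide a constructed sequence of payments for one payer, in order."""
    state = PayerState()
    rate = Decimal(psp_fraud_rate_pct)
    return [decide(Tx(Decimal(a), payee), state, rate, counter) for a in amounts]


if __name__ == "__main__":
    # PSP above both reference rates: only the low-value exemption is available.
    print(run(["20", "30", "30", "25", "30"], "0.20"))
    # PSP at 0.10%: TRA covers up to 100 EUR but not 200 EUR.
    print(run(["80", "200"], "0.10"))
```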

Historical Development

Origins in Payment Security

The proliferation of e-commerce drove a surge in card-not-present (CNP) transactions, which bypass physical inspection and rely primarily on static details like numbers and codes for verification. This shift exposed vulnerabilities in legacy authentication, as fraudsters exploited remote access without multi-layered checks, leading to CNP comprising nearly 80% of total volume by the late . In the SEPA area, fraudulent transaction values reached €1.3 billion in 2012, reflecting a 15% year-over-year increase in cases to 9 million incidents, predominantly fueled by CNP schemes.

Single-factor methods, such as magnetic stripe data for point-of-sale (POS) transactions, stored unchanging track information that could be easily skimmed or cloned using inexpensive devices, resulting in annual global losses exceeding $1 billion from skimming alone. For CNP payments, the printed CVV (CVV2) provided minimal additional security, as it remained constant and susceptible to compromise through phishing, keyloggers, or merchant data leaks, without dynamic validation against real-time risks like malware infection. These limitations ignored underlying causal pathways of fraud, such as network intrusions enabling bulk data theft, allowing attackers to replicate credentials en masse for unauthorized use.

A stark illustration occurred in the 2013 Target data breach, where hackers accessed systems via stolen vendor credentials, extracting magnetic stripe data from approximately 40 million credit and debit cards over three weeks during the holiday season. The static nature of stripe-encoded details, including CVV1, facilitated card cloning for both POS and CNP fraud, underscoring how reliance on knowledge-based factors alone failed to mitigate breaches originating from third-party access or unpatched vulnerabilities. Such incidents, coupled with persistent CNP escalation, demonstrated the inadequacy of pre-multi-factor protocols in addressing adaptive threats like endpoint compromises.

PSD2 Introduction and Timeline

The Second Payment Services Directive (PSD2), formally Directive (EU) 2015/2366, was adopted by the European Parliament and the Council on 25 November 2015 to revise and expand the original PSD framework, aiming to enhance consumer protection, foster competition in payment services, and mandate secure authentication for electronic payments. It entered into force on 12 January 2016, with European Economic Area (EEA) member states required to transpose its provisions into national law by 13 January 2018. Article 97 of PSD2 specifically introduced requirements for strong customer authentication (SCA), stipulating that payment service providers must apply authentication based on at least two distinct factors—knowledge (something only the user knows), possession (something only the user has), and inherence (something the user is)—for initiating electronic payments and accessing payment accounts, unless exemptions applied.

To operationalize SCA, the European Banking Authority (EBA) was mandated under PSD2 to develop Regulatory Technical Standards (RTS). The EBA launched public consultations on draft RTS in 2016, incorporating feedback from stakeholders on technical feasibility and implementation burdens, before submitting the final draft to the European Commission in June 2017. The Commission endorsed the RTS in November 2017, which were published in the Official Journal and became applicable from 14 September 2019, aligning with the end of the two-year transposition period plus an 18-month period for SCA enforcement.

Initial application was set for January 2018 alongside transposition, but widespread industry concerns over readiness, cited in consultations as risks to payment infrastructure stability, prompted delays. The EBA permitted national competent authorities to grant extensions of up to 18 months (to March 2021) or further for low-risk transactions, resulting in staggered enforcement across most EEA states by December 2020. This phased approach, informed by empirical assessments of sector preparedness, mitigated potential disruptions such as transaction failures during peak rollout.

In the United Kingdom, PSD2 transposition occurred on 13 January 2018, enabling the launch of Open Banking under the Competition and Markets Authority's oversight, but Brexit complicated SCA alignment with EU timelines. Post-transition period, UK regulators enforced full SCA compliance from October 2021, integrating it with domestic standards to address certification and divergences from the EEA.

Rollout Challenges and Delays

The implementation of strong customer authentication (SCA) under PSD2 encountered significant technical hurdles, particularly in integrating two-factor authentication elements such as hardware tokens or dynamic linking with existing payment infrastructures. Payment service providers (PSPs) faced challenges in upgrading legacy systems to comply with the Regulatory Technical Standards (RTS) on SCA, including the adoption of 3D Secure 2.0 protocols and secure communication channels, which required extensive testing and coordination among banks, merchants, and third-party providers. These integration complexities contributed to widespread unreadiness, prompting the European Banking Authority (EBA) to issue an opinion in October 2019 recommending a maximum enforcement delay until 31 December 2020 for full migration to SCA in e-commerce card-based payments, allowing PSPs additional time to address operational risks without immediate penalties.

National interpretations and enforcement timelines varied, exacerbating rollout fragmentation. In the United Kingdom, the Financial Conduct Authority (FCA) initially delayed SCA enforcement to 14 March 2021 amid industry preparation gaps, and further extended it to 14 September 2021 citing disruptions that hindered testing and deployment. In contrast, Sweden's Finansinspektionen enforced SCA without a transitional period starting 14 September 2019, adhering strictly to PSD2 timelines and declining general exemptions that could prolong vulnerabilities in payment security. These divergent approaches, rooted in national competent authorities' discretion under EBA guidelines, resulted in uneven compliance by mid-2020, with some jurisdictions granting temporary derogations for low-value or low-risk transactions while others prioritized immediate application, thereby extending periods of inconsistent fraud mitigation.

Cross-border inconsistencies further complicated rollout, as varying national transpositions of PSD2 led to mismatched exemption criteria and authentication protocols. By mid-, post-Brexit divergences between the UK and the EU amplified these issues, with UK PSPs operating under extended FCA timelines clashing against stricter EBA-enforced deadlines in the EU, creating barriers for multinational merchants and exposing transactions to regulatory arbitrage. Bureaucratic delays in harmonizing these interpretations, including prolonged consultations on exemptions like transaction risk analysis, causally sustained elevated fraud exposure in non-compliant channels, as PSPs navigated fragmented supervisory expectations rather than uniform standards. The EBA's refusal of additional EU-wide extensions beyond December underscored the tension between regulatory ambition and practical feasibility, forcing accelerated adaptations that strained resources without resolving underlying coordination failures.

Effectiveness and Empirical Impact

Fraud Reduction Metrics

Transactions authenticated via strong customer authentication (SCA) under PSD2 exhibit markedly lower fraud rates compared to non-SCA transactions across payment instruments in the European Economic Area (EEA). According to the joint European Banking Authority (EBA) and European Central Bank (ECB) report on payment fraud, SCA-authenticated card payments recorded a fraud rate of 0.017% of transaction value in the first half of 2023, roughly half the 0.034% rate for non-SCA card payments. This disparity holds particularly for remote electronic payments, where card-not-present (CNP) fraud accounted for 82% of card fraud value in the same period, with SCA implementation credited for mitigating such losses through enforced multi-factor verification.

Overall payment fraud in the EEA totaled €4.3 billion in 2022, with fraud stable at €633 million in the first half of 2023 despite rising transaction volumes, attributable in part to SCA's causal effect in curbing unauthorized CNP initiations. Credit transfers, 77% SCA-authenticated by value in early 2023, showed fraud rates as low as 0.001%, underscoring SCA's role in maintaining unauthorized transactions well below exemption thresholds outlined in PSD2 regulatory technical standards (typically 0.1-0.2% depending on transaction value).

While SCA has reduced authorization-stage fraud, empirical data indicate a partial shift toward pre-authentication attacks, such as account takeovers via phishing, which comprised a growing share of "other" fraud categories in 2022-2023 reporting. Over 92% of card fraud involved fraudster-initiated transactions, but SCA compliance exceeded 65% of card payment value by mid-2023, correlating with stabilized or declining CNP volumes post-rollout compared to pre-PSD2 baselines.

Economic Costs and Benefits

Implementation of strong customer authentication (SCA) under PSD2 has entailed substantial one-off costs across the EU, estimated at €5 billion for SCA rollout alone, encompassing upgrades to authentication systems, integration with protocols like 3DS 2.1, and testing for payment service providers. These expenses have disproportionately burdened small and medium-sized enterprises (SMEs), which face ongoing annual costs including maintenance and transaction monitoring, often exceeding €278 million EU-wide for banks and adding operational burdens like per-transaction fees for methods such as one-time passwords (approximately €0.05 each). In low-fraud sectors, the cost-benefit balance remains questionable, as a of stakeholders report that PSD2 implementation costs have overshadowed perceived benefits, with limited scalability for smaller firms lacking resources for advanced risk-based exemptions.

On the benefits side, SCA facilitates a liability shift under PSD2, whereby payment service providers applying SCA assume fraud responsibility, thereby reducing merchant losses from unauthorized transactions that previously fell under acquirer liability. Empirical data indicate annual fraud savings of €900 million EU-wide attributable to SCA, with reductions in remote payment fraud risks by 60% for card transactions and up to 80% for e-money, alongside observed drops of 40% in account attacks for major providers. These prevention gains have been modeled to yield net savings over time by curbing chargebacks and enhancing trust, though short-term analyses reveal trade-offs where SCA-induced transaction failures contributed to €33.5 billion in merchant business losses during initial rollout periods (2020-2021).

Causal analysis underscores deadweight losses from SCA's friction, as evidenced by projected €57 billion in forgone economic activity from abandonment if exemptions are not optimized, diverting resources toward regulatory adherence and slowing adaptation in markets with stringent mandates compared to those employing lighter authentication regimes. While PSD2's broader provisions spurred a 70% rise in new PayTech startups, SCA-specific compliance has imposed asymmetric costs that hinder agility for entities in high-friction environments, prioritizing enforcement over efficiency gains in low-risk scenarios. Overall, cost-benefit evaluations highlight that fraud mitigation benefits accrue primarily to issuers and consumers, but merchants and SMEs endure disproportionate ongoing economic burdens, with net positive returns contingent on effective risk-based exemptions to minimize abandonment.

User Experience Data

Following the enforcement of strong customer authentication (SCA) requirements under PSD2, online merchants experienced initial spikes in cart abandonment rates of roughly 10-20%, primarily due to the added friction from mandatory two-factor verification steps akin to earlier 3D Secure (3DS) protocols. Surveys of merchants indicate that 38% identified increased cart abandonment as a major consequence of SCA implementation, often linked to drop-off during prolonged checkout processes. These effects were particularly pronounced in high-volume environments, where even minor delays in authentication prompted users to exit transactions.

Risk-based exemptions and frictionless authentication flows, such as low-value or trusted beneficiary exemptions, have subsequently reduced abandonment impacts, enabling merchants to maintain higher completion rates by applying SCA selectively to higher-risk payments. Biometric methods have demonstrated superior outcomes over traditional one-time password (OTP) alternatives, with adoption yielding 2-3 percentage point increases in transaction success rates by minimizing manual input errors and delays.

Despite these mitigations, SCA's authentication challenges have drawn criticism for exacerbating usability barriers for elderly consumers and individuals with limited digital literacy, who report higher rates of failed attempts with app-based or SMS-delivered OTPs compared to integrated biometrics. The introduced friction also correlates with diminished impulse buying, as interrupted checkout flows reduce spontaneous completions, with up to 26% of users abandoning carts perceived as overly complex or time-consuming. Overall, while seamless SCA variants foster greater consumer tolerance, persistent step-up prompts contribute to a net usability trade-off, balancing enhanced security against measurable declines in transaction fluidity.

Criticisms and Limitations

Friction and Conversion Impacts

SCA's mandatory authentication challenges introduce substantial friction into online payment flows, leading to documented reductions in conversion rates. Industry reports have recorded drops of up to 20% in conversion rates for marketplaces implementing SCA, as the additional verification steps disrupt the seamless checkout experience essential for completing transactions. This effect is particularly pronounced for high-velocity merchants, where rapid processing is standard and any interruption amplifies abandonment risks.

The primary mechanisms driving this friction stem from required dynamic linking elements, such as one-time passwords (OTPs), which necessitate user input and verification pauses. SMS-based OTP delivery, a common fallback method, incurs average delays of 15 to 45 seconds for message receipt alone, compounded by entry time, resulting in heightened user frustration and mid-process exits. Authentication flows dependent on such SMS OTPs exhibit abandonment rates reaching 30%, as consumers perceive the added effort as disproportionate to the transaction's value.

These usability barriers causally incentivize behavioral adaptations, including shifts to lower-friction alternatives where exemptions apply or complete withdrawal from the purchase, as empirical patterns in consumer decision-making reveal a low tolerance for procedural delays in high-stakes digital interactions. Consequently, the friction not only erodes immediate sales but also fosters long-term evasion strategies among users, diminishing the practical reach of SCA protocols in competitive markets.

Regulatory Overreach Concerns

Compliance with strong customer authentication (SCA) requirements under the Payment Services Directive 2 (PSD2) has placed a disproportionate burden on small and medium-sized enterprises (SMEs), exacerbating operational challenges and potentially reinforcing incumbents' market dominance. Implementation costs for SCA ecosystem-wide are estimated at approximately €5 billion in one-off expenditures, including development and integration, with smaller firms experiencing amplified impacts due to resource constraints and the absence of proportionality in regulatory demands. Legal uncertainties arising from divergent national implementations further elevate these costs, identified as the primary expense driver for SMEs, prompting some smaller payment service providers to exit the market altogether. This uneven cost distribution is contended to disadvantage agile newcomers, as larger banks leverage scale to comply more readily, thereby limiting competitive dynamics in payments services.

PSD2's mandatory API standards and prescriptive SCA rules have drawn criticism for impeding innovation by imposing rigid technical and licensing hurdles that delay product development and market entry. Pre-implementation uncertainties, such as those surrounding the UK's implementation of PSD2 in 2016, were highlighted by businesses as actively stifling innovation through prolonged ambiguity on compliance pathways. The directive's emphasis on standardized interfaces restricts banks' ability to evolve proprietary systems, while overly detailed regulatory technical standards constrain experimentation with low-friction alternatives like advanced or behavioral biometrics. Such constraints are argued to favor compliance over creativity, particularly for resource-limited startups navigating complex processes for third-party providers.

A core concern is that PSD2's one-size-fits-all mandates undervalue adaptive, market-led innovations, prioritizing regulatory uniformity over tailored solutions that could balance fraud mitigation with minimal disruption. Critics assert that prescriptive requirements overlook how voluntary adoption of risk-based authentications in less regulated environments can yield effective outcomes without mandating universal friction, potentially fostering greater efficiency. This approach risks over-regulation by amplifying administrative loads, such as excessive reporting and supervisory divergences, without commensurate evidence of superior long-term gains relative to flexible frameworks.

Evasion and Adaptation by Fraudsters

Fraudsters have responded to strong customer authentication (SCA) by pivoting to social engineering tactics that exploit user behavior rather than technical vulnerabilities in protocols. Techniques such as real-time for one-time passwords (OTPs) or prompts to authorize fraudulent transactions have proliferated, as SCA relies on user possession of devices and knowledge of credentials, both of which can be coerced or intercepted during the authentication window. analyses indicate this shift has driven a rise in authorized push payment (APP) scams and related impersonation fraud, where victims are manipulated into completing SCA-compliant actions themselves.

Account takeover (ATO) incidents, often facilitated by combined with OTP , have increased post-SCA rollout, underscoring the protocol's limitations against persistent credential compromise. Reports from fraud intelligence firms document ATO attack rates surging 122% year-over-year in during Q3 2025, with broader consumer victimization rising from 18% in 2023 to 24% in 2024, as criminals adapt by targeting pre-authentication stages or exploiting device possession.

Global inconsistencies in enforcement enable regulatory , where fraudsters redirect operations to non-compliant regions outside the , displacing rather than eliminating . The () has noted this vulnerability, emphasizing that uneven adoption undermines deterrence and allows cross-border exploitation of weaker jurisdictions.

SCA offers limited protection against friendly —where legitimate holders initiate and later dispute —and insider threats, such as unauthorized use by family members or compromised devices via that maintains possession factor integrity while bypassing behavioral scrutiny. These gaps highlight SCA's focus on initiation over ongoing session monitoring, permitting evasion through human or environmental factors inherent to the model.

Future Directions

PSD3 and PSR Reforms

The Payment Services Directive 3 (PSD3), proposed by the on 28 June 2023, seeks to refine strong customer authentication (SCA) requirements introduced under PSD2 by introducing greater flexibility, including the delegation of authentication processes to qualified third parties while mandating that payment service providers (PSPs) retain ultimate control and liability for . This delegated model allows issuers to outsource elements of SCA—such as biometric or device-bound verification—to merchants, acquirers, or specialized providers, potentially streamlining low-risk transactions without requiring full two-factor challenges on every initiation. PSD3 also explicitly accommodates emerging authentication technologies like passkeys, which leverage for phishing-resistant, device-synced verification, positioning them as compliant alternatives to traditional knowledge- or possession-based factors. Refinements to exemption criteria, such as expanded transaction risk analysis thresholds and low-value payment waivers, aim to promote inclusivity for vulnerable users while addressing PSD2-era feedback on excessive friction, with implementation targeted for 2026 or later pending trilogue agreement expected in late 2025.

Complementing PSD3, the proposed Payment Services Regulation (PSR)—envisioned as directly applicable law without transposition delays—enhances mitigation through mandatory incident reporting within four hours for significant breaches and a dedicated regime shifting responsibility to PSPs for authorized push payment (APP) scams exceeding €50,000 or involving . These measures build on empirical data from 2022–2024, where reduced card-not-present by up to 80% in compliant jurisdictions but correlated with 10–20% cart abandonment rates due to hurdles, prompting regulators to prioritize dynamic assessments over rigid two-factor mandates. further mandates PSPs to implement dedicated prevention frameworks, including real-time monitoring and customer education, to curb evasion tactics observed in post-PSD2 patterns.

PSD3 and PSR also address intersections with the Markets in Crypto-Assets Regulation (MiCA), effective from June 2023, by classifying certain crypto-asset transfers as payment services subject to SCA where fiat on-ramps occur, with the European Banking Authority advising national authorities to enforce PSD rules on crypto exchanges to prevent fraud leakage. This interplay ensures consistent liability for hybrid transactions, responding to rising crypto-related scams documented in 2023–2024 Europol reports, while avoiding overreach into pure asset transfers under MiCA's custody rules. Overall, these reforms reflect a data-driven pivot toward adaptive, user-centric security, informed by PSP consultations highlighting SCA's trade-offs between fraud suppression and conversion efficiency.

Integration with Emerging Tech

Strong customer authentication (SCA) protocols are increasingly incorporating passkeys based on the FIDO2 standard, which enables phishing-resistant delegated authentication by binding cryptographic keys to specific domains and devices, thereby serving as a possession factor or replacing traditional knowledge-based elements like passwords. This integration allows for outcome-based SCA, where successful passkey attestation confirms transaction legitimacy without additional steps in low-risk scenarios, as demonstrated in European payment pilots leveraging extensions. Industry analyses from 2025 highlight that such implementations effectively neutralize AI-generated attempts, which exploit traditional multi-factor methods, by ensuring credentials never traverse networks in transferable form.

Biometric technologies, including facial recognition and behavioral analysis, augment as factors, often combined with device-bound elements to satisfy two-factor requirements while minimizing user friction. Emerging pilots integrate liveness detection via to counter spoofing, addressing causal vulnerabilities like presentation attacks that undermine static ; for instance, dynamic behavioral evaluate session anomalies in , enabling risk-adapted exemptions from full SCA challenges. These approaches prioritize root-cause mitigation over superficial layering, such as verifying ongoing user presence rather than relying solely on initial enrollment scans, though adoption lags due to hurdles in cross-device ecosystems.

AI-driven enhancements to risk-based (RBA) within frameworks refine dynamic scoring by analyzing transaction velocity, geolocation discrepancies, and device fingerprints, permitting exemptions for transactions below elevated risk thresholds as per PSD2 exemptions. Verifiable 2024 deployments in banking consortia have shown models reducing unnecessary authentication prompts by integrating with exemptions, though empirical gains vary by model training data quality and remain susceptible to adversarial inputs mimicking legitimate . To uphold causal , these systems must evolve beyond correlative signals—such as IP anomalies—to detect device-level compromises, like exfiltration, integrating endpoint for holistic assessment rather than isolated factors.
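The domain binding described above comes down to a few server-side checks on a WebAuthn assertion, shown here as an added example that is not from the original article or from any payment scheme's code. The names `pay.example`, `Shop A` and the `transaction_challenge` scheme for tying the challenge to amount and payee are constructed assumptions; verifying the signature over `signed_bytes()` with the credential's stored public key is still required and is left out because it needs a cryptography library.

```python
import base64
import hashlib
import hmac
import json
import struct

RP_ID = "pay.example"                    # constructed relying-party ID
EXPECTED_ORIGIN = "https://pay.example"  # constructed origin of the real checkout
FLAG_UP, FLAG_UV = 0x01, 0x04            # user-present / user-verified flag bits


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def transaction_challenge(nonce: bytes, amount_minor: int, currency: str, payee: str) -> bytes:
    """Hypothetical dynamic-linking scheme: the challenge commits to amount and payee."""
    fields = [nonce, str(amount_minor).encode(), currency.encode(), payee.encode()]
    # Length-prefix each field so two different transactions never encode identically.
    framed = b"".join(struct.pack(">I", len(f)) + f for f in fields)
    return hashlib.sha256(framed).digest()


def sample_assertion(origin, rp_id, challenge, flags=FLAG_UP | FLAG_UV, counter=1):
    """Constructed stand-in for what the browser and authenticator would return."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    ).encode()
    # authenticatorData layout: SHA-256(rpId) | flags (1 byte) | signCount (4 bytes, big-endian)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", counter)
    return client_data, auth_data


def check_assertion(client_data_json, auth_data, expected_challenge, last_counter=0):
    """Return the names of failed binding checks; an empty list means all passed."""
    try:
        client = json.loads(client_data_json)
    except ValueError:
        return ["clientDataJSON"]
    if not isinstance(client, dict):
        return ["clientDataJSON"]
    failures = []
    if client.get("type") != "webauthn.get":
        failures.append("type")
    got = str(client.get("challenge", "")).encode()
    if not hmac.compare_digest(got, b64url(expected_challenge).encode()):
        failures.append("challenge")        # wrong session, or amount/payee differs
    if client.get("origin") != EXPECTED_ORIGIN:
        failures.append("origin")           # the browser records the site the user was on
    if len(auth_data) < 37:
        return failures + ["authenticatorData"]
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    (counter,) = struct.unpack(">I", auth_data[33:37])
    if not hmac.compare_digest(rp_id_hash, hashlib.sha256(RP_ID.encode()).digest()):
        failures.append("rpIdHash")         # credential was scoped to another domain
    if not flags & FLAG_UP:
        failures.append("user presence")
    if not flags & FLAG_UV:
        failures.append("user verification")
    # A counter of 0 on both sides means the authenticator does not keep one.
    if (counter or last_counter) and counter <= last_counter:
        failures.append("signCount")
    return failures


def signed_bytes(client_data_json, auth_data):
    """Bytes covered by the authenticator's signature (verify with the stored public key)."""
    return auth_data + hashlib.sha256(client_data_json).digest()


def demo():
    nonce = b"constructed-nonce-0001"
    shown = transaction_challenge(nonce, 1999, "EUR", "Shop A")
    results = {}
    cd, ad = sample_assertion(EXPECTED_ORIGIN, RP_ID, shown)
    results["genuine"] = check_assertion(cd, ad, shown)
    # A look-alike site relays the real challenge, but origin and rpId name that site.
    cd, ad = sample_assertion("https://pay-example.test", "pay-example.test", shown)
    results["lookalike_origin"] = check_assertion(cd, ad, shown)
    # The user approved Shop A, but the payment about to be executed names another payee.
    cd, ad = sample_assertion(EXPECTED_ORIGIN, RP_ID, shown)
    executed = transaction_challenge(nonce, 1999, "EUR", "Other Payee")
    results["payee_changed"] = check_assertion(cd, ad, executed)
    return results


if __name__ == "__main__":
    for name, failed in demo().items():
        print(f"{name}: {'accepted' if not failed else 'rejected: ' + ', '.join(failed)}")
```

Unlike an OTP, which verifies the same wherever it was typed, the relayed assertion fails on both `origin` and `rpIdHash` even though the challenge is the genuine one.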

Global Adoption

European Enforcement

The enforcement of strong customer authentication (SCA) under PSD2 varied across European Economic Area (EEA) countries and the , with national competent authorities implementing phased rollouts amid initial delays. In the , the extended the deadline for SCA on e-commerce transactions to 14 March 2022, marking full enforcement after prior postponements from 2021 targets. Similarly, and experienced implementation challenges, with full compliance ramp-ups extending into 2021-2022 due to difficulties in adapting payment infrastructures to SCA requirements. The European Banking Authority (EBA) provided oversight through guidelines and monitoring, ensuring progressive alignment, as most EEA states achieved mandatory enforcement by mid-2021.

Cross-border payments within the Single Euro Payments Area (SEPA) benefit from mutual recognition of compliance among EEA participants, facilitating seamless authentication for euro-denominated transfers. Post-Brexit, the retained SEPA scheme participation, but transactions between and entities introduced complications, including the need for firms to adhere to separate regulatory technical standards for , potentially increasing friction in authentication processes.

Empirical data indicate that stricter enforcement correlates with reduced fraud in high-compliance jurisdictions. In the Netherlands, where SCA was rigorously applied early, online banking and card payment fraud declined significantly following implementation, contributing to overall EEA trends where SCA-authenticated transactions exhibited fraud rates 40-60% lower than non-SCA ones by 2023. The EBA's monitoring confirmed these outcomes, with card fraud rates for SCA-protected payments averaging below 0.03% of transaction value in the first half of 2023.
In the United States, no federal mandate equivalent to Europe's has been enacted as of October 2025, with online payment security instead driven by voluntary implementation of EMVCo's 3-D Secure (3DS) protocols and requirements under state-level regulations, such as New York Department of cybersecurity rules mandating MFA for certain high-risk access. Adoption of 3DS 2.0 continues to expand, supported by network incentives from and , amid projections that U.S. payers will increasingly encounter frictionless flows as global norms pressure domestic issuers and acquirers.

India's Unified Payments Interface (UPI), handling billions of monthly transactions, functions with de facto strong authentication via Aadhaar-linked , including and for PIN-less approvals introduced in October 2025, which verify user identity against government-issued biometric databases without relying on traditional two-factor elements like knowledge-based secrets. This approach has facilitated UPI's dominance in low-value transfers while maintaining fraud losses below 0.01% of transaction volume as reported by the in fiscal year 2024-25.

Australia's New Payments Platform (NPP), launched in 2018 for account-to-account transfers, incorporates voluntary strong customer authentication options such as and one-time passcodes, but lacks SCA-style mandates, relying instead on issuer-led risk assessments and data-sharing consortia to curb authorized push payment . NPP volumes exceeded 30% of non-cash payments by mid-2025, with rates for transactions averaging under 0.05% through enhanced rather than universal multi-factor .

Visa and Mastercard have accelerated global rollout of 3DS 2.0 protocols beyond , achieving transaction volumes of $14.1 billion for Secure in fiscal year 2023 with fraud reductions up to 70% compared to non-3DS flows, yet merchant resistance persists due to integration expenses estimated at 1-2% of revenue for small businesses and potential authorization rate dips from added steps. Empirical outcomes in mandate-light regimes like and indicate that low persistence—often below 0.1% across digital payments—stems more from ecosystem-wide defenses, including analytics and biometric prevalence, than from SCA's prescriptive two-element , challenging attributions of Europe's card decline exclusively to regulatory coercion.

References

  1. [1]
    L_2015337EN.01003501.xml
    Summary of each segment:
  2. [2]
    Strong Customer Authentication & Compliance Under PSD2
    Sep 5, 2024 · Strong customer authentication (SCA) is a security requirement introduced by the Revised Payment Services Directive (PSD2) to reduce the risk of fraud in ...
  3. [3]
    Strong customer authentication requirement of PSD2 comes into force
    Sep 13, 2019 · The SCA requirement makes it easier and safer for consumers to pay for goods and services online and helps fight fraud.
  4. [4]
    2019_4564 Exemptions from Strong Customer Authentication (SCA)
    Jun 19, 2020 · Article 15 of the RTS allows for PSPs to apply an exemption from Strong Customer Authentication, where the payer initiates a credit transfer.Missing: challenges | Show results with:challenges
  5. [5]
    Strong Customer Authentication: How SCA changed payments
    Many detractors claim that it added friction at the checkout stage, making online payments more difficult. For example, strong customer authentication in the ...
  6. [6]
    Meeting the Hidden Cost of Strong Customer Authentication (SCA)
    A report highlighting the challenges and potential improvements of strong customer authentication (SCA) implementation across the EU.Missing: controversies | Show results with:controversies
  7. [7]
    Problems With EU Payment Security Persist - Dark Reading
    Proposed new security procedures within the EU have troubled some payment service providers, leading to the postponement of their implementation.
  8. [8]
    Response to discussion on RTS on strong customer authentication ...
    It is understood that if a merchant does not implement strong customer authentication, then it is liable for fraud, consistent with the current contractual ...
  9. [9]
    2020_5619 Independence of the elements for SCA
    Apr 23, 2021 · SCA elements must be independent, meaning a breach of one doesn't compromise others. While two different categories are preferred, elements ...
  10. [10]
    EBA publishes an Opinion on the elements of strong customer ...
    Jun 21, 2019 · SCA is defined in the Directive as an "authentication based on the use of two or more elements categorised as knowledge (something only the user ...
  11. [11]
    2020_5366 Clarification on where the creation of the authentication ...
    Jul 30, 2021 · Article 97(2) of PSD2 requires PSPs to apply SCA that includes elements, which dynamically link the transaction to a specific amount and a specific payee.
  12. [12]
    ECB publishes fifth report on card fraud - European Union
    In 2016, for the first time in five years, fraud rates involving cards issued in SEPA showed a slight decrease of 0.4% compared with 2015, falling to €1.8 ...
  13. [13]
  14. [14]
    35 Password Statistics 2025 - Data Breaches & Industry Report
    Jul 28, 2025 · Weak passwords cause 30% of global data breaches, and poor practices cause 81% of company breaches. 30% of internet users use password managers ...
  15. [15]
    Password breach statistics in 2025 - Heimdal Security
    Sep 2, 2025 · 16 billion passwords were leaked in one of the biggest data breaches of all time. 94% of passwords are used to access multiple accounts. ...Password Breach Data For... · Password Guessing: Brute... · Some Positives: Passwords...
  16. [16]
    2025 Data Breach Investigations Report - Verizon
    About 88% of breaches reported within this attack pattern involved the use of stolen credentials. Learn how Zero Trust security principles can minimize your ...Missing: static | Show results with:static
  17. [17]
    Is SMS OTP Reliable? Its Vulnerabilities and Alternatives - Authgear
    Sep 4, 2025 · The vulnerabilities inherent in SMS technology make OTP messages susceptible to a range of cyberattacks, from SIM swapping to SS7 exploits.
  18. [18]
    SIM Swap Scam Statistics 2025: $26M Lost in the U.S - DeepStrike
    Sep 9, 2025 · Explore SIM swap scam statistics for 2025. Learn how $26M was lost in the U.S., UK cases rose 1055%, and how to prevent SIM hijacking ...
  19. [19]
    SIM Swap Fraud 2025: Stats, Legal Risks & 360° Defenses - Keepnet
    Jul 5, 2025 · In the UK alone, reports of SIM-swap fraud rocketed 1,055 % in 2024—from just 289 incidents to almost 3,000, according to Cifas' Fraudscape data ...
  20. [20]
    2020_5353 On the requirements for 'inherence' in strong customer ...
    Apr 23, 2021 · If a strong customer authentication (SCA) element is to count as 'inherence' it must involve physical properties, physiological characteristics or behavioural ...
  21. [21]
    Biometrics Statistics: Trends, Adoption & Challenges - OLOID
    The global biometrics market size was estimated at USD 41.58 billion in 2023 and is predicted to hit around USD 267.05 billion by 2033 with a double-digit CAGR ...
  22. [22]
    Biometric Authentication: A Comprehensive Guide - Descope
    Jun 13, 2025 · 72% of people worldwide preferred face verification for secure online transactions in 2022, and more than 50% of all users authenticated with ...What Is Biometric... · How Biometric Authentication... · The Present And Future Of...
  23. [23]
    2021_6141 Association of personalised security credentials to the ...
    Dec 17, 2021 · Article 97(1)(c) of Directive 2015/2366/EU (PSD2) requires payment service providers (PSPs) to apply strong customer authentication (SCA) ...
  24. [24]
    Strong Customer Authentication - Stripe
    Strong Customer Authentication (SCA) is a European regulatory requirement to reduce fraud and make online and contactless offline payments more secure.
  25. [25]
    Understanding Strong Customer Authentication & PSD2 | Adyen UAE
    Strong Customer Authentication (SCA) is a European regulatory requirement with the goal of making electronic payments more secure and reducing fraud. Shoppers ...Missing: facts | Show results with:facts
  26. [26]
    PSD2: What it means for Payment Service Providers (PSPs) - Ravelin
    Strong customer authentication (SCA) becomes mandatory for all electronic payments under PSD2, although the provisions relating to SCA will only apply from 18 ...
  27. [27]
    PSD2 Compliance: What You Need to Know - Securiti
    Apr 16, 2024 · PSD2 provides a flexible provision when it comes to penalties for non-compliance. Article 103 of the Directive allows Member States to define ...
  28. [28]
    PSD2 compliance: What businesses need to know - NorthRow
    Sep 20, 2023 · Non-compliance with PSD2 can lead to fines and other penalties imposed by regulatory authorities. It's crucial for companies to ensure they are ...
  29. [29]
    Payment Services Directive: frequently asked questions
    In particular, PSD2 requires payment service providers to apply strong customer authentication (SCA) for electronic payment transactions as a general rule. To ...
  30. [30]
    L_2018069EN.01002301.xml - EUR-Lex - European Union
    As fraud methods are constantly changing, the requirements of strong customer authentication should allow for innovation in the technical solutions addressing ...
  31. [31]
    EMV® 3-D Secure - EMVCo
    Specifically, EMV 3DS supports SCA by enabling the use of two-factor authentication. Its flexibility allows issuers to accommodate their authentication ...
  32. [32]
    SECURITY - Strong Customer Authentication (SCA) - Mastercard
    EMV 3DS 2.0 helps comply with SCA (and with other global regulations) by gathering up to 150 data points for each transaction. With EMV 3DS 2.0 you can minimize ...
  33. [33]
    Open banking APIs explained | Stripe
    Sep 25, 2024 · Open banking APIs create a standardized, secure channel for data exchange between banks and third-party providers (TPPs).How do open banking APIs... · How to protect personal...
  34. [34]
    Risk-based authentication: The secret to meeting PSD2 compliance ...
    Feb 13, 2025 · Risk-based authentication, supported by AI-driven fraud detection, provides a scalable approach to balancing security and customer experience.
  35. [35]
    [PDF] PSD2 SCA Regulatory Guide - Visa
    Jan 1, 2021 · contextual data used within a Risk Based Analysis approach, provides a proven, accurate basis for assessing fraud risk and has minimal user ...
  36. [36]
    [PDF] PSD2 SCA for Remote Electronic Transactions Implementation Guide
    Dec 31, 2020 · ... delegated authentication, please refer to. Visa Business News: Authentication of Token Transactions with Visa Delegated Authentication. 29 ...
  37. [37]
    Delegated Authentication for Merchants - Mastercard Developers
    Reduce fraud due to cryptographic proof of authentication. Help to comply with Strong Customer Authentication (SCA) requirements in regulated markets.How It Works · Enrollment · Returning Checkout
  38. [38]
    SCA Implementation: What's Expected from PSPs in the UK and EU?
    SCA Implementation: What's Expected from PSPs in the UK and EU? · “99% of EU merchants are able to support SCA; · 94% of all payment cards in the EU are SCA- ...
  39. [39]
    PSD2 SCA exemptions: Transaction Risk Analysis (TRA) - Blog
    Feb 13, 2023 · Among PSD2 SCA exemptions, transaction risk analysis (TRA) might become the most popular. To be effective, it requires robust fraud ...
  40. [40]
    [PDF] EBA Opinion on new types of payment fraud and possible mitigants
    Apr 29, 2024 · Both MITs and MOTO transactions featured considerably higher fraud rates in H1 2022 (i.e. more than 0.1% in value – or more than 1 euro.Missing: thresholds | Show results with:thresholds
  41. [41]
    [PDF] Card-Not-Present Fraud around the World - U.S. Payments Forum
    In contrast to ATM and point-of-sale fraud, CNP fraud was the only category reporting an increase over the previous year, up 20.6 percent from 2012. While ...Missing: statistics | Show results with:statistics
  42. [42]
    [PDF] European Fraud Report – Payments Industry Challenges - Nets
    Jun 21, 2019 · Among these are the increases across Europe in Card Not Present (CNP) fraud, which now represents almost 80% of the total volume of fraudulent ...
  43. [43]
    Estonia has the lowest number of cases of card fraud in the euro area
    Feb 25, 2014 · The number of fraud cases involving cards issued in the SEPA rose in 2012 by 15% to 9 million transactions with a total value of 1.3 billion ...
  44. [44]
    Magnetic Stripe vs. Chip Cards: Differences and Security Explained
    Skimming is a common form of fraud associated with magnetic stripe cards, costing financial institutions and consumers over $1 billion annually. EMV chips are ...
  45. [45]
    All About Fraud: How Crooks Get the CVV - Krebs on Security
    Apr 26, 2016 · A common point of confusion is that there are actually two CVVs per card – one is encoded only on the mag stripe (the “CVV” or “CVV1”) and the ...
  46. [46]
    Target Data Breach: What Happened and How to Prevent It
    Feb 24, 2025 · The hackers stole data from up to 40 million credit and debit cards of shoppers who visited Target stores during the 2013 holiday season.
  47. [47]
    [PDF] A “Kill Chain” Analysis of the 2013 Target Data Breach
    Mar 26, 2014 · On December 19, 2013, Target publicly confirmed that some 40 million credit and debit card accounts were exposed in a breach of its network. 1.
  48. [48]
    The revised Payment Services Directive (PSD2)
    Mar 13, 2018 · Payment service providers are required to ensure strong customer authentication for the initiation and processing of electronic payments.Missing: core | Show results with:core
  49. [49]
    EU Regulatory Technical Standards Enter Into Force - Jones Day
    Mar 26, 2018 · PSD2 mandates the European Banking Authority ("EBA") with developing RTS on strong customer authentication ("SCA") and secure standards of ...<|separator|>
  50. [50]
    [PDF] PSD2: WHAT'S NEXT? - FIS
    As such, the European Banking Authority (EBA) announced in June 2019 that each country in the EEA could delay SCA implementation if they wished.Missing: states | Show results with:states
  51. [51]
    Three years since PSD2 marked the start of Open Banking, the UK ...
    Jan 13, 2021 · The legislation that enabled open banking in the UK took effect on 13 January 2018, when PSD2 came into effect. This meant regulated TPPs could ...
  52. [52]
    PS19/26: Brexit - Regulatory Technical Standards for Strong ...
    Following the completion of the EU-UK exit implementation period, the instruments set out in PS19/26 will come into force on the 31 December 2020. Technical ...
  53. [53]
    Response to discussion on RTS on strong customer authentication ...
    Response to discussion on RTS on strong customer authentication and secure communication under PSD2 ... Which challenges do you identify for fulfilling the ...
  54. [54]
    PSD2 regulation and compliance - Get ready with Thales
    Aug 5, 2024 · The core principles of the PSD2 RTS – i.e., Strong Customer Authentication (SCA), Secured Communication, Risk Management, and Transaction ...
  55. [55]
    EBA publishes Opinion on the deadline and process for completing ...
    Oct 16, 2019 · EBA publishes Opinion on the deadline and process for completing the migration to strong customer authentication (SCA) for e-commerce card-based ...Missing: rollout extensions
  56. [56]
    Strong customer authentication and coronavirus | FCA
    Apr 30, 2020 · Due to the Covid crisis, the deadline for strong customer authentication (SCA) implementation for e-commerce is extended to 14 September 2021. ...
  57. [57]
    What is PSD2 - Signifyd
    After 14 September 2021, any firm that fails to comply with the requirements for SCA will be subject to full FCA supervisory and enforcement action. Pursuant to ...Missing: impact | Show results with:impact<|separator|>
  58. [58]
    No general transition period granted in Sweden for implementation ...
    Sep 10, 2019 · Like in the rest of the EU, the PSD2 rules regarding SCA, as implemented within the Swedish payments legislation, will apply as of 14 September ...
  59. [59]
    Guidelines on security measures for operational and security risks ...
    The Guidelines have been developed in close cooperation with the European Central Bank (ECB), and are in support of the objectives of PSD2.Missing: high- extensions
  60. [60]
    EU And UK To Further Diverge In Key Payment Regulations In 2022
    According to the European Banking Authority (EBA), SCA has already had a tangible impact on fraud on the continent. In a report published in June 2021, the ...
  61. [61]
    [PDF] EBF-PSD2-Guidance-Final-v.120.pdf - European Banking Federation
    Jan 13, 2020 · This document provides guidance for banks on the interpretation and practical application of the revised Payment Services Directive (PSD2).
  62. [62]
    Deadline Extension for Strong Customer Authentication - Banfico
    Jul 26, 2021 · Across the EU, SCA has already gone live and the European Banking Authority (EBA), in contrast to the FCA, has ruled against more delays.Missing: rollout | Show results with:rollout
  63. [63]
    [PDF] 2024 REPORT ON PAYMENT FRAUD - European Banking Authority
    In particular fraud rates for card transactions acquired by PSPs outside the EEA for both SCA and non-SCA transactions were substantially higher than for other ...
  64. [64]
    [PDF] PSD2 And Strong Customer Authentication (SCA): An Issuer Guide
    Transactions out of scope for SCA include recurring transactions (after the first transaction has been authenticated), MOTO, one-leg-out transactions and direct.<|separator|>
  65. [65]
    Report on card fraud in 2020 and 2021 - European Central Bank
    In 2021 the total value of CNP fraud amounted to €1.28 billion (see Chart 2), showing a strong decline compared with 2020 (-12.1%). The majority of CNP fraud ...
  66. [66]
    [PDF] A study on the application and impact of Directive (EU) 2015/2366 ...
    Nov 3, 2024 · This study contributes to the review of the Directive (EU) 2015/2366 on Payment Services. (PSD2) by assessing whether the introduction of the ...
  67. [67]
    New Report Shows PSD2's Ongoing Impact in the Payment Space
    Jun 2, 2023 · Overall, the report estimates that consumers saved roughly €900 billion in fraud losses due to PSD2's improved customer protection measures. On ...
  68. [68]
    The impact of regulation on retail payments security: Evidence from ...
    Using a model for panel data, we estimate that SCA reduces the risk of fraud by 60 percent for remote payments made by card and by 80 percent for e-money ...
  69. [69]
    SCA study forecasts €57 billion loss in economic activity in Europe
    Jun 4, 2019 · Study conducted by 451 Research forecasts that Europe's online economy risks losing €57 billion as Strong Customer Authentication (SCA) is ...
  70. [70]
    The impact of Payment Services Directive 2 on the PayTech sector ...
    The results show that the adoption of PSD2 in November 2015 caused a rapid but temporary surge in PayTech start-ups in Europe. After national transpositions of ...
  71. [71]
    Maximizing TRA Exemptions To Minimize the PSD2 Revenue Hit
    Feb 12, 2019 · ... cart abandonment rates of roughly 10-20% for 3DS 1.0. The SCA requirement of PSD2 may help safety and security, but it will almost certainly ...
  72. [72]
    Prepare for Strong Customer Authentication (SCA) without impacting ...
    Mar 14, 2022 · ... SCA enforcement, with added customer checkout friction (41%) and increased cart abandonment rates (38%). SCA is designed to deter online ...
  73. [73]
  74. [74]
    The growth of biometric authentication under SCA | Paysafe
    Why fingerprint, facial, and voice recognition technology will improve conversion rates at the online checkout.
  75. [75]
    OTPs for customer authentication: Past their expiry date and holding ...
    OTPs are obsolete due to symmetric nature, reliance on browser-based communications, SMS vulnerability, and poor user experience with error-prone entry.
  76. [76]
    PSD2 and Strong Customer Authentication: Impacts on Conversion
    Apr 4, 2019 · Twenty six percent of customers will abandon their purchase if the checkout process is too long or too complicated. You've probably done this ...
  77. [77]
    [PDF] The Evolving Needs of Today's Marketplace - The Hive Network
    Implementation of Strong Customer Authentication. (SCA) in Europe has created complexity for some marketplaces. Conversion rates have dropped at times by 20%.<|separator|>
  78. [78]
    The State of Strong Customer Authentication - Chargeback Gurus
    Aug 23, 2021 · PSD2 was passed in 2015 and took effect in September 2019, but the deadline for implementation of the Strong Customer Authentication (SCA) ...Missing: date | Show results with:date
  79. [79]
    How Mobile Apps Can Cut the Drop-Off Rate in Sign-In Process
    Mar 24, 2021 · In our tests, SMS OTP 2FA takes anywhere from 15 seconds to up to 45 seconds, depending on how long it takes until the SMS arrives – if it ...Missing: SCA | Show results with:SCA
  80. [80]
    Failure to deliver: Your mobile onboarding is costing you users!
    Mar 3, 2021 · Using SMS OTP for mobile authentication causes up to 30% user drop-off. Learn why this legacy method causes delays – and what you can do ...Missing: SCA | Show results with:SCA
  81. [81]
    Guide to PSD2, Strong Customer Authentication & 3D Secure
    These three elements are inherence, possession, and knowledge. Or in other ... Article 8 of the technical standards refers to authentication elements that would ...
  82. [82]
    Uncertainty over UK implementation of PSD2 is stifling innovation ...
    Mar 9, 2016 · Uncertainty over the way the UK will implement the updated EU Payment Services Directive (PSD2) is stifling innovation, businesses have ...Missing: criticism | Show results with:criticism
  83. [83]
    Defending Fintechs or Defending the Past? Rethinking Regulation ...
    Sep 8, 2025 · Decades of groundwork via PSD1, PSD2 ... Over-regulation stifles innovation and burdens fintech competitiveness, ultimately hurting consumers.
  84. [84]
    PSD2 has made APP financial fraud worse: Here's how we solve it
    Sep 19, 2024 · Although SCA has effectively put a stop to one type of fraud (ATO), it's also led to a rise in social engineering attacks, ironically causing ...
  85. [85]
    The EBA opinion paper on new types of payment fraud - BioCatch
    SCA has successfully prevented ATO fraud alongside better transaction monitoring, but the bulk of the long-term drop in fraud numbers has come from credit ...<|separator|>
  86. [86]
    Q3 2025 Digital Trust Index: Account Takeover Fraud ... - Sift Science
    Fraudsters are doubling down on fintech & finance, where attacks surged 122% year-over-year (from 0.54% to 1.2%), exploiting the high value of financial ...
  87. [87]
    Beyond the Breach: 2024 Account Takeover Data & Insights - Sift
    Dec 20, 2024 · This year, 24% of consumers reported being victims of account takeover, up from 18% in 2023. The most commonly breached websites and apps ...
  88. [88]
    Response to discussion Paper on the EBA's preliminary ...
    A greater harmonisation among countries is also highly desirable to avoid that fraudsters take advantage from regulatory arbitrage. • The EBA GL 2020/01 ...
  89. [89]
    What Do the EU PSD3 Proposals Mean for the Payments Sector?
    Jul 5, 2023 · Changes to strong customer authentication and open banking requirements and introduction of a broad “open finance” regime. Requirement for ...
  90. [90]
    Delegated Authentication & Passkeys under PSD3 / PSR - Corbado
    May 6, 2025 · Learn about delegated strong customer authentication in PSD3 & PSR, how passkeys could fit, compliance shifts, and what's still undecided.
  91. [91]
    What You Really Need to Know About PSD3 - Endava
    PSD3 explicitly says that authentication can now be delegated to third parties. That could be a merchant, gateway/acquirer, marketplace or wallet, as long as ...
  92. [92]
    PSD3 / PSR Implications for Passkeys (SCA & Passkeys IV) - Corbado
    Apr 15, 2024 · Explore the impact of PSD3/PSR on SCA, focusing on passkey authentication and regulatory changes. Learn how PSD3 will enhance digital payments and security.
  93. [93]
    PSD3/PSR: Customer Authentication| ALLES LEGAL #109
    Aug 27, 2025 · From a technical angle, passkeys are increasingly recognised as SCA-compliant and could replace traditional passwords. Delegated authentication ...
  94. [94]
    PSD3 & PSR: What EU's New Payment Rules Mean for ... - Flagright
    Aug 25, 2025 · EBA is expected to update the Regulatory Technical Standards on SCA to refine exemption thresholds and require better fraud analytics for risk- ...
  95. [95]
    Shedding light on PSD3/PSR | Deloitte Luxembourg
    Jul 11, 2024 · With an expected 18-month transition period, EU Member States should be ready for the implementation of the PSD3 and PSR by around 2026.
  96. [96]
    EU institutions negotiate revised payments legislation
    Sep 29, 2025 · PSR transforms open banking, which was introduced by PSD2 and Commission Delegated Regulation (EU) 2018/389 on strong customer authentication ...
  97. [97]
  98. [98]
  99. [99]
    EBA publishes No Action letter on the interplay between Payment ...
    Jun 10, 2025 · The letter assesses the provisions set out in MiCA and PSD2 and advises NCAs under PSD2 to view the transfer of crypto assets as a payment service under PSD2.
  100. [100]
    4 Ways That PSD3 Will Improve SCA - Blog - Wultra
    Jun 11, 2024 · The proposed PSD3/PSR directive focuses on clarifying and improving how SCA requirements are applied in real-life scenarios.
  101. [101]
    Deploy FIDO Standards to Meet PSD2 SCA Requirements
    Sep 20, 2017 · With How Passkeys Work, you have an easy-to-deploy way to meet PSD2 SCA requirements, while meeting organizational and user demand for transaction convenience.
  102. [102]
    Outcome-Based Strong Customer Authentication with Passkeys
    May 1, 2025 · The European Union's Payment Services Directive (PSD2) introduced Strong Customer Authentication (SCA) using factors like knowledge, possession, ...
  103. [103]
  104. [104]
    Why Your Business Needs Risk-Based Authentication in 2024?
    Feb 8, 2024 · By dynamically adjusting authentication requirements based on contextual risk factors, RBA helps detect and prevent unauthorized access attempts ...
  105. [105]
    (PDF) Artificial intelligence-based risk management for the banking ...
    Sep 22, 2025 · Despite benefits, AI poses challenges like data privacy, algorithmic bias, and model interpretability. The study discusses ethical ...
  106. [106]
    Deadline extension for Strong Customer Authentication | FCA
    May 20, 2021 · The deadline for implementing Strong Customer Authentication (SCA) for e-commerce transactions has been extended to 14 March 2022.
  107. [107]
    SCA Confusion Over Member State Ramp Ups
    Apr 13, 2021 · Italy and Spain have struggled to adapt to the new compliance requirements set out by SCA, according to data released by the payments ...
  108. [108]
    Managing SCA enforcement changes in Europe - Stripe
    Jun 9, 2021 · SCA requirements are now fully enforced in almost all eligible European countries, signaling a massive shift in the European payment landscape.
  109. [109]
    [PDF] EPC065-19 EPC Board Decision Paper on Brexit v1.0 - 7 March.pdf
    Mar 7, 2019 · UK PSPs applied to maintain SEPA participation after Brexit. During the transition period, UK remains in SEPA. Post-Brexit, participation ...
  110. [110]
    [PDF] UK Finance Industry Guidance on Strong Customer Authentication ...
    Dec 15, 2020 · This guidance assists the UK finance industry in implementing strong customer authentication requirements under PSD2, which have been in place ...
  111. [111]
    FCA final rules concerning SCA in the event of a hard Brexit
    Oct 28, 2019 · Payment service providers must comply with the provisions of the UK-RTS in the event of a no-deal Brexit. In the event of a no-deal Brexit, ...
  112. [112]
    [PDF] How to keep payments safe and secure in a changing world
    In recent years, The Netherlands has enjoyed a significant decline in online banking and payment card fraud, partly because those parties with an important ...
  113. [113]
    [PDF] EBA CONSUMER TRENDS REPORT 2022/23
    Apr 24, 2023 · ... SCA has reduced fraud rates by 40% to 60%. Notwithstanding these achievements, the EBA articulated a large number of recommendations in its ...
  114. [114]
    The EBA and ECB release a joint report on payment fraud
    Aug 1, 2024 · The report assesses payment fraud reported by the industry across the European Economic Areas (EEA), which amounted to €4.3bn in 2022 and €2.0bn in the first ...
  115. [115]
    2025 global regulatory updates on strong authentication - OneSpan
    Jul 22, 2025 · The Council proposes to relax the Commission's requirement that strong customer authentication must not only rely on smart phones or smart ...
  116. [116]
    Strong Customer Authentication in the United States: When, Not If
    The Result: Although adoption of SCA will reduce card fraud and chargeback liability, SCA likely will add "friction" to the customer experience, which could ...
  117. [117]
    US 3D Secure Payment Authentication Market - Forecast to 2034
    The U.S. 3D secure payment authentication market size was valued at USD 393.61 million in 2024 and is projected to grow at a CAGR of 11.39% during 2025–2034.
  118. [118]
    Now, approve UPI payments with fingerprint, facial authentication
    Oct 7, 2025 · The government is introducing on-device biometric authentication and Aadhaar-based Face Authentication for UPI to make transactions simpler, ...
  119. [119]
    India to Enable Aadhaar-Linked Biometric UPI Payments - ID Tech
    Oct 7, 2025 · India will begin allowing Unified Payments Interface transactions to be authenticated through fingerprint or facial recognition tied to Aadhaar ...
  120. [120]
    UPI Is Set to Add Biometric Authentication for Real-Time Payments
    Oct 7, 2025 · India's Unified Payments Interface (UPI) is launching a feature that allows users to approve payments using a fingerprint or facial scan.
  121. [121]
    New Payments Platform (NPP) in Australia | Real-Time Payments
    Sep 1, 2025 · Explore how the New Payments Platform (NPP) is transforming payments in Australia. Learn its features, risks, and how banks can fight fraud ...
  122. [122]
    Next generation defence: Safer solutions in real time - Westpac IQ
    Aug 29, 2025 · Launched in 2018, Australia's New Payments Platform (NPP) now handles over 30% of transfers. One of the big advantages of the NPP is speed ...
  123. [123]
    3D Secure Payment Authentication Market Size, Share & Trends
    Visa Secure (3D Secure 2.0) reported $14.1 billion in total payment volume in FY2023, with fraud rates on Visa Secure transactions being 70% lower than non-3DS ...
  124. [124]
  125. [125]
    Trends in Payments, Clearing and Settlement Systems
    ... New Payments Platform (NPP). The NPP is a fast payments system that will ... rates of card fraud that are less than half of that observed in Australia.