Ultimate Guide to PSD2 SCA (Strong Customer Authentication)

Covery Blog / Antifraud, Chargeback prevention, Covery, Fraud prevention, Tips / Ultimate Guide to PSD2 SCA (Strong Customer Authentication)

Ultimate Guide to PSD2 SCA (Strong Customer Authentication)

While PSD2 (Payment Service Directive 2nd edition) for EU businesses was passed in 2015, some aspects of its implementation are due in 2022. This means all businesses operating in the EU (or working with European customers) still have time to ensure PSD2 compliance and avoid paying hefty fees.

SCA or Strong Customer Authentication is one of the key requirements of PSD2. Our recent article briefly explained the difference and relations between PSD2, SCA, and 3D Secure. Now it’s time to cover in more detail how SCA works and why you must implement it before September 2022.

As enterprise-grade risk management and fraud prevention platform, Covery has in-depth experience in fighting all kinds of fraud and ensuring regulatory compliance for our customers. Covery is PSD2 compliant and we have already implemented SCA and 3DS capabilities into our platform. Read on to learn how to use it to benefit your business.  

What does SCA stand for in PSD2?

SCA is an authentication method involving a combination of two or more things a customer KNOWS (a PIN code or a secret question), a customer HAS (a mobile device or email), and something a customer IS (biometrics like fingerprints or retina scans). SCA is required when both the issuer and the acquirer banks are in the EEA. When only one of these entities is in the EU, SCA is possible but not required, a so-called “one leg out” situation. 

As a part of PSD2, SCA is intended to curb the growth of fraud in the EU and worldwide. Non-compliance with SCA will result in increased decline rates and a reduction in conversion, so it’s best to implement SCA capabilities for your business beforehand.

What are SCA and 2FA?

While SCA might look similar to 2FA or 2-factor authentication and follow the same logic, these are not necessarily one and the same. 2FA is a particular case of MFA (multi-factor authentication) that mostly requires you to have access both to your credentials (something you KNOW) and the mobile device you HAVE (to receive a one-time password or OTP in SMS). As it stands, it does not cover any aspect of what you ARE (though the fingerprint and retina scan technology are being actively developed). 

What is an example of SCA?

To ensure SCA compliance, every transaction initiated by your customer must be verified by at least two elements related to possessioninherence, and knowledge (one from any of the two, or more).

For example, knowledge elements can include:

  • PIN
  • Password
  • Passphrase
  • Secret question
  • Memorized visual elements, like a swiping path on a mobile device.

At the same time, an email address, OTP details, and credit card details do not count as a reliable authentication element for knowledge.

When we talk about inherence elements, we can mention:

  • Voice pattern
  • Fingerprint
  • Retina and/or iris scans
  • Face scans

There also are more exotic elements like vein recognition, keystroke records, heart rate records, etc. These are not widespread as of yet but are already listed to support future technology advances.

However, a memorized swipe path or 3DS2 details like OTP do not count as inherence elements.

To speak of possession, there are things like:

  • OTP sent to a device
  • SSH token generated by a device
  • QR scans or TAN scans of a credit card 
  • Card reader scans
  • Dynamic card security codes
  • App or browser binding with a device evidenced through a chip or private key.

The printed OTP list, printed card details, and random app installed on a device don’t count as sufficient possession elements.

As you can see, there is quite a wide variety of elements that comply with PSD2 SCA regulations, which should bolster the growth of the software ecosystem used to ensure the safety of transactions in the EU.


PSD2 compliance and SCA implementation are crucial for the long-term success of any business operating in the EU. You can invest in creating your own anti-fraud software compliant with PSD2 requirements or go for a reliable anti-fraud system like Covery, which will ensure this compliance from the get-go.

Covery is ISO 27001, GDRP, and PSD2 compliant and provides support for SCA, 3DS 2, and 2FA for your transaction processing and monitoring activities. However, this is just the tip of the iceberg. To learn the full range of services you can get with Covery — order a free demo!