Strong Customer Authentication (SCA)

Wed 27 February 2019


On September 14, 2019, a new regulation for authentication will be introduced in Europe. Known as Strong Customer Authentication (SCA), this regulation will apply to online payments within the European Economic Area (EEA) where the cardholder’s bank and the business’s payment provider are both in the EEA. Some businesses outside of Europe may also be impacted depending on how European issuers implement the new authentication rules.

In order to stop the rise of fraud, the European Union is introducing new regulation that will require European businesses to implement even stricter authentication flows into their payment experience. Known as Strong Customer Authentication (SCA), this regulation is part of a broader European payments law, the second Payment Services Directive (PSD2).

SCA requires that businesses use two independent authentication elements to verify payments. Transactions that don’t meet these new authentication requirements or qualify for any exemption may be declined starting September 14, 2019. 3D Secure 2—the new version of 3D Secure rolling out in 2019—will be the primary authentication method used to meet SCA requirements for card payments.

What is Strong Customer Authentication?

Strong Customer Authentication is a new mandatory requirement for authenticating online payments that will be introduced in Europe on September 14, 2019. It will require payments to be authenticated using at least two of the following three elements:




For example a password, PIN or an answer to a security question that is only known to the customer. Card data is not considered a valid knowledge factor For example, a hardware or software token whether using a mobile phone or two factor authentication key that you have in your possession. For example, a biometric fingerprint, facial recognition (i.e. FaceID) or optical scans.

As of September 14, 2019, unauthenticated payments that require SCA will be declined by the customer's bank. 

The new version of the 3D Secure authentication standard is being rolled out in 2019 and will be the main method for authenticating card payments to meet these requirements. CityPay are in the process of accrediting with the all Acquirers with version 2.2.0 of the standard in early 2019.

Additional payment methods such as ApplePay already use additional layers of authentication and are expected to already meet these guidelines.

Which transactions will require Strong Customer Authentication?

Strong Customer Authentication will apply to customer initiated online payments within Europe. Recurring and continuous authority transactions will not require SCA.

A card payment will be in scope of the regulation if the cardholder’s bank and the business’s payment provider are both located in the European Economic Area (EEA).  

This exemption will apply when the customer makes a series of recurring payments for the same amount to the same business. SCA will be required for the customer’s first payment to the business, but not for subsequent payments.

How is CityPay helping you to prepare for Strong Customer Authentication?

CityPay are building solutions to help you navigate this complex regulation and offer better authentication experiences to the end card holder. Paylink 3 customers will automatically be upgraded to 3D Secure version 2 when this is available. During the migration period transactions will be assessed to be upgraded dynamically from 3D Secure 1 to 3D Secure 2.

PayPOST integrations will also dynamically work however there is work in progress to upgrade to a new 6.0 of the API.

+44 (0)1534 884000