Strong Customer Authentication: PSD2 Implementation Guide

12.07.2025

Strong Customer Authentication (SCA) requirements under PSD2 have fundamentally changed how payment authentication works. We provide a practical implementation guide for fintech platforms.

Understanding SCA

PSD2's Strong Customer Authentication requirement mandates that electronic payments use at least two independent authentication factors from three categories:

  • Knowledge: Something only the user knows (password, PIN)
  • Possession: Something only the user has (mobile device, hardware token)
  • Inherence: Something the user is (fingerprint, face recognition)

For fintech platforms processing payments, this means rethinking authentication flows to balance security requirements with user experience.

When SCA Applies

SCA is required when:

  • Initiating an electronic payment
  • Accessing payment account information online
  • Performing any action through a remote channel that may imply a risk of fraud

Exemptions to Know

Not every transaction requires SCA. Key exemptions include:

  • Low-value transactions: Under €30 (with cumulative limits)
  • Trusted beneficiaries: Recipients the payer has whitelisted
  • Recurring transactions: Same amount, same payee (after initial SCA)
  • Transaction Risk Analysis (TRA): Low-risk transactions based on fraud rates
  • Secure corporate payments: Dedicated B2B payment processes

Understanding exemptions is crucial—applying SCA unnecessarily damages conversion rates, while incorrectly claiming exemptions risks regulatory issues and liability shifts.
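The decision the paragraph above describes, written out as an added example (not code from the original guide): a function that picks the exemption to request, or returns null when SCA must run. The numeric limits and TRA bands are this example's reading of the PSD2 RTS and are assumptions to confirm against the current regulation and your acquirer's agreement; the `$txn` and `$payer` layouts and the `selectExemption` name are also assumptions. Whatever it returns is only a request: the issuer may still decline the exemption and answer with a challenge, and a transaction exempted on the acquirer's say-so carries the liability the text mentions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original guide. Limits and TRA bands are assumptions taken
// from the PSD2 RTS; confirm them against the current regulation and your acquirer's rules.
const LOW_VALUE_LIMIT_EUR      = 30.0;  // per-transaction ceiling
const LOW_VALUE_CUMULATIVE_EUR = 100.0; // cumulative amount allowed since the last SCA
const LOW_VALUE_MAX_COUNT      = 5;     // consecutive exempt transactions allowed since the last SCA
// Transaction Risk Analysis: the acquirer's reference fraud rate sets the amount it may exempt.
const TRA_BANDS = [
    ['max_amount' => 500.0, 'max_fraud_rate' => 0.0001], // 0.01%
    ['max_amount' => 250.0, 'max_fraud_rate' => 0.0006], // 0.06%
    ['max_amount' => 100.0, 'max_fraud_rate' => 0.0013], // 0.13%
];

/**
 * Decide which exemption to request for a card transaction, or null when SCA must run.
 * $txn   : ['amount' => float EUR, 'payee_id' => string, 'recurring' => bool]
 * $payer : ['trusted_payees' => string[], 'amount_since_sca' => float, 'count_since_sca' => int,
 *           'recurring_mandates' => [payee_id => agreed amount]]  (hypothetical platform records)
 * $fraudRate : your acquirer's reference fraud rate as a fraction (0.0005 = 0.05%)
 */
function selectExemption(array $txn, array $payer, float $fraudRate): ?string
{
    $amount = $txn['amount'];

    // Trusted beneficiary: the payer has whitelisted this payee.
    if (in_array($txn['payee_id'], $payer['trusted_payees'], true)) {
        return 'trustedBeneficiary';
    }

    // Recurring: same payee and same amount as the mandate that was set up under SCA.
    $mandates = $payer['recurring_mandates'];
    if (!empty($txn['recurring'])
        && isset($mandates[$txn['payee_id']])
        && abs($mandates[$txn['payee_id']] - $amount) < 0.005) {
        return 'recurring';
    }

    // Low value: the per-transaction limit AND the cumulative limits since the last SCA.
    if ($amount <= LOW_VALUE_LIMIT_EUR
        && $payer['amount_since_sca'] + $amount <= LOW_VALUE_CUMULATIVE_EUR
        && $payer['count_since_sca'] + 1 <= LOW_VALUE_MAX_COUNT) {
        return 'lowValue';
    }

    // TRA: the first band whose fraud-rate ceiling you meet and whose amount ceiling covers the transaction.
    foreach (TRA_BANDS as $band) {
        if ($fraudRate <= $band['max_fraud_rate'] && $amount <= $band['max_amount']) {
            return 'tra';
        }
    }

    return null; // no exemption applies: send the transaction through 3DS2
}

// Constructed sample state: the payer has spent EUR 80 over 2 transactions since their last SCA.
$payer = [
    'trusted_payees'     => ['merchant-A'],
    'amount_since_sca'   => 80.0,
    'count_since_sca'    => 2,
    'recurring_mandates' => ['gym-B' => 29.99],
];
$cases = [
    ['amount' => 150.00, 'payee_id' => 'merchant-A', 'recurring' => false], // whitelisted payee
    ['amount' => 29.99,  'payee_id' => 'gym-B',      'recurring' => true],  // matches the gym mandate
    ['amount' => 15.00,  'payee_id' => 'shop-C',     'recurring' => false], // 80 + 15 stays within the cumulative limit
    ['amount' => 25.00,  'payee_id' => 'shop-C',     'recurring' => false], // 80 + 25 exceeds the cumulative limit
    ['amount' => 400.00, 'payee_id' => 'shop-D',     'recurring' => false], // above what a 0.05% fraud rate may exempt
];
foreach ($cases as $txn) {
    printf("%-10s %7.2f -> %s\n", $txn['payee_id'], $txn['amount'],
        selectExemption($txn, $payer, 0.0005) ?? 'SCA required');
}
```

The order of the checks matters: trusted-beneficiary and recurring exemptions do not consume the low-value cumulative budget, so they are tried first, and the counters in `$payer` are only advanced when a low-value exemption is actually used.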

3D Secure 2 Implementation

For card payments, 3DS2 is the primary SCA mechanism. Key implementation considerations:

Frictionless Flow

3DS2 supports "frictionless" authentication where the issuer approves based on risk assessment without customer interaction. This happens when:

  • Device fingerprint matches known patterns
  • Transaction characteristics are low-risk
  • Issuer's fraud models give high confidence

<?php
// Example 3DS2 authentication request (PHP array, serialised to JSON for the 3DS server).
// $request is the framework's incoming HTTP request object (e.g. a Laravel Request),
// which exposes header(), ip() and userAgent(); the browser fields must describe the
// cardholder's browser, not your server.
$threeDsRequest = [
    'threeDSCompInd' => 'Y', // 3DS Method completed in the browser
    'browserInfo' => [
        'browserAcceptHeader' => $request->header('Accept'),
        'browserIP' => $request->ip(),
        'browserLanguage' => 'en-GB', // take this from the browser in production
        'browserUserAgent' => $request->userAgent(),
        // Additional browser data...
    ],
    'acctInfo' => [
        'chAccAgeInd' => '04', // Account age indicator
        'chAccChange' => '20240115', // Last account change (YYYYMMDD)
        'nbPurchaseAccount' => 12, // Purchases in last 6 months
    ],
];

Challenge Flow

When frictionless authentication isn't possible, the customer faces a "challenge"—typically a one-time password sent to their mobile or biometric verification in their banking app. Your UI must:

  • Handle the redirect to the issuer's authentication page
  • Display embedded challenges (iframes) correctly
  • Manage timeouts and failures gracefully
  • Resume the payment flow upon successful authentication
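How the four points above come together on the server side, as an added example (not code from the original guide): the handler that receives the authentication result from your 3DS server, checks that it belongs to the session that started it, applies a timeout, and maps the EMV 3DS `transStatus` value to one of four actions so the UI never lands on a dead end. The `transStatus` values are the standard ones; the session layout, the result layout, `handleAuthResult` and `ThreeDsOutcome` are assumptions for this example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original guide. transStatus values are the EMV 3DS ones;
// the session layout, result layout and ThreeDsOutcome names are assumptions for this example.
final class ThreeDsOutcome
{
    public const AUTHORISE = 'authorise'; // continue to authorisation with ECI + CAVV
    public const CHALLENGE = 'challenge'; // render the issuer's challenge (redirect or iframe)
    public const DECLINE   = 'decline';   // stop: issuer refused, or the result cannot be trusted
    public const RETRY     = 'retry';     // offer another method or a fresh attempt, not a dead end
}

/**
 * $session : ['threeDSServerTransID' => string, 'startedAt' => int] stored server-side
 *            when the authentication request was sent.
 * $result  : decoded result from your 3DS server (ARes or challenge result), e.g.
 *            ['threeDSServerTransID' => ..., 'transStatus' => 'Y', 'eci' => '05', 'authenticationValue' => '...']
 * $now     : current Unix time, passed in so the function is easy to test.
 */
function handleAuthResult(array $session, array $result, int $now, int $timeoutSeconds = 600): array
{
    // Bind the result to the session that started it: a missing or foreign transaction ID
    // is never treated as a successful authentication.
    if (($result['threeDSServerTransID'] ?? null) !== $session['threeDSServerTransID']) {
        return ['action' => ThreeDsOutcome::DECLINE, 'reason' => 'transaction ID mismatch', 'auth' => null];
    }
    // Challenge windows expire; a late result gets a fresh attempt rather than an authorisation.
    if ($now - $session['startedAt'] > $timeoutSeconds) {
        return ['action' => ThreeDsOutcome::RETRY, 'reason' => 'authentication timed out', 'auth' => null];
    }

    switch ($result['transStatus'] ?? '') {
        case 'Y': // authenticated (frictionless, or after a successful challenge)
        case 'A': // attempt acknowledged by issuer/scheme; treated as authenticated here (check scheme rules)
            if (empty($result['eci']) || empty($result['authenticationValue'])) {
                return ['action' => ThreeDsOutcome::DECLINE, 'reason' => 'missing ECI or CAVV', 'auth' => null];
            }
            return ['action' => ThreeDsOutcome::AUTHORISE, 'reason' => 'authenticated',
                    'auth' => ['eci' => $result['eci'], 'cavv' => $result['authenticationValue']]];
        case 'C': // challenge required
        case 'D': // decoupled authentication: the issuer confirms out of band, keep the session open
            return ['action' => ThreeDsOutcome::CHALLENGE, 'reason' => 'issuer requires a challenge', 'auth' => null];
        case 'N': // not authenticated
        case 'R': // rejected by the issuer; do not retry with the same data
            return ['action' => ThreeDsOutcome::DECLINE, 'reason' => 'issuer declined authentication', 'auth' => null];
        case 'U': // authentication could not be performed (technical problem)
        default:  // unknown status: never authorise on a value you do not understand
            return ['action' => ThreeDsOutcome::RETRY, 'reason' => 'authentication unavailable', 'auth' => null];
    }
}

// Constructed sample: an ARes that requires a challenge, then the challenge result.
$session = ['threeDSServerTransID' => 'f9c1a0d2-example', 'startedAt' => 1700000000];
$ares = ['threeDSServerTransID' => 'f9c1a0d2-example', 'transStatus' => 'C'];
$cres = ['threeDSServerTransID' => 'f9c1a0d2-example', 'transStatus' => 'Y',
         'eci' => '05', 'authenticationValue' => 'constructed-cavv-base64'];
foreach ([$ares, $cres] as $r) {
    $out = handleAuthResult($session, $r, 1700000120);
    echo $r['transStatus'], ' -> ', $out['action'], ' (', $out['reason'], ")\n";
}
```

The design choice worth noting is that every unrecognised or incomplete result falls to DECLINE or RETRY, never to AUTHORISE: the only path to authorisation is a matching transaction ID, an in-time result, a Y or A status, and both the ECI and the authentication value present for the authorisation message.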

Open Banking and SCA

For payment initiation via Open Banking, SCA is delegated to the customer's bank (ASPSP). Your role is to:

  • Initiate the authentication redirect
  • Handle the callback with authentication result
  • Manage the consent lifecycle

This simplifies SCA implementation since the bank handles the authentication mechanics, but introduces dependency on bank UX quality and availability.
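The three responsibilities listed above, as an added example (not code from the original guide and not any bank's API): the redirect to the ASPSP carries an unguessable, single-use `state` that is bound to the consent, the callback is accepted only when that state is known, unused and fresh, and a payment consent can be consumed only once. `$store` is an in-memory stand-in for your database; the query parameter names, the status constants and the function names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original guide and not any bank's API. $store stands in
// for your database; the query parameter names and status names are assumptions.
const CONSENT_AWAITING   = 'awaitingAuthorisation';
const CONSENT_AUTHORISED = 'authorised';
const CONSENT_REJECTED   = 'rejected';
const CONSENT_EXPIRED    = 'expired';
const CONSENT_CONSUMED   = 'consumed'; // single-payment consent has been used

/** Step 1: build the redirect and remember an unguessable, single-use state for it. */
function buildRedirect(array &$store, string $consentId, string $authEndpoint, int $now): string
{
    $state = bin2hex(random_bytes(16));
    $store[$state] = ['consentId' => $consentId, 'status' => CONSENT_AWAITING,
                      'createdAt' => $now, 'used' => false];
    return $authEndpoint . '?' . http_build_query(['consent_id' => $consentId, 'state' => $state]);
}

/**
 * Step 2: validate the callback the bank returns the customer with.
 * Returns the consent ID when the consent is now authorised, or null when the callback is rejected.
 */
function handleCallback(array &$store, array $query, int $now, int $maxAgeSeconds = 300): ?string
{
    $state = (string) ($query['state'] ?? '');
    if ($state === '' || !isset($store[$state]) || $store[$state]['used']) {
        return null; // unknown, forged or replayed state: ignore the callback
    }
    $entry = &$store[$state];
    $entry['used'] = true; // consumed even if the remaining checks fail

    if ($now - $entry['createdAt'] > $maxAgeSeconds) {
        $entry['status'] = CONSENT_EXPIRED; // customer took too long at the bank: start over
        return null;
    }
    if (($query['error'] ?? '') !== '') {
        $entry['status'] = CONSENT_REJECTED; // customer cancelled or the bank declined
        return null;
    }
    $entry['status'] = CONSENT_AUTHORISED;
    return $entry['consentId'];
}

/** Step 3: a payment consent is used once; refuse a second initiation on the same consent. */
function consumeConsent(array &$store, string $consentId): bool
{
    foreach ($store as &$entry) {
        if ($entry['consentId'] === $consentId && $entry['status'] === CONSENT_AUTHORISED) {
            $entry['status'] = CONSENT_CONSUMED;
            unset($entry);
            return true;
        }
    }
    unset($entry);
    return false;
}

// Constructed walk-through: redirect, successful callback, replayed callback, double use.
$store = [];
$url = buildRedirect($store, 'consent-123', 'https://bank.example/authorise', 1700000000);
parse_str(parse_url($url, PHP_URL_QUERY), $params);     // what the customer's browser carries to the bank
$callback = ['state' => $params['state']];               // what the bank sends back on success
var_dump(handleCallback($store, $callback, 1700000060)); // the consent is authorised
var_dump(handleCallback($store, $callback, 1700000061)); // the same state a second time is rejected
var_dump(consumeConsent($store, 'consent-123'));         // first payment initiation
var_dump(consumeConsent($store, 'consent-123'));         // second initiation on the same consent is refused
```

The status field is what the dependency on the bank's availability shows up in: a consent stuck in `awaitingAuthorisation` past its age limit is the signal to surface a retry or an alternative method to the customer rather than leave the payment hanging.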

Optimising for Conversion

SCA inevitably adds friction. To minimise conversion impact:

  • Use exemptions appropriately: Apply TRA exemptions when your fraud rates qualify
  • Optimise 3DS2 data: Rich data improves frictionless approval rates
  • Mobile-first design: Ensure authentication flows work smoothly on mobile
  • Clear communication: Explain why authentication is needed and what to expect
  • Fallback handling: When SCA fails, offer alternatives rather than dead ends

Monitoring and Compliance

Track key metrics to ensure SCA is working correctly:

  • SCA challenge rate (aim to minimise)
  • Challenge success rate (identify friction points)
  • Exemption usage and approval rates
  • Fraud rates by authentication method
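The four metrics above computed from authentication events, as an added example (not code from the original guide). The event record layout, one row per authentication attempt with the fraud flag joined on later from chargeback data, and the `scaMetrics` name are assumptions; each rate is returned with its denominator so the numbers can be audited.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original guide. The event record layout is an assumption:
// one row per authentication attempt, with the fraud flag joined on later from chargeback data.

/** Rate as a fraction (0.25 = 25%), or null when the denominator is zero. */
function safeRate(int $numerator, int $denominator): ?float
{
    return $denominator > 0 ? $numerator / $denominator : null;
}

/**
 * $events: each ['method' => string ('3ds2' | 'openBanking' | 'exempt'), 'exemption' => ?string,
 *   'exemptionAccepted' => bool, 'challenged' => bool, 'challengeSucceeded' => bool, 'fraud' => bool]
 */
function scaMetrics(array $events): array
{
    $total = count($events);
    $challenged = 0;
    $challengeOk = 0;
    $exemptions = []; // name => ['requested' => n, 'accepted' => n]
    $methods = [];    // method => ['count' => n, 'fraud' => n]

    foreach ($events as $e) {
        if ($e['challenged']) {
            $challenged++;
            if ($e['challengeSucceeded']) {
                $challengeOk++;
            }
        }
        if ($e['exemption'] !== null) {
            $x = $e['exemption'];
            $exemptions[$x]['requested'] = ($exemptions[$x]['requested'] ?? 0) + 1;
            $exemptions[$x]['accepted']  = ($exemptions[$x]['accepted'] ?? 0) + ($e['exemptionAccepted'] ? 1 : 0);
        }
        $m = $e['method'];
        $methods[$m]['count'] = ($methods[$m]['count'] ?? 0) + 1;
        $methods[$m]['fraud'] = ($methods[$m]['fraud'] ?? 0) + ($e['fraud'] ? 1 : 0);
    }

    $exemptionRates = [];
    foreach ($exemptions as $name => $c) {
        $exemptionRates[$name] = ['requested' => $c['requested'],
                                  'acceptanceRate' => safeRate($c['accepted'], $c['requested'])];
    }
    $fraudByMethod = [];
    foreach ($methods as $name => $c) {
        $fraudByMethod[$name] = ['count' => $c['count'], 'fraudRate' => safeRate($c['fraud'], $c['count'])];
    }

    return [
        'attempts'             => $total,
        'challengeRate'        => safeRate($challenged, $total),      // share of attempts that hit a challenge
        'challengeSuccessRate' => safeRate($challengeOk, $challenged), // of those challenged, how many completed
        'exemptions'           => $exemptionRates,
        'fraudByMethod'        => $fraudByMethod,
    ];
}

// Constructed sample events.
$events = [
    ['method' => '3ds2',        'exemption' => null,       'exemptionAccepted' => false, 'challenged' => true,  'challengeSucceeded' => true,  'fraud' => false],
    ['method' => '3ds2',        'exemption' => null,       'exemptionAccepted' => false, 'challenged' => true,  'challengeSucceeded' => false, 'fraud' => false],
    ['method' => '3ds2',        'exemption' => null,       'exemptionAccepted' => false, 'challenged' => false, 'challengeSucceeded' => false, 'fraud' => false],
    ['method' => 'exempt',      'exemption' => 'tra',      'exemptionAccepted' => true,  'challenged' => false, 'challengeSucceeded' => false, 'fraud' => true],
    ['method' => '3ds2',        'exemption' => 'tra',      'exemptionAccepted' => false, 'challenged' => true,  'challengeSucceeded' => true,  'fraud' => false],
    ['method' => 'exempt',      'exemption' => 'lowValue', 'exemptionAccepted' => true,  'challenged' => false, 'challengeSucceeded' => false, 'fraud' => false],
    ['method' => 'openBanking', 'exemption' => null,       'exemptionAccepted' => false, 'challenged' => true,  'challengeSucceeded' => true,  'fraud' => false],
];
print_r(scaMetrics($events));
```

A declined exemption appears in the sample as a 3DS2 row with `exemption` set and `exemptionAccepted` false, which is how the issuer's rejection shows up in the acceptance rate while the transaction still counts toward the challenge rate; the per-method fraud rates are the figures to compare against the thresholds your TRA exemptions depend on.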

Conclusion

SCA requirements add complexity to payment flows, but with careful implementation, the impact on user experience can be minimised. Understanding exemptions, optimising 3DS2 data collection, and monitoring authentication metrics are key to balancing security requirements with commercial performance.