Strong customer authentication (SCA) was introduced across the European Economic Area (EEA) as a requirement of the revised Payment Services Directive (PSD2), which came into force on September 14, 2019, and the supporting regulatory technical standards (RTS). The requirement ensures that electronic payments are performed with multi-factor authentication to increase their security.
According to EU regulations, SCA is an authentication based on the use of two or more independent elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is). The elements are independent in that the breach of one does not compromise the reliability of the others, and the authentication procedure is designed to protect the confidentiality of the authentication data.
PSD2 requires all member states to ensure that payment service providers apply SCA where the payer:
- Accesses its payment account online.
- Initiates an electronic payment transaction.
- Carries out any action through a remote channel, which may imply a risk of payment fraud or other abuses.
The bigger picture
The implementation of SCA can be said to have had various successes:
- Reduction of fraud, especially in relation to card payments. A report issued in August 2024 by the European Banking Authority (EBA) and the European Central Bank (ECB) found that card fraud risk was lower for transactions within the EEA owing to the mandatory application of strong customer authentication. The report confirmed the effectiveness of the SCA requirements, particularly in protecting against card fraud.
- High readiness for compliance with the SCA requirements, which implies that implementing SCA did not significantly disrupt how transactions were conducted. A report on payment service providers' readiness to apply SCA showed that:
  - 99 percent of EU merchants were able to support SCA.
  - 94 percent of all payment cards in the EU were SCA-enabled.
  - 82 percent of all payment service users were enrolled in an SCA solution.
  - 92 percent of e-commerce card-based authentication requests reported by acquirers were compliant with the SCA requirements.
  - 87 percent of initiated e-commerce card-based payment transactions reported by issuers complied with the SCA requirements.
- Continuous clarifications and guidance on the application of SCA. To help reduce uncertainty, the EBA has published, and continues to publish, clarifications in the form of Q&As on how SCA applies in various contexts, such as digital wallets and the initiation of payment transactions with digitised versions of payment cards.
Although the introduction of SCA in PSD2 was generally welcomed, as it created a framework for regulating payment security, it fell short in practical implementation. Several discrepancies emerged, such as inconsistent implementation across the EU due to the complexity of complying with all parts of the regulatory technical standards (RTS), ambiguity over definitions and exemptions, and friction in the customer experience during authentication.
Four years on from the introduction of SCA, in 2023 the European Commission put forward proposals to foster a more secure and accessible payment environment, aligned with evolving consumer expectations and technological advances in the European payment ecosystem, under the proposed third Payment Services Directive (PSD3) and the proposed Payment Services Regulation (PSR). As PSD2 is a directive, ambiguity arose in its transposition across member states; the PSR aims to address this by making its provisions directly applicable and limiting the scope for interpretation.
The proposals for PSD3 and the PSR further improve consumer protection and competition in electronic payments and empower consumers to share their data securely so that they can access a wider range of better and cheaper financial products and services. The proposals place consumers' interests, competition, security and trust at their centre.
PSD3 and the PSR aim to build on and improve SCA by clarifying key definitions, further specifying exemptions for low-risk transactions and continuing to balance security with the development of user-friendly, innovative and accessible means of payment. The SCA requirements introduced in PSD2 could be perceived as very high-level, failing to consider the practical implications and relying heavily on the complex technical standards. The proposed changes respond to areas where PSD2 and the current RTS left ambiguities or where implementation diverged and caused friction. Under the PSR, PSPs will be required to apply SCA where the payer:
- Accesses its payment account online.
- Accesses payment account information.
- Places a payment order for an electronic payment transaction.
- Carries out any action through a remote channel, which may imply a risk of payment fraud or other abuses.
Key clarifications and proposed changes under the PSR include:
- The introduction of new definitions for merchant-initiated transactions and mail order or telephone orders.
- A distinct requirement for SCA to be applied when the initial mandate for merchant-initiated transactions is set up, with no need to apply SCA to the subsequent transactions; this was previously introduced under the technical standards as an exemption from SCA and was not referenced in PSD2.
- More precise definitions of remote payment transactions, which were introduced under PSD2, have been streamlined further to allow a clearer delineation of "initiation of a payment transaction" and "remote initiation of a payment transaction".
- The introduction of distinct, detailed SCA requirements for payment initiation and account information services, as these were not fleshed out under PSD2.
- The introduction of accessibility requirements, requiring authentication methods that are accessible to customers including those with disabilities, the elderly and others who do not have access to standard digital authentication methods. These align with the European Accessibility Act, which entered into force on June 28, 2025, as discussed in Regulatory Influencer: EU Accessibility Act - What Does It Really Mean?.
Why should you care?
Although the texts of PSD3 and the PSR have not yet been finalised and are still in trilogue negotiations until the end of 2025, payment service providers and merchants should begin to adapt to the proposed changes, as they are substantial and affect compliance, technology, risk management and customer experience.
PSPs and merchants must proactively adapt their systems, processes and customer flows to prepare for the new SCA requirements. The proposed rules aim to improve security, further reduce fraud and clarify ambiguities from PSD2, but they also introduce new expectations and potential complexities; therefore, PSPs and merchants should:
- Monitor the legislative progress: although the European Council has agreed to the texts of PSD3 and the PSR, entities should keep abreast of the latest developments, especially regarding the directive's and regulation's entry into force and applicability.
- Perform a gap analysis of the current SCA set-up, auditing current SCA methods and identifying flows that may rely on outdated exemptions.
- Understand what is changing in SCA under PSD3 and the PSR, and review and update SCA policies to align with the new clarifications, such as merchant-initiated transactions, mail-order and telephone orders, and the dynamic linking to the payee and transaction amount.
- Account information service providers and payment initiation service providers should ensure that they have SCA policies in place.
- Plan for inclusive SCA options accessible to the elderly, those with disabilities and digitally excluded users.
- Payment service providers should assess and test possible SCA outsourcing agreements with third parties, such as digital wallet providers.
- Prepare for the potential relaxation of the rule on using two categories for authentication and assess the possible security implications.
- Improve customer experience around authentication and consent by reviewing and redesigning checkout flows to reduce authentication friction and ensure clear user messaging around authentication steps, especially during merchant-initiated transactions or open banking flows.
- Remember that PSD3 is a directive that needs to be transposed into national law, which may vary from country to country, and that the PSR is a regulation that is directly applicable across all EU countries without national interpretation.
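As an added illustration, not code from the original article, the following Python example checks the two points a PSP's SCA policy has to get right: the definition above (two or more elements from different categories, so two knowledge elements do not count) and the dynamic linking of the authentication code to the payee and amount mentioned in the list. The category names, the HMAC-SHA256 construction and the sample transaction are assumptions made here for illustration.

```python
import hashlib
import hmac
from decimal import Decimal

# The three element categories named in the regulation.
CATEGORIES = {"knowledge", "possession", "inherence"}


def verified_categories(elements):
    """elements: list of (category, verified) pairs, one per element
    the payer presented. Only successfully verified elements count."""
    return {cat for cat, ok in elements if ok and cat in CATEGORIES}


def meets_sca(elements):
    """SCA needs two or more elements from *different* categories:
    a password plus a security question are both 'knowledge' and fail."""
    return len(verified_categories(elements)) >= 2


def authentication_code(session_key, payee, amount):
    """Authentication code dynamically linked to payee and amount.
    HMAC-SHA256 over both values is an assumption for illustration; the
    RTS only requires that the code be specific to the payee and amount."""
    message = f"{payee}|{Decimal(amount):.2f}".encode()
    return hmac.new(session_key, message, hashlib.sha256).hexdigest()


def verify_dynamic_link(session_key, code, payee, amount):
    """True only if the code was produced for this exact payee and amount."""
    expected = authentication_code(session_key, payee, amount)
    return hmac.compare_digest(code, expected)


if __name__ == "__main__":
    # Constructed sample data, not taken from any real payment.
    key = b"constructed-session-key"
    payee, amount = "PAYEE-IBAN-PLACEHOLDER", "120.00"
    code = authentication_code(key, payee, amount)

    # Password plus one-time code from the registered device: two categories.
    print(meets_sca([("knowledge", True), ("possession", True)]))
    # Password plus security question: both knowledge, so not SCA.
    print(meets_sca([("knowledge", True), ("knowledge", True)]))

    print(verify_dynamic_link(key, code, payee, amount))
    # Amount altered after authentication: the linked code no longer verifies.
    print(verify_dynamic_link(key, code, payee, "1200.00"))
```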
Next steps
The European Council, the European Parliament and the Council of Europe have approved both the PSD3 and the PSR texts. The next step of the legislative process is the inter-institutional negotiation between all three institutions to reach the final texts, which will then need to be adopted by the Parliament and the Council. However, various factors within the legislative process may cause further delays, so the timing of the implementation of PSD3 and the PSR is still unclear and could be some way off.