PSD2 (Strong Customer Authentication)
Payment Services Directive 2 and the SCA Regulatory Technical Standards (Delegated Regulation (EU) 2018/389)
PSD2 modernized EU payment services and introduced Strong Customer Authentication (SCA) to reduce fraud in electronic payments. The SCA technical standards applied from 14 September 2019. SCA requires verifying the payer using at least two independent authentication factors, plus dynamic linking for transactions.
Jurisdiction: 🇪🇺 European Union
Type: Payments authentication
In effect: 2019
Authority: European Banking Authority (EBA) and national competent authorities
Who it applies to
Payment service providers such as banks and payment institutions, and the merchants and platforms that process electronic payments and account access for customers in the EU.
Identity requirements
- Apply Strong Customer Authentication using at least two of knowledge, possession, and inherence factors
- Ensure the authentication factors are independent so breach of one does not compromise others
- Implement dynamic linking that ties an authentication code to a specific amount and payee
- Apply SCA when a payer accesses a payment account online or initiates an electronic payment
- Use defined SCA exemptions (such as low value or low risk) only within the permitted limits
- Secure the communication and authentication channels against interception and replay
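The dynamic linking and replay requirements above can be illustrated with a short sketch. This is an added example, not text from the regulation or code from any payment scheme; the HMAC-SHA256 construction, the single-use challenge, and all names and sample values are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
from decimal import Decimal

def _canonical(amount: str, currency: str, payee: str, challenge: bytes) -> bytes:
    """Length-prefix every field so no two transactions share an encoding."""
    value = Decimal(amount)
    if value != value.quantize(Decimal("0.01")):
        raise ValueError("amount has more than two decimal places")
    fields = [
        str(value.quantize(Decimal("0.01"))).encode(),  # "10" and "10.00" are equal
        currency.upper().encode(),
        payee.replace(" ", "").upper().encode(),        # normalised payee account
        challenge,
    ]
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)

def auth_code(key: bytes, amount: str, currency: str, payee: str,
              challenge: bytes) -> str:
    """Code computed on the payer's device after showing amount and payee."""
    msg = _canonical(amount, currency, payee, challenge)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Verifier:
    """Server side: issues single-use challenges and checks the bound code."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = set()

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self._pending.add(challenge)
        return challenge

    def verify(self, code: str, amount: str, currency: str, payee: str,
               challenge: bytes) -> bool:
        if challenge not in self._pending:
            return False                    # unknown or already used: replay
        self._pending.discard(challenge)    # consumed on first attempt
        expected = auth_code(self._key, amount, currency, payee, challenge)
        return hmac.compare_digest(expected, code)
```

A code computed for one amount and payee fails verification if either value is changed before execution, and the same code cannot be submitted twice.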
How it impacts identity systems
| Identity area | Impact |
|---|---|
| Authentication & MFA | Mandates two-factor strong customer authentication with independent factors for payments and account access. |
| Customer identity & consent (CIAM) | Shapes how customers authenticate and consent to access and payment initiation in digital channels. |
| Identity verification (KYC/proofing) | Reinforces verifying the payer's identity at the point of payment to reduce fraud. |
| Audit, logging & accountability | Requires fraud monitoring and demonstrable application of SCA and exemption controls. |
Penalties
Penalties are set by Member States under PSD2 and must be effective, proportionate, and dissuasive; specific maximums vary by national law.
Official source
https://eur-lex.europa.eu/eli/reg_del/2018/389/oj/eng
PSD2 (Strong Customer Authentication): frequently asked questions
- What is Strong Customer Authentication under PSD2?
  SCA requires authenticating the payer using at least two independent factors drawn from knowledge, possession, and inherence, plus dynamic linking for electronic payment transactions.
- When did SCA become mandatory?
  The SCA Regulatory Technical Standards applied from 14 September 2019, with phased enforcement for e-commerce in some markets.
- Are there exemptions from SCA?
  Yes, PSD2 allows exemptions such as low-value transactions, trusted beneficiaries, and transaction risk analysis, but only within the limits set in the technical standards.
Educational summary, not legal advice. Confirm current requirements with the relevant authority or counsel.