What is SCA or Strong Authentication? New regulation in sight!


The SCA (Strong Customer Authentication) o Strong Authentication is primarily aimed at protecting online payment services from dangers such as fraud, theft of credentials or inappropriate fund transfers.

Not only in online payments. It also includes payments in physical commerce such as those made with contactless cards or smartcards.

The catch? Today only 14% of Ecommerce in Europe would meet this new standard according to a report by Mastercard.

When will compliance with SCA or Strong Authentication be mandatory?

This will become effective on September 14, 2019. We are talking about a regulation and therefore, it is a rule of direct application.

What is the main objective of the SCA?

It aims to increase the user security in Ecommerce. But this also goes hand in hand with innovative payment systems and requires using it as an international reference, not only within the borders of the European Union.

What does SCA consist of?

The SCA will require one more level of authentication to make online payments. It will be mandatory to use at least two of the following three:

  • Something owned by the user, such as their smartphone
  • Something known to the user as a password
  • Something inherent to the user, such as their fingerprint for example.

These are examples but they can be others as long as they comply with the safety characteristics established by the regulations.

They must also be independent, so that in the event of a failure in a possible fraud, only this information can be accessed (and not to two elements).

What conditions must the authentication code meet?

It is a single-use code, the result of the previous authentication elements. They must comply with certain premises:

  • In a possible disclosure, no one should take out information about such Elements.
  • It must not be possible to create a new code from the previous one.
  • It must be impossible to forge the code.

Payment service providers must also provide these guarantees:

  • If anything goes wrong in the code generation process, you should not know what it is.
  • The number of errors to perform a temporary or definitive block is at most 5 in a limited period of time.
  • The communication sessions will be protected against possible capture of authentication data or manipulation by outsiders.
  • After authentication, the user cannot remain inactive for more than 5 minutes.

 How are they going to achieve this?

Examining certain mechanisms to detect possible fraudulent or fraudulent operations or unauthorized'.

  • The lists of subtracted authentication elements.
  • Amounts of each payment transaction.
  • Signs of malware infections in any session of the authentication procedure.
  • In the event that the access device or software is provided by the payment service provider, a record of the use of the access device or software.

Payment Service Providers

Is it possible to be exempted from SCA or Strong Authentication?

In certain cases, payment service providers may not apply the SCA, but for this they must not leave any suspicion of fraud in the supervisory mechanisms. In which cases?

  • At Point-of-Sale Terminals (POS) with contactless system in up to 5 consecutive transactions, provided that the amount does not exceed 150 € and individually, none of them exceeds 50 €.
  • At Parking Payment Terminals (not attended).
  • When the payee is included in a list of trusted payees and meets the general authentication requirements.
  • In cases where the same user performs frequent operations with the same amount and beneficiary.
  • In transfers between two accounts of the same person (natural or legal) in the same entity.
  • In payments of legal entities with special protocols that are not available to users.

While not easy, just as GDPR was not, SCA or Strong Authentication does present a security opportunity for Ecommerce customers, and sales opportunity for technologically advanced companies.

They will be able to decide whether they want to become SCA experts, or directly hire a strategic partner to implement the regulation.

As expected, the SCA will be especially influential in mobile online commerce with the advent of biometric security by applications such as Apple Pay or Google Pay.

Have you heard about SCA or Strong Authentication, do you think you are ready, feel free to leave us a comment!

Follow us also on our social networks:

How useful did you find this content?

Click on a star to rate!

Average score 0 / Counting of votes: 0

So far, no votes. Be the first to rate this content.


Subscribe to our newsletter!

Don't worry, we won't fill your inbox with dozens of emails. Every month we compile the latest news from the digital marketing sector and send them to you. 

    geotelecom white.png
    logos partner4.png
    european union logo small2.png
    text unioneuropea english.png
    texto innovation english.png