
What is Strong Customer Authentication (SCA) under PSD2?

Short answer

Strong Customer Authentication (SCA) is the multi-factor authentication that PSD2 (Article 97 of Directive (EU) 2015/2366) requires for electronic payments and online access to payment accounts. It relies on at least two of three independent elements — knowledge (something only the user knows), possession (something only the user has) and inherence (something the user is). The technical detail — dynamic linking, exemptions and secure communication with third-party providers — sits in the SCA-RTS (Commission Delegated Regulation (EU) 2018/389), applicable since 14 September 2019.


01 What SCA requires — the two-of-three elements

PSD2 (Article 97 of Directive (EU) 2015/2366) requires payment service providers to apply **strong customer authentication** when a payer accesses a payment account online, initiates an electronic payment, or carries out any remote action that may imply a risk of fraud or abuse. SCA means authentication based on **at least two** elements from three independent categories — **knowledge** (e.g. a password or PIN), **possession** (e.g. a smartphone or hardware token) and **inherence** (e.g. a fingerprint or face scan). The key is **independence**: the breach of one element must not compromise the reliability of the others [1].

02 The SCA-RTS — dynamic linking, exemptions, secure communication

The operational detail sits in the **SCA-RTS — Commission Delegated Regulation (EU) 2018/389**, applicable since **14 September 2019** [2]. For remote payments it requires **dynamic linking**: the authentication code is tied to the specific amount and the specific payee, so any change to the transaction data invalidates the code.
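To make the dynamic-linking property concrete, here is an added example (not code from the page, and not prescribed by the RTS, which does not mandate a particular construction): an authentication code computed as an HMAC-SHA256 over the transaction id, amount, currency and payee under a key that stands in for the possession element, truncated HOTP-style to a short numeric code. The device key, transaction ids and payee strings are constructed placeholders; the point is that the verifier recomputes the code from the transaction data it actually holds, so a changed amount, a changed payee, or a replay against a different transaction no longer verifies.

```python
import hashlib
import hmac
import secrets
from decimal import Decimal, ROUND_HALF_UP

# Constructed 32-byte key for this example. It plays the role of the possession
# element (a key provisioned to the payer's phone or token); a real deployment
# would never keep it as a source literal.
DEVICE_KEY = bytes.fromhex(
    "8f3a2c51d9e7b04476a1f0c3e5d2b8a9" "1c4e6f7a8b9c0d1e2f3a4b5c6d7e8f90"
)


def canonical_message(transaction_id: str, amount, currency: str, payee: str) -> bytes:
    """Encode the transaction data the code must be linked to.

    The amount is fixed to two decimals and fields are joined with an
    unambiguous separator, so "120.0" and "120.00" bind to the same bytes
    while any real change to amount or payee changes them.
    """
    amount_str = str(Decimal(amount).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP))
    fields = [transaction_id, amount_str, currency.upper(), payee.strip()]
    if any("\x1f" in f for f in fields):
        raise ValueError("field contains the separator byte")
    return "\x1f".join(fields).encode("utf-8")


def generate_auth_code(key: bytes, transaction_id: str, amount, currency: str,
                       payee: str, digits: int = 8) -> str:
    """Return a numeric code bound to this transaction's amount and payee.

    HMAC-SHA256 over the canonical transaction data, then the dynamic
    truncation from RFC 4226 (HOTP), so the payer sees a short code next to
    the amount and payee being approved.
    """
    mac = hmac.new(key, canonical_message(transaction_id, amount, currency, payee),
                   hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def verify_auth_code(key: bytes, transaction_id: str, amount, currency: str,
                     payee: str, presented_code: str, digits: int = 8) -> bool:
    """Recompute the code for the transaction as the bank sees it.

    If amount or payee differ from what the payer approved, the recomputed
    code differs and verification fails: that is the dynamic-linking check.
    """
    if len(presented_code) != digits or not (presented_code.isascii() and presented_code.isdigit()):
        return False
    expected = generate_auth_code(key, transaction_id, amount, currency, payee, digits)
    return hmac.compare_digest(expected, presented_code)


def dynamic_linking_demo() -> dict:
    """Issue one code and try it against the original and three altered transactions."""
    txid = secrets.token_hex(8)              # per-transaction nonce, constructed here
    payee = "PAYEE-IBAN-PLACEHOLDER"         # placeholder, not a real account
    amount = "120.00"
    code = generate_auth_code(DEVICE_KEY, txid, amount, "EUR", payee)
    return {
        "approved_as_shown": verify_auth_code(DEVICE_KEY, txid, amount, "EUR", payee, code),
        "amount_tampered": verify_auth_code(DEVICE_KEY, txid, "1200.00", "EUR", payee, code),
        "payee_tampered": verify_auth_code(DEVICE_KEY, txid, amount, "EUR", "OTHER-PAYEE-PLACEHOLDER", code),
        "replayed_on_new_transaction": verify_auth_code(DEVICE_KEY, secrets.token_hex(8), amount, "EUR", payee, code),
    }


if __name__ == "__main__":
    for check, accepted in dynamic_linking_demo().items():
        print(f"{check}: {'accepted' if accepted else 'rejected'}")
```

The canonical encoding is where such schemes usually go wrong in practice: if the code were computed over a free-form string, "120.0 EUR" and "120.00 EUR" would yield different codes for the same transaction, while an unseparated concatenation could let two different amount/payee pairs collide. The per-transaction id is what keeps a code issued for one payment from being accepted for a later one with the same amount and payee.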

The RTS also defines a set of **exemptions** from SCA (among them low-value and contactless payments, recurring payments of the same amount to the same payee, trusted beneficiaries, and a risk-based transaction-risk-analysis exemption) and the **secure-communication** rules between account-servicing banks and third-party providers: banks provide either a dedicated interface (API) or an adapted customer interface, with a **fallback / contingency mechanism** so authorised AISPs and PISPs are not cut off. (Specific article and threshold figures depend on the use case — we always link the primary text.)

03 Outlook: PSD3/PSR (proposed, not yet law)

In June 2023 the Commission proposed a reform package — a **PSD3 directive (COM(2023) 366)** and a directly applicable **Payment Services Regulation (COM(2023) 367)** — that would also evolve the SCA regime (among other things, authentication accessibility, the allocation of SCA responsibilities, and additional anti-fraud measures such as verification-of-payee). As of mid-2026 a **provisional political agreement (27 November 2025)** has been reached and the text is **close to adoption**, but it is **not yet adopted or published in the Official Journal** — until then the SCA regime from PSD2 + the SCA-RTS continues to apply unchanged.

Sources

Every cited claim links to the primary source.

[1] PSD2 — Directive (EU) 2015/2366, Art. 97 (strong customer authentication) — EUR-Lex
[2] SCA-RTS — Commission Delegated Regulation (EU) 2018/389 — EUR-Lex
