
How Will Authentication Evolve in the Age of SCA?

Within months, we will have a clearer idea of the impact of Strong Customer Authentication (SCA), the regulatory requirement that has seen European merchants gather multi-factor authentication from customers for most online transactions.

This EU directive requires that the customer provide two of three identifying factors—something they know, something they own, or something they are. Exemptions automatically apply for some transactions, for example those under EUR30; however, these will also need to be challenged after five transactions, or once the total combined value of previous exempted transactions exceeds EUR100. So, there are a lot of factors to be aware of.
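The low-value exemption described above is a small piece of state kept per card. The sketch below is an added example, not code from the article or from any payment provider; the class name, the counter reset after a challenge and the sample amounts are assumptions made for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

# Thresholds as stated in the article (EUR).
LOW_VALUE_LIMIT = Decimal("30")    # exemption applies to amounts under this
MAX_EXEMPT_COUNT = 5               # exempted transactions before a challenge
MAX_EXEMPT_TOTAL = Decimal("100")  # combined value of previous exempted ones


@dataclass
class LowValueExemption:
    """Counters for one card. Assumption: both reset after a challenge."""
    exempt_count: int = 0
    exempt_total: Decimal = Decimal("0")

    def decide(self, amount: Decimal) -> str:
        """Return 'exempt' or 'challenge' for one transaction amount."""
        eligible = (
            amount < LOW_VALUE_LIMIT
            and self.exempt_count < MAX_EXEMPT_COUNT
            and self.exempt_total <= MAX_EXEMPT_TOTAL
        )
        if eligible:
            self.exempt_count += 1
            self.exempt_total += amount
            return "exempt"
        # Assumption: the customer completes the challenge, so the
        # counters start again from zero.
        self.exempt_count = 0
        self.exempt_total = Decimal("0")
        return "challenge"


def run(amounts):
    """Replay constructed amounts (EUR strings) against fresh counters."""
    state = LowValueExemption()
    return [state.decide(Decimal(a)) for a in amounts]


if __name__ == "__main__":
    print(run(["10"] * 7))         # count limit reached on the sixth
    print(run(["29"] * 5))         # value limit reached before the count
    print(run(["12", "45", "8"]))  # EUR45 is over the per-transaction limit
```

Amounts are held as Decimal rather than float so that comparisons against the thresholds are exact.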

SCA delivers greater online security, but it also means additional authentication steps at checkout. Adding even a few more seconds on to the checkout process can mean the difference between a closed sale and an abandoned cart, so which methods should merchants use?

Below is an overview of the methods of authentication, and possible exemptions that may be sought.

Biometrics: inherence in technology

Biometrics offer a fast solution to the ‘inherence’ factor of multi-factor authentication. Fingerprints, facial recognition, making a short video to confirm identity, and retina scanning are all possibilities. This method is best suited for mobile commerce, given that smartphones are most likely to have biometric features built in; this method may be popular with seasoned online shoppers. Issuing Banks may adopt this authentication method over time by leveraging their mobile banking apps installed on consumer devices.

One-time codes

One of the key elements of multi-factor authentication is the one-off code. Issuers send a single-use code via SMS text message or phone call at checkout, which customers must use to complete a transaction. This method requires that customers have their mobile number registered with their card issuer, or at least be happy to provide their phone number in order to receive the code. There is also a risk that one-time passwords by SMS may not always be secure, and could potentially be intercepted. One-time codes via text messaging, along with inherence, may be more suited to mobile commerce than desktop commerce.

There are also possible exemptions that can be claimed, including whitelisting and TRA.


Consumers will soon be able to make their own personal ‘whitelists’ of approved merchants, whereby the merchant is recognized as a ‘trusted beneficiary’. This means that after the first SCA challenge at checkout, consumers shouldn’t have to go through SCA when they buy from the merchant again. Brand loyalty and scale could be a significant factor—major merchants with mass appeal and recognition may find it easier to be whitelisted than a small independent merchant.

Transaction risk analysis (TRA)

For smaller merchants who might not enjoy the brand recognition that could make whitelisting more likely, transaction risk analysis could represent a good opportunity to avail of an exemption.

Under the revised Payment Services Directive (PSD2) and SCA rules, if an acquirer’s fraud incidence rate is below a certain percentage, it can apply SCA exemptions, up to prescribed regulatory monetary thresholds, for merchants with a similarly low fraud incidence rate. For example, as an acquirer, J.P. Morgan has an entity that has a low fraud rate. If merchants have a similarly low fraud rate, merchants can consider applying to process transactions via this entity. Contact your J.P. Morgan representative to find out more.


The 31 December 2020 deadline in the European Union (14 September 2021 for UK-only transactions) for implementation could have been viewed as an extra burden to deal with. However, we saw it as an opportunity to ensure the most effective security protocols are in place and to future-proof our merchant clients.

As the industry matures with regard to Strong Customer Authentication (SCA), we will continue to gain a clearer view of its impact and of the evolving space of consumer authentication.

Comments: (1)

A Finextra member, 29 January, 2021, 11:09

Surely One Time Codes via SMS at checkout would not be compliant, as this is in effect a transaction? PSD2's rules on transactions require Dynamic Linking and Sign what you see elements that must provide Confidentiality, Integrity and Authenticity.

To quote Article 5 of the RTS:

2.   For the purpose of paragraph 1, payment service providers shall adopt security measures which ensure the confidentiality, authenticity and integrity of each of the following:


the amount of the transaction and the payee throughout all of the phases of the authentication;


the information displayed to the payer throughout all of the phases of the authentication including the generation, transmission and use of the authentication code.

All things that SMS cannot provide.
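
The comment above cites dynamic linking. As an added illustration (not part of the article or the comment), this sketch shows one way an authentication code can be tied to the amount and payee so that changing either invalidates it. The HMAC construction, the key handling and the payee names are assumptions chosen for the example, not something the RTS or this page prescribes.

```python
import hashlib
import hmac
import secrets


def _encode(amount_minor: int, currency: str, payee: str, nonce: bytes) -> bytes:
    """Length-prefix every field so field boundaries cannot be shifted."""
    fields = [str(amount_minor).encode(), currency.encode(), payee.encode(), nonce]
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def make_code(key: bytes, amount_minor: int, currency: str, payee: str,
              nonce: bytes) -> str:
    """Authentication code bound to this amount, payee and nonce."""
    msg = _encode(amount_minor, currency, payee, nonce)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_code(key, code, amount_minor, currency, payee, nonce) -> bool:
    """Recompute over the details being executed; constant-time compare."""
    expected = make_code(key, amount_minor, currency, payee, nonce)
    return hmac.compare_digest(expected, code)


def demo() -> dict:
    key = secrets.token_bytes(32)    # constructed key shared with the issuer
    nonce = secrets.token_bytes(16)  # fresh per transaction
    shop = "Example Shop Ltd"        # hypothetical payee name
    code = make_code(key, 2599, "EUR", shop, nonce)
    return {
        "as_approved": verify_code(key, code, 2599, "EUR", shop, nonce),
        "amount_changed": verify_code(key, code, 92599, "EUR", shop, nonce),
        "payee_changed": verify_code(key, code, 2599, "EUR", "Other Payee Ltd", nonce),
        "other_transaction": verify_code(key, code, 2599, "EUR", shop,
                                         secrets.token_bytes(16)),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

Amounts are passed in minor units (cents) so the signed value has a single canonical form.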