SCA Standards & Regulations Across the Globe

Share this post

A General Overview

While it is hard to get official statistics on how many people have a credit or debit card issued by a member of the EMVCo consortium (Eurocard, Mastercard, Visa, etc.), the most common standard for SCA is likely the one mandated by the 3-D Secure protocol. Well, at least when we look at transaction volumes.

As a quick reminder, 3D secure is an additional security layer for online credit and debit card transactions. Today, most internet shopping from Europe and the US is still happening via card-not-present transactions protected by this 3-D Secure. Implementations of the initial 1.x version of 3-D Secure mainly were done using SMS messaging for authentication. Now, the required 2.x version supports app-based out-of-band authentication mechanisms, such as what we at Okay provide. Related to EMVCo are the PCI DSS multifactor authentication guidelines. But, when protecting payment systems, these do not cover the transactions directly.

United States 

When we look at major US banks – such as Bank of America and Wells Fargo – we can see that they have at least partly adopted the FIDO2 standard. The Fast Identity Online (FIDO) Alliance is an industry association first launched back in 2013. The association used to be concerned with hardware solutions, including trusted platform modules and USB tokens as 2nd-factor authentication. But today, with FIDO2, the association has gained much more traction as an SCA mechanism. The limitation is that FIDO2 is mainly concerned with integrating your identity with a web browser, perhaps not so relevant in an app-driven world.


Asia, particularly China, is, as usual, a slightly different story. In the last few years, the WeChat wallet has become the most common way to pay when shopping or buying online, with an estimated 900 million users in 2021. Perhaps surprisingly, the WeChat wallet is based on SMS one-time-pin codes and links your wallet to either a Chinese ID card or an existing bank account. So from a European security perspective, it was similar to wallet solutions popular in Europe a decade ago.


In Europe, the Payment Services Directive, followed by the PSD2 and the PSD2 RTS, have been the regulatory driving force for stricter SCA requirements over the last decade. However, unlike the worldwide standard driven by industry organisations, Europe-wide regulation is not so much a standard as it is a guideline left to enforce by the various “National Competent Authorities” (NCAs). This means that how you authenticate and sign up for a service will differ based on your country…

To continue reading this article, check out the full blog post over on the Okay blog section

Article by Okay AS

More To Explore


Are you a member of The Payments Association?

Member benefits include free tickets, discounts to more tickets, elevated brand visibility and more. Sign in to book tickets and find out more.


Log in to access complimentary passes or discounts and access exclusive content as part of your membership. An auto-login link will be sent directly to your email.

Having trouble signing?

We use an auto-login link to ensure optimum security for your members hub. Simply enter your professional work e-mail address into the input area and you’ll receive a link to directly access your account.

First things first

Have you set up your Member account yet? If not, click here to do so.

Still not receiving your auto-login link?

Instead of using passwords, we e-mail you a link to log in to the site. This allows us to automatically verify you and apply member benefits based on your e-mail domain name.

Please click the button below which relates to the issue you’re having.

I didn't receive an e-mail

Tip: Check your spam

Sometimes our e-mails end up in spam. Make sure to check your spam folder for e-mails from The Payments Association

Tip: Check “other” tabs

Most modern e-mail clients now separate e-mails into different tabs. For example, Outlook has an “Other” tab, and Gmail has tabs for different types of e-mails, such as promotional.

Tip: Click the link within 60 minutes

For security reasons the link will expire after 60 minutes. Try submitting the login form again and wait a few seconds for the e-mail to arrive.

Tip: Only click once

The link will only work one time – once it’s been clicked, the link won’t log you in again. Instead, you’ll need to go back to the login screen and generate a new link.

Tip: Delete old login e-mails

Make sure you’re clicking the link on the most recent e-mail that’s been sent to you. We recommend deleting the e-mail once you’ve clicked the link.

Tip: Check your security policies

Some security systems will automatically click on links in e-mails to check for phishing, malware, viruses and other malicious threats. If these have been clicked, it won’t work when you try to click on the link.

Need to change your e-mail address?

For security reasons, e-mail address changes can only be complete by your Member Engagement Manager. Please contact the team directly for further help.

Still got a question?