Strong Customer Authentication or SCA: is Europe 3D secure (2.0)-Ready?

Share this post

As part of a European Union mandate called the Revised Directive on Payment Services, or (PSD2), merchants operating in the EU economic zone must use payment service providers within the European Economic Area that offer what is known as strong customer authentication.

This is also sometimes referred to as the SCA requirement or the PSD2 compliance. In essence, this directive ensures that transactions occurring within the EU’s economic territories make use of multi-factor authentication in order to verify a buyer’s identity.

Whereas physical cards have strong authentication elements through the tried-and-true PIN and chip system, virtual transactions are fraught with more opportunities for fraud and misuse because of the relatively lower threshold of identity verification required to participate in a transaction.

Though first proposed in 2019 the EU allowed for a staggered implementation on a country-by-country basis thus allowing a final December 31, 2020 compliance date by which all member countries will have agreed to the implementation of the directive’s strong SCA requirement.

The directive applies to situations wherein a user can access an online account, initiate an electronic payment, or perform any financial transaction using third-party networks that could potentially expose that user to fraud or abuse.

It further defines strong customer authentication as a process whereby two or more elements are used to verify the person’s identity and permission to perform the initiated online transaction.

For Internet users and the customers of online merchants, the benefits of this strong customer authentication are fraud prevention and a superior experience on both ends of the transaction. While many payment providers initially balked at the aggressive rollout of PSD2 compliance requirements for strong customer authentication, the impact of the 2020 economic situation and COVID-19 accelerated harmonization across processing providers in the European Union as the volume of online transactions grew concomitant with the new demand for online services and transactions.

The standard for strong customer authentication (SCA) that has emerged is 3D Secure 2.0. Though preferred, experts report that it is not necessarily robust in all of the ways envisioned in the directive thus leading to some friction between major proponents of 3D Secure 2.0 and payments processors such as Mastercard and Visa.

A requirement since September 2019 and with a final implementation date through the end of December 2020, the implementation is now in the phase known as a requirement. That translates into most major providers such as Mastercard and Visa, among others, requiring PSD2 compliance in order to utilize their third-party payments processing networks.

Mastercard points out that merchants should prepare for an immediate migration to EMV 3DS while those merchants in the now fully EU-exited United Kingdom face a September 2021 deadline for compliance.

Further, France is extending regulatory compliance for some companies on a case-by-case basis through the end of March 2021. While the challenges of meeting regulatory thresholds is often seem daunting, the benefits of SCA and adhering to the PSD2 compliance for both merchants and online users are manifold and evident in reduced fraud and chargebacks.

A recent survey carried out by global management consulting company Deloitte showed that a significantly vast majority of firms’ human and financial resources have been redirected to responding to PSD2 from a compliance standpoint. This is done in order for companies to meet regulatory deadlines.

As a result, it was established that 75% of the firms the company interviewed state to be broadly confident about their readiness to comply with the PSD2 primary legislation requirements which became enforceable in January 2021.

From a business and strategic perspective, 59% of firms report that PSD2 to be an opportunity for their business. It was reported that many firms plan to actually proactively embrace PSD2 and use it to drive their digital transformation. Reshaping digital business models is a step forward no business can escape if growth and development are on the agenda.

To conclude we feel that it is the right time for firms to start bridging the gap between their strategic aspirations and their strategic plans. Although competitive forces may not be strong initially, they are likely to gain pace rapidly, and firms that have not effectively positioned and differentiated themselves in the market may be left behind.

The team of Monneo will be glad to answer any particular questions addressed via our official website. We also encourage you to check our Insights section where we regularly post important information and articles related to digital banking, fintech, and B2B merchant payments topics.

More To Explore


Are you a member of The Payments Association?

Member benefits include free tickets, discounts to more tickets, elevated brand visibility and more. Sign in to book tickets and find out more.


Log in to access complimentary passes or discounts and access exclusive content as part of your membership. An auto-login link will be sent directly to your email.

Having trouble signing?

We use an auto-login link to ensure optimum security for your members hub. Simply enter your professional work e-mail address into the input area and you’ll receive a link to directly access your account.

First things first

Have you set up your Member account yet? If not, click here to do so.

Still not receiving your auto-login link?

Instead of using passwords, we e-mail you a link to log in to the site. This allows us to automatically verify you and apply member benefits based on your e-mail domain name.

Please click the button below which relates to the issue you’re having.

I didn't receive an e-mail

Tip: Check your spam

Sometimes our e-mails end up in spam. Make sure to check your spam folder for e-mails from The Payments Association

Tip: Check “other” tabs

Most modern e-mail clients now separate e-mails into different tabs. For example, Outlook has an “Other” tab, and Gmail has tabs for different types of e-mails, such as promotional.

Tip: Click the link within 60 minutes

For security reasons the link will expire after 60 minutes. Try submitting the login form again and wait a few seconds for the e-mail to arrive.

Tip: Only click once

The link will only work one time – once it’s been clicked, the link won’t log you in again. Instead, you’ll need to go back to the login screen and generate a new link.

Tip: Delete old login e-mails

Make sure you’re clicking the link on the most recent e-mail that’s been sent to you. We recommend deleting the e-mail once you’ve clicked the link.

Tip: Check your security policies

Some security systems will automatically click on links in e-mails to check for phishing, malware, viruses and other malicious threats. If these have been clicked, it won’t work when you try to click on the link.

Need to change your e-mail address?

For security reasons, e-mail address changes can only be complete by your Member Engagement Manager. Please contact the team directly for further help.

Still got a question?