Why the UK is ready for Strong Customer Authentication

Share this post

The problem of online fraud has been around for decades, and has been steadily growing alongside the staggering growth of eCommerce. Combatting this problem requires a multi-faceted approach from merchants, the payments industry, law enforcement and ordinary people, and one recent development has been the launch of Strong Customer Authentication (SCA) across Europe as part of the Payment Services Directive 2 (PSD2) regulations.

SCA adds new layers of protection to online payments for everyone involved in the payments process. At it’s most basic, SCA requires banks to ask for two forms of identification before they process a payment:

  • Knowledge, such as a password or PIN.
  • Possession, a mobile phone or a card reader.
  • Inherence, something inherent to a customer such as their fingerprint.


A rocky road to SCA compliance?

Many people will have used SCA-compliant payments already – the 3D Secure and 3D Secure 2 standards used by the vast majority of websites are one example. However, the road to becoming SCA-compliant has not been easy: PSD2 was passed in 2015 and went into full effect in 2019, but delays in implementation meant that the European Banking Authority extended the time allowed for companies to become SCA-compliant to 2019, then 2020, and now January of 2022 in the UK. Although it seems that this is the last time that the deadline will be extended, the question becomes whether the UK is truly ready to make the switch.

To answer this The Payments Association conducted a research programme with major stakeholders in the UK payments industry, conducting in-depth interviews with representatives from companies like Visa, Lloyds Banking Group, JP Morgan and retailers like John Lewis Partnership. The results showed that overall the UK’s payment industry is more than ready for the SCA deadline, as are major merchants, and it is only some SMEs that are lagging behind.

Achieving compliance

The study found that in Europe, where SCA has largely been rolled out, compliance has been achieved without disruption to consumers. As with any change to payment security, there is a risk that customers would experience increased friction from the verification process that might cause them to abandon their transactions, or that over-sensitive automated verification processes would reject legitimate payments. It was found that this was not the case for the most part, though variations do exist between countries and between website-based payments and in-app payments. Overall though it was found that SCA is having a positive impact on fraud levels, with Visa noting a 20% reduction in reported fraud and the European Banking Association analysis showing a 33% reduction in the cost of fraud to issuers.

Using the European experience as a measurement, The Payment Association’s whitepaper found that the UK is well prepared, given the extra time granted by the FCA and the changes that have already been undertaken by so many stakeholders. Larger payment gateways, which process over 85% of transactions, are ready before the enforcement deadline, as are many of the remaining 15%. Large eCommerce merchants are also believed to be ready based on interviews with select representatives of the industry. Although most of them would process payments with the large payment gateways that have already adopted SCA, it is unknown how many will see disruption due to lack of action. There seems to be a case for a communication campaign to help SMEs understand the requirements and how to become compliant before the deadline.

Reducing friction in payments

The findings identify how the UK’s payment industry is moving from focussing on basic compliance to optimisation. 3DS has recently been updated to a 2.3 version, which adds new authentication approaches and streamlines the authentication approach. This reflects an increased emphasis on reducing friction, which also manifests as regulatory conditions that allow transactions to be exempt from SCA if a ‘Transactional Risk Analysis’ deems it be low risk. Also possible are ‘Payment Links’ sent by email, text message or instant messaging that take a cardholder directly to a 3DS Server to authenticate their payment and card tokenization, which allows for cards to be used for recurring payments and subscription services without SCA needing to be done every time. Merchants seem to be enthusiastic about the use of these systems to reduce friction.

Furthermore, the research has shown that after a difficult start the UK is ready to deploy SCA across every payment. Although there will be a period of adjustment, particularly for small companies and customers who are less technologically sophisticated. However, it will be a significant part of reducing digital fraud, which is reaching epidemic levels and seriously cutting into the profits of everyone involved in the payments process, from merchants through to acquirers and card schemes, at a time when they should be experiencing unprecedented profits. It won’t be enough on its own to make fraud so difficult that it won’t be worth attempting, but it will move the UK’s commercial industries to a place where they are safer and more profitable than ever before and provide a base on which to expand.

To download a copy of the ‘Strong Customer Authentication: UK readiness status and key learnings from Europe whitepaper’, visit: https://thepaymentsassociation.org/whitepaper/the-long-and-winding-road-to-sca/


About the author

Tony Craddock is Director General at The Payments Association (formerly the Emerging Payments Association (EPA)).


An enthusiastic business leader of the world’s most influential trade association in payments, a lively public speaker and avid networker, Tony is passionate about payments and the difference it can make to lives everywhere. Tony champions payments technologies globally. He shares his deep payments knowledge, borne from 15 years in payments and evangelical zeal for innovation, when speaking and chairing conferences, publishing books and white papers, or enrolling payments leaders to join the EPA’s collaboration network. A serial entrepreneur; Tony invests in many early stage payments and PayTech companies – enabling them to succeed in a highly competitive payments ecosystem.


Tony conceived and launched The Payments Association (EPA) in 2012. The community promotes the UK as global hub for payments innovation and the interests of its 150+ members, which include banks, card schemes, PSPs, issuers, processors, acquirers, who all come together to drive collective industry change.


Tony also leads the communities of EPA Asia and PA EU. His vision is that this global network of interconnected capabilities, people and knowledge will prove to be transformational in how the world works, for the benefit of everyone. In 2019, Tony set up the Inclusion Foundation, a not-for-profit platform company promoting products that help address financial exclusion.


About The Payments Association

The Payments Association (previously the Emerging Payments Association or EPA) is a community for all companies in payments, whatever their size, capability, location or regulatory status. Its purpose is to empower the most influential community in payments, where the connections, collaboration and learning shape an industry that works for all. It works closely with industry stakeholders such as the Bank of England, the FCA, HM Treasury, the PSR, Pay.UK, UK Finance and Innovate Finance.

Through its comprehensive programme of activities and with guidance from an independent Advisory Board of leading payments CEOs, The Payments Association facilitates the connections and builds the bridges that join the ecosystem together and make it stronger. These activities include a programme of monthly digital and face-to-face events including an annual conference, PAY360, the Emerging Payments Awards dinner, CEO round tables and training activities. The Payments Association also runs five stakeholder working project group covering financial inclusion, regulation, financial crime, cross-border payments and open banking. The volunteers in these groups represent the collective views of the industry and work together to ensure the big problems facing the industry are addressed effectively and collectively. The association also conducts original research which is made available to members and the authorities. These include monthly whitepapers, insightful interviews and tips from the industry’s most successful CEOs.


Article by SkyParlour

More To Explore


Are you a member of The Payments Association?

Member benefits include free tickets, discounts to more tickets, elevated brand visibility and more. Sign in to book tickets and find out more.


Log in to access complimentary passes or discounts and access exclusive content as part of your membership. An auto-login link will be sent directly to your email.

Having trouble signing?

We use an auto-login link to ensure optimum security for your members hub. Simply enter your professional work e-mail address into the input area and you’ll receive a link to directly access your account.

First things first

Have you set up your Member account yet? If not, click here to do so.

Still not receiving your auto-login link?

Instead of using passwords, we e-mail you a link to log in to the site. This allows us to automatically verify you and apply member benefits based on your e-mail domain name.

Please click the button below which relates to the issue you’re having.

I didn't receive an e-mail

Tip: Check your spam

Sometimes our e-mails end up in spam. Make sure to check your spam folder for e-mails from The Payments Association

Tip: Check “other” tabs

Most modern e-mail clients now separate e-mails into different tabs. For example, Outlook has an “Other” tab, and Gmail has tabs for different types of e-mails, such as promotional.

Tip: Click the link within 60 minutes

For security reasons the link will expire after 60 minutes. Try submitting the login form again and wait a few seconds for the e-mail to arrive.

Tip: Only click once

The link will only work one time – once it’s been clicked, the link won’t log you in again. Instead, you’ll need to go back to the login screen and generate a new link.

Tip: Delete old login e-mails

Make sure you’re clicking the link on the most recent e-mail that’s been sent to you. We recommend deleting the e-mail once you’ve clicked the link.

Tip: Check your security policies

Some security systems will automatically click on links in e-mails to check for phishing, malware, viruses and other malicious threats. If these have been clicked, it won’t work when you try to click on the link.

Need to change your e-mail address?

For security reasons, e-mail address changes can only be complete by your Member Engagement Manager. Please contact the team directly for further help.

Still got a question?