Assessing the Impact of PSD2s Strong Customer Authentication

03rd May 2019
Robbie MacDiarmid
Robbie MacDiarmid

In addition to increasing competition within the payments industry, PSD2 also aims to enhance the protection of end consumers. In order to achieve this, PSD2 incorporates Strong Customer Authentication (SCA): which is intended to ensure that authentication keeps up with the fast-paced technological changes in the payments industry.

By mandating that at least two independent elements are presented during a transaction’s authentication – categorised as either knowledge, inherence or possession – SCA aims to reduce fraud rates for merchants and guarantee more security for consumers. 

The relevant Regulatory Technical Standards (RTS) were published in March 2018 and are relatively complex for merchants and industry players to fully comply with by the deadline of 14th September 2019. SCA will be enforced from day one, in more of a ‘flipping a switch’ action than a gradual introduction, meaning that solutions must be finalised and tested before this deadline in order to be operational in time. However, merchants are also having to navigate the guidance being issued by national competent authorities: because regulatory bodies are interpreting numerous aspects of SCA
differently, merchants are now facing a number of risks and challenges that could have been avoided with more explicit definitions.

The SCA mandate has come later than open banking, and is also receiving less publicity – despite being vital to the ultimate success of PSD2. The potential issues with SCA are both complex and numerous and, with
the September 2019 RTS deadline fast approaching, regulators must begin to address these problems. It is critical that merchants work together to apply pressure and ensure a positive outcome. Previously we said ‘the
clock is ticking’: now, the alarm bells are ringing.

Robbie MacDiarmid - Economic Analyst


Due to the fact that 100% SCA enforcement has the potential to ruin certain business models, a number of exemptions have been defined by the EBA. These exemptions are applied for by the acquiring bank, and the issuing bank then has the opportunity to accept the exemption and allow a frictionless transaction, or reject the exemption and force strong authentication.
Alternatively, an issuing bank can exempt a transaction themselves if they so wish.

The main issues facing merchants with regard to SCA exemptions include:

  • Contactless
  • Whitelisting
  • Merchant Initiated Transactions (MIT)
  • Low value transactions
  • Corporate Payments
  • Transaction Risk Analysis (TRA)

Ultimately, while exemptions do have the potential to minimise the negative impact of SCA for some merchants, the benefits can only come to fruition if issuing banks have the technical ability to actually support the exemptions. It has been suggested that up to 30% of issuers will not be able to support exemptions by the September deadline, casting real doubt on whether merchants will be able to rely on the mechanism to dampen SCA’s hit to conversion rates.

You Might Also Be Interested In These...

Strong Customer Authentication (SCA) – Impact Assessment – February 2021

Our analysis of February data illustrates significant transaction failure with the estimated European failure rate on transactions at 31% compared to 33% in January 2021.

Read More >
Strong Customer Authentication (SCA) – Impact Assessment – January 2021

Our reporting started back in August – analysis suggested that the average failure rate was 35% across Europe, fast forward to January, we’re seeing 33%.

Read More >
Retailer Challenges in Implementing an MIT Strategy – CMSPI Insights

With several use cases for MITs, it is likely that most merchants will encounter these transactions in some way.

Read More >
Strong Customer Authentication Readiness: Germany In-Focus

This short report provides some insight into SCA in Germany as well as the evolution of 3DS testing data.

Read More >
Learn more about PSD2