Strong Customer Authentication

Strong Customer Authentication (SCA) is a requirement from the second Payment Services Directive (PSD2). The PSD2 text introduces strict security requirements for the initiation of electronic payments in order to reduce the risk of fraud. These requirements include strong customer authentication, which is an authentication process that validates the identity of the user of a payment service or a payment transaction, which will be compulsory on the 14th September 2019. Most payments will need at least 2 forms of authentication – or form factors – to process a payment from institutions (banks) that issue credit and debit cards.

Note: PayPal Payments Pro, PayPal-branded transactions, and their funding may be subject to SCA, but PayPal handles the authentication request and processing for you.

The three form factors for authentication are:

• Knowledge—Something you know. An example of this is a password.
• Possession—Something you have. Examples of this are: a one-time code generated by a security token or access through a trusted device by SMS or text message.
• Inherence—Something that you are and is unique to you. An example of this is a voice or finger print.

Related information

• Payment Services Directive (PSD2)—General PSD2 information for businesses.
• Payment Services Direction (PSD2) Compliance—PSD2 information specific to PayPal integrations.