Learn how strong customer authentication (SCA) works under PSD2, when it’s required, common exemptions, and how developers can build secure customer auth flows.

DeScope's resource offers insights, tutorials, and resources for software developers and IT professionals. Readers can learn about software architecture, cloud computing, and cybersecurity. With articles, tutorials, and best practices, DeScope provides  guidance and expertise for building and securing digital infrastructure.

Descope

Strong Customer Authentication (SCA) is a PSD2 requirement for electronic payments in the European Economic Area that mandates two-factor verification using knowledge, possession, or inherence factors. SCA applies primarily to customer-initiated online transactions, with exemptions for low-risk, low-value, and merchant-initiated payments. Implementation methods include passkeys, magic links, authenticator apps, and hardware security keys. While SCA reduces fraud and unauthorized transactions, poorly designed flows can increase checkout friction and reduce conversion rates by up to 24%. Developers should support multiple MFA methods, minimize redirects, and implement risk-based authentication to balance security with user experience.

Strong Customer Authentication 101: Understanding SCA

When strong customer authentication is required

Strong customer authentication methods and technologies

Impacts on business and customer experience

The future of strong customer authentication