Strong customer authentication
from Wikipedia

Strong customer authentication (SCA) is a requirement of the EU Revised Directive on Payment Services (PSD2) on payment service providers within the European Economic Area. The requirement ensures that electronic payments are performed with multi-factor authentication, to increase the security of electronic payments.[1] Physical card transactions already commonly have what could be termed strong customer authentication in the EU (Chip and PIN), but this has not generally been true for Internet transactions across the EU prior to the implementation of the requirement,[1] and many contactless card payments do not use a second authentication factor.

The SCA requirement came into force on 14 September 2019.[2] However, with the approval of the European Banking Authority,[3] several EEA countries have announced that their implementation will be temporarily delayed or phased,[4][5] with a final deadline set for 31 December 2020.[6]

Requirement

Article 97(1) of the directive requires that payment service providers use strong customer authentication where a payer:[7]

(a) accesses its payment account online;
(b) initiates an electronic payment transaction;
(c) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.

Article 4(30) defines "strong customer authentication" itself (as multi-factor authentication):[7]

an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data

Implementation

The European Banking Authority published an opinion on what approaches could constitute different "elements" of SCA.[3]

3-D Secure 2.0 can (but does not always[3]) meet the requirements of SCA. 3-D Secure has implementations by Mastercard (Mastercard Identity Check)[8] and Visa[9] which are marketed as enabling SCA compliance.

E-commerce merchants must update the payment flows in their websites and apps to support authentication.[10] If authentication is not supported, many payments will be declined once SCA is fully implemented.[10]

History

On 31 January 2013, the European Central Bank (ECB) issued recommendations on Internet payment security, requiring strong customer authentication.[11] The ECB's requirements are technologically neutral, in order to foster innovation and competition. The public submission[12] process to the ECB identified three solutions to strong customer authentication, two of which are based on reliance authentication, and the other being the new variant of 3-D Secure which incorporates one-time passwords.

Subsequently, the European Commission drafted proposals for an updated Payment Services Directive including this requirement, which became PSD2. PSD2 strong customer authentication has been a legal requirement for electronic payments and credit cards since 14 September 2019.[13]

Criticism

In 2016, Visa criticised the proposal of making strong customer authentication mandatory, on the grounds that it could make online payments more difficult, and thus hurt sales at online retailers.[14]

In 2019, consumer representation group Which? noted that many UK banks were implementing SCA by requiring a phone capable of receiving a text message or push notification. When surveyed, nearly one in five Which? members were concerned that they may be unable to make payments if there was no alternative, either due to poor reception or not owning a phone.[15]

In 2020, an independent report conducted by consultancy firm CMSPI found that the potential disruption caused by strong customer authentication (excluding the United Kingdom) could be €108 billion in 2021.[16]

Outside Europe

The Reserve Bank of India has mandated an "additional factor of authentication" for card-not-present transactions.[17]

A proposal to make 3-D Secure mandatory in Australia was blocked by the Australian Competition & Consumer Commission in 2016 after objections.[18]

from Grokipedia
Strong customer authentication (SCA) is an authentication requirement mandated by the European Union's Revised Payment Services Directive (PSD2). It is defined as a process using two or more independent elements categorized as knowledge (something only the user knows, such as a password), possession (something only the user has, such as a device), and inherence (something the user is, such as a biometric characteristic), designed so that the breach of one element does not compromise the others while the authentication data remain confidential. SCA requires payment service providers to apply this multi-factor verification whenever a payer accesses their payment account online, initiates an electronic payment transaction, or performs a remote action that carries fraud risk, with the authentication elements dynamically linked to the specific transaction amount and payee to prevent unauthorized use. Enforced initially in September 2019 following PSD2's adoption in 2015, full implementation encountered delays across member states and the United Kingdom due to technical readiness issues among providers, extending compliance deadlines into 2021 and 2022 in some jurisdictions. The requirement's primary aim is to curb electronic payment fraud by shifting liability for unauthorized transactions to providers that fail to apply adequate authentication, though exemptions exist for low-value payments, secure corporate processes, and transactions below risk thresholds to limit usability disruptions. While SCA has demonstrably strengthened defenses against account takeovers and card-not-present fraud through heightened verification rigor, its rollout sparked debate over balancing security gains against user friction, as mandatory prompts often interrupt otherwise seamless transactions, prompting regulatory adjustments such as expanded exemptions and ongoing refinements under the PSD3 proposals.

Implementation challenges, including hurdles for third-party providers and variable adoption rates, underscored tensions between fraud reduction imperatives and practical deployment, with some analyses highlighting persistent vulnerabilities in exempted scenarios despite overall liability shifts favoring consumers.

Definition and Requirements

Core Principles

Strong customer authentication (SCA) constitutes an authentication process based on the use of two or more elements categorized as knowledge (something only the user knows, such as a password or PIN), possession (something only the user possesses, such as a device or token), and inherence (something the user is, such as biometric characteristics). These elements must be drawn from distinct categories to verify the payer's identity during electronic payment transactions and account access, with application mandated for remote channels to mitigate fraud risks.

The elements employed in SCA are required to be independent, such that the breach or compromise of one does not undermine the reliability of the others, thereby preventing scenarios where a single compromise propagates to full failure. This independence is further reinforced by design features that safeguard the confidentiality of authentication data, ensuring no shared secrets or correlated weaknesses across factors.

A critical component of SCA is dynamic linking, where the mechanism incorporates elements that uniquely bind the challenge to the transaction's specific amount and payee, rendering intercepted codes unusable for altered or replayed transactions. This measure counters man-in-the-middle and replay attacks by enforcing transaction-specific validation, in contrast to static codes.

At its foundation, SCA operates on the principle that layering independent verification factors distributes risk across multiple barriers, such that unauthorized actors must overcome disparate hurdles simultaneously. This configuration is justified by pre-regulatory patterns of payment fraud, where single-factor compromises such as credential theft enabled widespread unauthorized access, with SEPA card fraud losses exceeding €1 billion annually by the mid-2010s.

Authentication Elements

Strong customer authentication under the Revised Payment Services Directive (PSD2) mandates the use of two or more distinct elements from three categories: knowledge, possession, and inherence. These elements ensure that authentication relies on factors not easily transferable or replicable, thereby reducing unauthorized access risks through empirical validation of user identity.

The knowledge element consists of information only the user knows, such as a personal identification number (PIN) or static password. However, static passwords exhibit significant vulnerabilities, as evidenced by their role in major data breaches; for instance, weak or compromised passwords contributed to 30% of global data breaches, with over 16 billion unique passwords exposed across incidents reported up to 2025. Stolen credentials were factors in 88% of breaches analyzed in patterns involving initial access, underscoring how reusable knowledge factors enable credential-stuffing attacks when databases are compromised.

The possession element involves an object or device exclusively under the user's control, such as a hardware token, a mobile phone, or software generating one-time codes via an app. Common implementations include dynamic linking through short-lived codes sent to a registered device, but short message service (SMS)-based variants face exploitation via SIM-swapping attacks, where fraudsters hijack phone numbers to intercept codes. In the United States, SIM swap scams resulted in $26 million in losses in 2025, while reports surged 1,055% from 289 incidents in prior years to nearly 3,000 in 2024, driven by social engineering of carriers.

The inherence element relies on inherent user characteristics, including physiological traits like fingerprints or behavioral patterns. Biometric methods, such as facial recognition and fingerprint scanning, have seen rapid adoption due to their balance of usability and resistance to remote compromise, with the global biometrics market valued at $41.58 billion in 2023 and projected to exceed $267 billion by 2033. Surveys indicate 72% of global consumers preferred facial verification for secure transactions in 2022, reflecting a preference for frictionless biometrics over knowledge or possession factors. This growth stems from biometrics' advantage in verifying identity without shared secrets, though implementations must address false positives caused by environmental variables.

Regulatory Mandates

The Revised Payment Services Directive (PSD2), formally Directive (EU) 2015/2366, imposes a legal obligation on payment service providers (PSPs), including account servicing PSPs (ASPSPs) such as banks, to implement strong customer authentication (SCA) for electronic payment transactions as specified in Article 97. This mandate requires SCA, combining at least two independent factors from knowledge, possession, and inherence, for payer-initiated transactions, effective from 14 September 2019, following the directive's transposition into national laws by 13 January 2018. Phased enforcement was permitted by the European Banking Authority (EBA), with many member states granting temporary extensions beyond the initial deadline to facilitate compliance, though the core requirement remained binding. The scope encompasses all electronic payments within the European Economic Area (EEA), excluding certain low-value or exempted transactions, but mandates SCA as the default for online and remote payments to mitigate fraud risks.

Non-application of SCA triggers a liability shift under PSD2 rules: the PSP or merchant not enforcing it assumes responsibility for resulting unauthorized or fraudulent transactions, reversing the prior default where issuers often bore such costs. This mechanism applies specifically to EEA-denominated or EEA-originated transactions, even if involving non-EEA entities, thereby extending indirect pressure for compliance beyond EU borders.

Enforcement against non-compliance falls to national competent authorities, as per Article 103 of PSD2, which requires member states to impose "effective, proportionate and dissuasive" penalties, including administrative fines scaled to the severity of breaches and the entity's size. While fine caps vary (unlimited in some jurisdictions, capped in others), the prospect of such sanctions, coupled with liability exposure, has demonstrably accelerated SCA adoption among PSPs, with regulatory scrutiny focusing on persistent non-adherence after the 2019 rollout. Member states retain discretion in penalty design, but PSD2 emphasizes deterrence to ensure uniform application across the EU.

Implementation

Technical Mechanisms

Strong customer authentication under the Regulatory Technical Standards (RTS) mandates the use of at least two independent factors from three categories: knowledge (e.g., a password or PIN), possession (e.g., a device or token), and inherence (e.g., biometric data such as fingerprints or facial recognition). These factors must be designed to remain independent, such that compromise of one does not automatically enable breach of the others; a single endpoint, such as a user's device, can be fully controlled through malware or physical theft, allowing capture of isolated credentials without additional barriers. Authentication codes generated for transactions incorporate cryptographic methods like one-time passwords or digital signatures that resist forgery and replay, with dynamic linking to specific transaction details including amount, payee, and account numbers.

For card-not-present payments, the 3-D Secure 2.0 protocol implements SCA by facilitating data exchange between merchants, acquirers, and issuers, enabling frictionless authentication for low-risk transactions without user intervention. This involves sharing up to 150 data elements per transaction, such as device attributes, transaction history, and behavioral signals, for risk assessment, allowing approval if the fraud probability falls below predefined thresholds, while escalating to challenge flows (e.g., biometric or OTP) for higher risks to satisfy the two-factor requirement.

Secure communication protocols underpin SCA deployment, requiring Transport Layer Security (TLS) version 1.2 or equivalent to encrypt data in transit, providing confidentiality and integrity against interception or tampering. Tokenization replaces sensitive elements like primary account numbers with non-sensitive equivalents during transmission, minimizing exposure even if channels are partially compromised, since reconstructing full card data demands separate vault access.

Multi-factor enforcement addresses endpoint vulnerabilities directly: a single possession factor, for instance, fails against SIM-swapping or device malware that proxies inputs, but pairing it with a knowledge or inherence factor forces attackers to exploit uncorrelated vectors simultaneously, substantially raising the required resources and the likelihood of detection.

In open banking contexts under PSD2, SCA integrates with application programming interfaces (APIs) via dedicated secure interfaces that third-party providers (TPPs) use for payment initiation or account information services, embedding multi-factor checks at the consent and transaction stages. These APIs adhere to standardized protocols like OAuth 2.0 for authorization flows, combined with SCA elements to verify user intent, preventing unauthorized access while enabling TPPs to initiate dynamically linked payments without storing credentials. Compliance requires APIs to support real-time risk monitoring and fallback to challenge-based authentication if automated assessments deem risks elevated, preserving integrity across distributed systems.
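The dynamic linking described in Core Principles and Technical Mechanisms, as an added example that is not code from the page or from any card scheme or issuer: a device-held key produces a code over the exact amount, currency and payee, and the issuer recomputes it over the transaction it is about to execute. The device id, key, payee ids, amounts and the issuer-side key store are constructed assumptions.

```python
"""Dynamic linking of an authentication code to amount and payee.

Added example, not code from the page or from any card scheme or PSP.
The payer's registered device (possession factor) computes an HMAC over
the amount, currency and payee shown to the payer plus a one-time nonce;
the issuer recomputes it over the transaction it is about to execute.
Changing the amount or payee after the code was produced, or replaying
the nonce, makes verification fail.  Device id, key, payee ids and
amounts are constructed sample values; the key store is assumed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from decimal import Decimal


# Assumption: the issuer provisioned this key into the payer's device at
# enrolment and keeps its own copy indexed by device id (constructed key).
DEVICE_KEYS = {"device-42": bytes.fromhex("00112233445566778899aabbccddeeff")}


@dataclass(frozen=True)
class Transaction:
    amount: Decimal   # amount the payer agreed to
    currency: str     # ISO 4217 code, e.g. "EUR"
    payee: str        # merchant id or payee IBAN shown to the payer


def _canonical(tx: Transaction, nonce: bytes) -> bytes:
    """Unambiguous byte encoding: fixed decimals and a separator so that
    moving digits between fields cannot yield the same input."""
    fields = [f"{tx.amount:.2f}", tx.currency, tx.payee, nonce.hex()]
    return "|".join(fields).encode()


def generate_code(device_id: str, tx: Transaction, nonce: bytes) -> str:
    """Device side: a code valid only for this amount, payee and nonce."""
    return hmac.new(DEVICE_KEYS[device_id], _canonical(tx, nonce),
                    hashlib.sha256).hexdigest()


class Issuer:
    """Issuer side: recomputes the code over the transaction it will execute
    and rejects reused nonces so an intercepted code cannot be replayed."""

    def __init__(self) -> None:
        self._used_nonces: set[bytes] = set()

    def verify(self, device_id: str, tx: Transaction, nonce: bytes,
               code: str) -> bool:
        key = DEVICE_KEYS.get(device_id)
        if key is None or nonce in self._used_nonces:
            return False
        expected = hmac.new(key, _canonical(tx, nonce),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, code):
            return False
        self._used_nonces.add(nonce)   # consume the nonce only on success
        return True


def demo() -> tuple[bool, bool, bool, bool]:
    """Returns (amount tampered, payee swapped, genuine, replay) outcomes."""
    issuer = Issuer()
    nonce = secrets.token_bytes(16)
    agreed = Transaction(Decimal("49.90"), "EUR", "MERCHANT-SHOP-01")
    code = generate_code("device-42", agreed, nonce)

    # An intermediary altering the transaction after the payer approved it
    bigger = Transaction(Decimal("4990.00"), "EUR", "MERCHANT-SHOP-01")
    other_payee = Transaction(Decimal("49.90"), "EUR", "PAYEE-OTHER-99")
    amount_tampered = issuer.verify("device-42", bigger, nonce, code)
    payee_swapped = issuer.verify("device-42", other_payee, nonce, code)

    genuine = issuer.verify("device-42", agreed, nonce, code)
    replay = issuer.verify("device-42", agreed, nonce, code)
    return amount_tampered, payee_swapped, genuine, replay


if __name__ == "__main__":
    print(demo())  # (False, False, True, False)
```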

Compliance Strategies

Payment service providers (PSPs) and merchants implement risk-based authentication (RBA) to fulfill strong customer authentication (SCA) mandates under PSD2 by analyzing transaction-specific risks and enforcing SCA selectively for elevated threats, thereby minimizing user friction for low-risk interactions. This method uses algorithms trained on historical fraud datasets, incorporating factors like device attributes, geolocation inconsistencies, and behavioral signals to generate real-time risk scores.

Delegated authentication frameworks shift the SCA responsibility to card issuers, enabling merchants to offload technical integration while ensuring regulatory adherence through issuer-managed verification. Visa's delegated model, introduced for tokenized transactions, relies on issuer decisions to authenticate without merchant-side prompts, as outlined in its PSD2 implementation guidance effective December 2020. Similarly, Mastercard's Delegated Authentication for Merchants, available via its developer platform, supplies cryptographic evidence of prior SCA to support seamless repeat payments and reduce abandonment rates.

Testing and certification protocols, aligned with European Banking Authority (EBA) guidelines on SCA elements, require PSPs to validate authentication systems through scheme-specific assessments from Visa and Mastercard, including protocol compliance and fallback mechanisms. By mid-2021, these efforts yielded compliance rates exceeding 90% across major European markets, with 94% of payment cards SCA-enabled and 99% of merchants equipped to process compliant transactions.

Exemptions and Risk-Based Approaches

Under the Revised Payment Services Directive (PSD2), exemptions from strong customer authentication (SCA) are stipulated in the Regulatory Technical Standards (RTS) to reconcile enhanced security with practical usability, permitting payment service providers (PSPs) to forgo SCA for specified low-risk scenarios provided that monitoring confirms minimal fraud. These include transaction risk analysis (TRA), low-value payments, secure corporate processes, trusted beneficiaries, and recurring transactions, with PSPs required to maintain quarterly fraud rate assessments to validate exemption eligibility.

The TRA exemption, outlined in Article 18 of the RTS, allows PSPs to bypass SCA for remote electronic payments deemed low-risk via real-time analysis. It applies to transactions up to exemption threshold values (ETVs) of €100, €250, or €500 depending on the tier, where the PSP's fraud rate must remain below the reference level for that tier (for instance, no more than 0.13% of transaction value for card-based payments of €100 or less, or 0.06% for €250 or less), calculated over recent quarters, and the transaction must show no abnormal patterns or high-risk indicators. Low-value exemptions under Article 16 apply to remote transactions of €30 or less, provided that the cumulative amount since the last SCA does not exceed €100 or that no more than five consecutive transactions have occurred since the last SCA. Secure corporate processes (Article 17) exempt payments by legal entities using dedicated, authority-verified secure interfaces; trusted beneficiaries (Article 13) permit exemption for subsequent payments to pre-designated payees after an initial SCA; and recurring payments (Article 14) waive SCA for follow-on fixed-amount transactions after the setup transaction.

These mechanisms, especially the TRA and recurring exemptions, mitigate user friction by enabling seamless processing for routine low-risk activities, thereby curbing cart abandonment; industry assessments indicate that unmitigated SCA enforcement could reduce transaction acceptance rates by around 20% due to the added steps. Exemptions avert excessive regulatory burdens that could stifle legitimate commerce, yet European Banking Authority (EBA) data from 2022 monitoring, covering 32% of remote card transactions, reveal elevated fraud rates in exempted categories such as merchant-initiated transactions (MITs), exceeding 0.1% by value for MITs and mail or telephone orders, surpassing the rates in SCA-compliant flows and signaling potential dilution of the regime's protection if fraud detection lapses or exemptions are over-applied without rigorous controls. The EBA attributes this to fraudster adaptation, recommending intensified monitoring to preserve the exemptions' risk-based integrity without undermining SCA's core deterrent against unauthorized access.
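The exemption rules above turned into a single decision function, as an added example that is not code from the page or from any PSP. The TRA reference rates for the €100 and €250 tiers are those quoted on the page; the 0.01% rate for the €500 tier is the RTS figure and is not quoted on the page. The check ordering, the 0.5 risk threshold, the application of both Article 16 caps together, and all quarterly figures are constructed assumptions of this example.

```python
"""PSD2 RTS exemption decision for a remote card payment.

Added example, not code from the page or from any PSP.  It evaluates the
exemptions in this order: recurring transaction (Art. 14), trusted
beneficiary (Art. 13), low value (Art. 16), transaction risk analysis
(Art. 18), and otherwise requires SCA.  TRA reference fraud rates: 0.13%
up to EUR 100 and 0.06% up to EUR 250 (quoted on the page) plus 0.01% up
to EUR 500 (RTS figure, not on the page).  Ordering, the 0.5 risk
threshold, applying both Art. 16 caps, and the sample data are assumptions.
"""
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Optional

# Article 18 tiers as (exemption threshold value, reference fraud rate).
TRA_TIERS = [(Decimal("100"), Decimal("0.0013")),
             (Decimal("250"), Decimal("0.0006")),
             (Decimal("500"), Decimal("0.0001"))]


@dataclass
class QuarterStats:
    """Value of fraudulent and of all remote card payments in one quarter."""
    fraud_value: Decimal
    total_value: Decimal


@dataclass
class PayerState:
    """What the PSP remembers about one payer between SCA applications."""
    low_value_sum: Decimal = Decimal("0")   # Art. 16 cumulative amount
    low_value_count: int = 0                # Art. 16 consecutive count
    trusted_payees: set = field(default_factory=set)       # Art. 13
    recurring_setups: dict = field(default_factory=dict)   # Art. 14

    def setup_recurring(self, payee: str, amount) -> None:
        """Record a fixed-amount recurring payment set up under SCA."""
        self.recurring_setups[payee] = Decimal(str(amount))


def sample_quarters() -> list:
    """Constructed figures: EUR 8 of fraud on EUR 20,000 => 0.04% rate."""
    return [QuarterStats(Decimal("5"), Decimal("10000")),
            QuarterStats(Decimal("3"), Decimal("10000"))]


def tra_limit(quarters: list) -> Decimal:
    """Highest ETV whose reference rate the PSP's own fraud rate meets."""
    fraud = sum((q.fraud_value for q in quarters), Decimal("0"))
    total = sum((q.total_value for q in quarters), Decimal("0"))
    if total == 0:
        return Decimal("0")          # no history: no TRA exemption
    rate = fraud / total
    limit = Decimal("0")
    for etv, reference in TRA_TIERS:  # tiers ascend; keep the last one met
        if rate <= reference:
            limit = etv
    return limit


def decide(amount, payee: str, state: PayerState, quarters: list,
           risk_score: float, risk_threshold: float = 0.5) -> Optional[str]:
    """Return the exemption applied, or None when SCA must be performed.
    amount is EUR as str or Decimal; risk_score is the PSP's real-time
    fraud probability for this transaction (assumed in 0..1)."""
    amount = Decimal(str(amount))
    # Art. 14: follow-on payment of the fixed amount set up under SCA
    if state.recurring_setups.get(payee) == amount:
        return "recurring"
    # Art. 13: payee whitelisted by the payer under SCA
    if payee in state.trusted_payees:
        return "trusted_beneficiary"
    # Art. 16: <= EUR 30, at most EUR 100 in total since the last SCA, and
    # fewer than five exempted transactions since then (both caps applied)
    if (amount <= 30 and state.low_value_sum + amount <= 100
            and state.low_value_count < 5):
        state.low_value_sum += amount
        state.low_value_count += 1
        return "low_value"
    # Art. 18: within the ETV the PSP's fraud rate earns, and scored low risk
    if amount <= tra_limit(quarters) and risk_score < risk_threshold:
        return "transaction_risk_analysis"
    return None


def after_sca(state: PayerState) -> None:
    """Reset the Art. 16 counters once SCA has actually been applied."""
    state.low_value_sum = Decimal("0")
    state.low_value_count = 0
```

A None result means the PSP must step up to a challenge; in a real deployment the counters would be keyed per payment instrument and persisted, not held in memory.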

Historical Development

Origins in Payment Security

The growth of online commerce drove a surge in card-not-present (CNP) transactions, which bypass physical card inspection and rely primarily on static details like card numbers and CVV codes for verification. This shift exposed vulnerabilities in legacy authentication, as fraudsters exploited remote access without multi-layered checks, with CNP fraud coming to comprise nearly 80% of total card fraud volume. In the SEPA area, card fraud reached €1.3 billion in value in 2012, reflecting a 15% year-over-year increase in cases to 9 million incidents, predominantly fueled by CNP schemes.

Single-factor methods, such as magnetic stripe data for point-of-sale (POS) transactions, stored unchanging track information that could be easily skimmed or cloned using inexpensive devices, resulting in annual global losses exceeding $1 billion from skimming alone. For CNP payments, the printed CVV (CVV2) provided minimal additional security, as it remained constant and was susceptible to compromise through phishing, keyloggers, or merchant data leaks, with no dynamic validation against real-time risks such as malware infection. These limitations ignored the underlying causal pathways of fraud, such as network intrusions enabling bulk data theft, and allowed attackers to replicate credentials en masse for unauthorized use.

A stark illustration occurred in the 2013 Target breach, where attackers accessed POS systems via stolen vendor credentials, extracting magnetic stripe data from approximately 40 million credit and debit cards over three weeks during the holiday season. The static nature of stripe-encoded details, including CVV1, facilitated card cloning for both POS and CNP fraud, underscoring how reliance on knowledge-based factors alone failed to mitigate breaches originating from third-party access or unpatched vulnerabilities. Such incidents, coupled with persistent CNP escalation, demonstrated the inadequacy of pre-multi-factor protocols against adaptive threats such as endpoint compromises.

PSD2 Introduction and Timeline

The Second Payment Services Directive (PSD2), formally Directive (EU) 2015/2366, was adopted by the European Parliament and the Council on 25 November 2015 to revise and expand the original PSD framework, aiming to enhance consumer protection, foster competition in payment services, and mandate secure authentication for electronic payments. It entered into force on 12 January 2016, with European Economic Area (EEA) member states required to transpose its provisions into national law by 13 January 2018. Article 97 of PSD2 specifically introduced requirements for strong customer authentication (SCA), stipulating that payment service providers must apply authentication based on at least two distinct factors, knowledge (something only the user knows), possession (something only the user has), and inherence (something the user is), for initiating electronic payments and accessing payment accounts, unless exemptions applied.

To operationalize SCA, the European Banking Authority (EBA) was mandated under PSD2 to develop Regulatory Technical Standards (RTS). The EBA launched public consultations on draft RTS in 2016, incorporating feedback from stakeholders on technical feasibility and implementation burdens, before submitting the final draft to the European Commission in June 2017. The Commission endorsed the RTS in November 2017; they were published in the Official Journal and became applicable from 14 September 2019, aligning with the end of the two-year transposition period plus an 18-month transition period for SCA enforcement.

Initial SCA application was set for January 2018 alongside transposition, but widespread industry concerns over readiness, cited in consultations as risks to payment infrastructure stability, prompted delays. The EBA permitted national competent authorities to grant extensions of up to 18 months (to March 2021), or further for low-risk transactions, resulting in staggered enforcement across most EEA states by December 2020. This phased approach, informed by assessments of sector preparedness, mitigated potential disruptions such as transaction failures during peak rollout.

In the United Kingdom, PSD2 transposition occurred on 13 January 2018, enabling the launch of Open Banking under the Competition and Markets Authority's oversight, but Brexit complicated SCA alignment with EU timelines. After the transition period, UK regulators enforced full SCA compliance from October 2021, integrating it with domestic standards to address certification and regulatory divergences from the EEA.

Rollout Challenges and Delays

The implementation of strong customer authentication (SCA) under PSD2 encountered significant technical hurdles, particularly in integrating two-factor authentication elements such as biometrics, hardware tokens, or dynamic linking with existing payment infrastructures. Payment service providers (PSPs) faced challenges in upgrading legacy systems to comply with the Regulatory Technical Standards (RTS) on SCA, including the adoption of 3-D Secure 2.0 protocols and secure communication channels, which required extensive testing and coordination among banks, merchants, and third-party providers. These integration complexities contributed to widespread unreadiness, prompting the European Banking Authority (EBA) to issue an opinion in October 2019 recommending a maximum enforcement delay until 31 December 2020 for full migration to SCA in e-commerce card-based payments, allowing PSPs additional time to address operational risks without immediate penalties.

National interpretations and enforcement timelines varied, exacerbating rollout fragmentation. In the United Kingdom, the Financial Conduct Authority (FCA) initially delayed SCA enforcement to 14 March 2021 amid industry preparation gaps, and further extended it to 14 September 2021, citing disruptions that hindered testing and deployment. In contrast, Sweden's Finansinspektionen enforced SCA without a transitional period from 14 September 2019, adhering strictly to PSD2 timelines and declining general exemptions that could prolong vulnerabilities in payment security. These divergent approaches, rooted in national competent authorities' discretion under EBA guidelines, resulted in uneven compliance by mid-2020, with some jurisdictions granting temporary derogations for low-value or low-risk transactions while others prioritized immediate application, thereby extending periods of inconsistent fraud mitigation across the EEA.

Cross-border inconsistencies further complicated the rollout, as varying national transpositions of PSD2 led to mismatched exemption criteria and authentication protocols. Post-Brexit divergences between the United Kingdom and the EU amplified these issues, with UK PSPs operating under extended FCA timelines clashing with stricter EBA-enforced deadlines in the EEA, creating barriers for multinational merchants and exposing transactions to regulatory arbitrage. Bureaucratic delays in harmonizing these interpretations, including prolonged consultations on exemptions such as transaction risk analysis, sustained elevated fraud exposure in non-compliant channels, as PSPs navigated fragmented supervisory expectations rather than uniform standards. The EBA's refusal of additional EU-wide extensions beyond December 2020 underscored the tension between regulatory ambition and practical feasibility, forcing accelerated adaptations that strained resources without resolving the underlying coordination failures.

Effectiveness and Empirical Impact

Fraud Reduction Metrics

Transactions authenticated via strong customer authentication (SCA) under PSD2 exhibit markedly lower fraud rates than non-SCA transactions across payment instruments in the European Economic Area (EEA). According to the joint European Banking Authority (EBA) and European Central Bank (ECB) report on payment fraud, SCA-authenticated card payments recorded a fraud rate of 0.017% of transaction value in the first half of 2023, roughly half the 0.034% rate for non-SCA card payments. This disparity holds particularly for remote electronic payments, where card-not-present (CNP) fraud accounted for 82% of card fraud value in the same period, with SCA implementation credited with mitigating such losses through enforced multi-factor verification.

Overall payment fraud in the EEA totaled €4.3 billion in 2022, with card fraud stable at €633 million in the first half of 2023 despite rising transaction volumes, attributable in part to SCA's effect in curbing unauthorized CNP initiations. Credit transfers, 77% SCA-authenticated by value in early 2023, showed fraud rates as low as 0.001%, underscoring SCA's role in keeping unauthorized transaction rates well below the exemption thresholds set in the PSD2 regulatory technical standards (typically 0.1-0.2% depending on transaction value).

While SCA has reduced authorization-stage fraud, empirical data indicate a partial shift toward pre-authentication attacks, such as account takeovers, which comprised a growing share of "other" fraud categories in 2022-2023 reporting. Over 92% of card fraud involved fraudster-initiated transactions, but SCA compliance exceeded 65% of card payment value by mid-2023, correlating with stabilized or declining CNP fraud volumes post-rollout compared to pre-PSD2 baselines.

Economic Costs and Benefits

Implementation of strong customer authentication (SCA) under PSD2 has entailed substantial one-off costs across the EU, estimated at €5 billion for the SCA rollout alone, encompassing upgrades to authentication systems, integration with protocols like 3DS 2.1, and compliance testing for payment service providers. These expenses have disproportionately burdened small and medium-sized enterprises (SMEs), which face ongoing annual compliance costs including maintenance and transaction monitoring, often exceeding €278 million EU-wide for banks, plus operational burdens such as per-transaction fees for methods like one-time passwords (approximately €0.05 each). In low-fraud sectors, cost-effectiveness remains questionable, as stakeholders report that PSD2 implementation costs have overshadowed perceived benefits, with limited scalability for smaller firms lacking resources for advanced risk-based exemptions.

On the benefits side, SCA facilitates a liability shift under PSD2, whereby payment service providers applying SCA assume fraud responsibility, reducing merchant losses from unauthorized transactions that previously fell under acquirer liability. Empirical data indicate annual fraud savings of €900 million EU-wide attributable to SCA, with reductions in remote payment fraud risk of 60% for card transactions and up to 80% for e-money, alongside observed drops of 40% in account takeover attacks for major providers. These prevention gains have been modeled to yield net savings over time by curbing chargebacks and enhancing trust, though short-term analyses reveal trade-offs where SCA-induced transaction failures contributed to €33.5 billion in merchant business losses during the initial rollout period (2020-2021).

Causal analysis underscores deadweight losses from SCA's friction, as evidenced by a projected €57 billion in forgone economic activity from cart abandonment if exemptions are not optimized, diverting resources from innovation toward regulatory adherence and slowing adaptation in markets with stringent mandates compared to those employing lighter authentication regimes. While PSD2's broader provisions spurred a 70% rise in new PayTech startups, SCA-specific compliance has imposed asymmetric costs that hinder agility for entities in high-friction environments, prioritizing enforcement over efficiency gains in low-risk scenarios. Overall, cost-benefit evaluations highlight that fraud mitigation benefits accrue primarily to issuers and consumers, while merchants and SMEs endure disproportionate ongoing economic burdens, with net positive returns contingent on effective risk-based exemptions to minimize abandonment.

User Experience Data

Following the enforcement of strong customer authentication (SCA) requirements under PSD2, online merchants experienced initial spikes in cart abandonment rates of roughly 10-20%, primarily due to the added friction of mandatory two-factor verification steps. Surveys of merchants indicate that 38% identified increased cart abandonment as a major consequence of SCA implementation, often linked to drop-off during prolonged checkout processes. These effects were particularly pronounced in high-volume environments, where even minor delays in authentication prompted users to exit transactions.

Risk-based exemptions and frictionless authentication flows, such as the low-value or trusted beneficiary exemptions, have subsequently reduced the abandonment impact, enabling merchants to maintain higher completion rates by applying SCA selectively to higher-risk payments. Biometric methods, including fingerprint and facial recognition, have demonstrated superior outcomes over traditional one-time password (OTP) alternatives, with their adoption yielding 2-3 percentage point increases in transaction success rates by minimizing manual input errors and delays.

Despite these mitigations, SCA's authentication challenges have drawn criticism for exacerbating usability barriers for elderly consumers and other individuals who report higher rates of failed attempts with app-based or SMS-delivered OTPs than with integrated biometrics. The introduced friction also correlates with diminished impulse buying, as interrupted checkout flows reduce spontaneous completions, with up to 26% of users abandoning carts they perceive as overly complex or time-consuming. Overall, while seamless SCA variants foster greater consumer tolerance, persistent step-up prompts contribute to a net usability trade-off, balancing enhanced security against measurable declines in transaction fluidity.

Criticisms and Limitations

Friction and Conversion Impacts

SCA's mandatory authentication challenges introduce substantial friction into online payment flows, leading to documented reductions in conversion rates. Industry reports have recorded drops of up to 20% in conversion rates for marketplaces implementing SCA, as the additional verification steps disrupt the seamless checkout experience essential for completing transactions. This effect is particularly pronounced for high-velocity merchants in sectors such as retail, where rapid processing is standard and any interruption amplifies abandonment risks. The primary mechanisms driving this friction stem from the required dynamic linking elements, such as one-time passwords (OTPs) bound to a specific amount and payee, which necessitate user input and verification pauses. SMS-based OTP delivery, a common fallback method, incurs average delays of 15 to 45 seconds for message receipt alone, compounded by entry time, resulting in heightened user frustration and mid-process exits. Authentication flows dependent on such SMS OTPs exhibit abandonment rates reaching 30%, as consumers perceive the added effort as disproportionate to the transaction's value. These usability barriers incentivize behavioral adaptations, including shifts to lower-friction alternatives where exemptions apply or complete withdrawal from the purchase, as empirical patterns in decision-making reveal a low tolerance for procedural delays in high-stakes digital interactions. Consequently, the friction not only erodes immediate sales but also fosters long-term evasion strategies among users, diminishing the practical reach of SCA protocols in competitive markets.
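Dynamic linking is the mechanism behind the OTP step described above: the authentication code commits to the amount and payee, so a code phished or altered for a different transaction fails verification at the issuer. The following is an added Python illustration, not code from the page or from any payment service provider; the HMAC construction, the field encoding, the device key and the sample IBANs are constructed for the example.

```python
"""Dynamic linking of an SCA authentication code to the amount and payee.

Added illustration, not a PSP's real scheme: the HMAC construction, the field
encoding and the sample key and IBANs are constructed for this example."""
import hashlib
import hmac
from decimal import Decimal

DIGITS = 8  # length of the code the payer reads and types

# Constructed sample values. A real issuer holds the key server-side and in the
# payer's registered device (the possession factor).
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_IBAN = "DE89 3704 0044 0532 0130 00"   # widely published example IBAN
OTHER_IBAN = "GB82 WEST 1234 5698 7654 32"    # widely published example IBAN


def _canonical(amount, currency, payee_iban, nonce):
    """Fixed, delimited layout so one byte string maps to exactly one
    (amount, currency, payee, nonce) tuple."""
    fields = [f"{Decimal(amount):.2f}", currency.upper(),
              payee_iban.replace(" ", "").upper(), nonce]
    return "|".join(fields).encode()


def auth_code(key, amount, currency, payee_iban, nonce):
    """Code shown to the payer beside the amount and payee it commits to."""
    msg = _canonical(amount, currency, payee_iban, nonce)
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(tag[:8], "big") % 10**DIGITS).zfill(DIGITS)


def verify_auth_code(key, amount, currency, payee_iban, nonce, code, used_nonces):
    """Issuer-side check over the transaction the PSP actually received;
    a nonce is consumed on success so the same code cannot be replayed."""
    if nonce in used_nonces:
        return False
    ok = hmac.compare_digest(auth_code(key, amount, currency, payee_iban, nonce), code)
    if ok:
        used_nonces.add(nonce)
    return ok


def demo():
    """Tampered amount or payee and replays fail; the genuine entry passes."""
    used, nonce = set(), "txn-0001"   # nonce would be random per transaction
    code = auth_code(DEVICE_KEY, "49.99", "EUR", SAMPLE_IBAN, nonce)
    check = lambda amt, iban: verify_auth_code(DEVICE_KEY, amt, "EUR", iban, nonce, code, used)
    return {
        "amount_tampered": check("499.99", SAMPLE_IBAN),  # amount altered in transit
        "payee_tampered": check("49.99", OTHER_IBAN),
        "legitimate": check("49.99", SAMPLE_IBAN),
        "replayed": check("49.99", SAMPLE_IBAN),
    }
```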

Regulatory Overreach Concerns

Compliance with strong customer authentication (SCA) requirements under the Revised Payment Services Directive (PSD2) has placed a disproportionate burden on small and medium-sized enterprises (SMEs), exacerbating operational challenges and potentially reinforcing incumbents' market dominance. Ecosystem-wide implementation costs for SCA are estimated at approximately €5 billion in one-off expenditures, including development and integration, with smaller firms experiencing amplified impacts due to resource constraints and the absence of proportionality in regulatory demands. Legal uncertainties arising from divergent national implementations further elevate these costs, identified as the primary expense driver for SMEs, prompting some smaller payment service providers to exit the market altogether. This uneven cost distribution is contended to disadvantage agile newcomers, as larger banks leverage their scale to comply more readily, thereby limiting competitive dynamics in payment services. PSD2's mandatory API standards and prescriptive SCA rules have drawn criticism for impeding innovation by imposing rigid technical and licensing hurdles that delay product development and market entry. Pre-implementation uncertainties, such as those surrounding the UK's transposition of PSD2 in 2016, were highlighted by businesses as actively stifling innovation while compliance pathways remained unsettled. The directive's emphasis on standardized interfaces restricts banks' ability to evolve tailored proprietary systems, while overly detailed regulatory technical standards constrain experimentation with low-friction alternatives such as advanced analytics or behavioral biometrics. Such constraints are argued to favor compliance over creativity, particularly for resource-limited startups navigating complex licensing processes for third-party providers. A core concern is that PSD2's one-size-fits-all mandates undervalue adaptive, market-led innovations, prioritizing regulatory uniformity over tailored solutions that could balance fraud mitigation with minimal disruption.
Critics assert that prescriptive requirements overlook how voluntary adoption of risk-based authentication in less regulated environments can yield effective outcomes without mandating universal friction, potentially fostering greater efficiency and innovation. This approach risks over-regulation by amplifying administrative loads, such as excessive reporting and supervisory divergences, without commensurate evidence of superior long-term gains relative to flexible frameworks.

Evasion and Adaptation by Fraudsters

Fraudsters have responded to strong customer authentication (SCA) by pivoting to social engineering tactics that exploit user behavior rather than technical vulnerabilities in authentication protocols. Techniques such as real-time phishing of one-time passwords (OTPs), or coercing victims into approving prompts for fraudulent transactions, have proliferated, as SCA relies on user possession of devices and knowledge of credentials, both of which can be coerced or intercepted during the authentication window. Industry analyses indicate this shift has driven a rise in authorized push payment (APP) scams and related impersonation fraud, where victims are manipulated into completing SCA-compliant actions themselves. Account takeover (ATO) incidents, often facilitated by compromised credentials combined with intercepted OTPs, have increased post-SCA rollout, underscoring the protocol's limitations against persistent credential compromise. Reports from fraud intelligence firms document ATO attack rates surging 122% year-over-year during Q3 2025, with broader consumer victimization rising from 18% in 2023 to 24% in 2024, as criminals adapt by targeting pre-authentication stages or exploiting device possession. Global inconsistencies in SCA enforcement enable regulatory arbitrage, where fraudsters redirect operations to non-compliant regions outside the EEA, displacing rather than eliminating fraud. Regulators have noted this vulnerability, emphasizing that uneven adoption undermines deterrence and allows cross-border exploitation of weaker jurisdictions. SCA offers limited protection against friendly fraud, where legitimate account holders initiate and later dispute transactions, and against insider threats, such as unauthorized use by family members or devices compromised by malware that preserves possession-factor integrity while bypassing behavioral scrutiny. These gaps highlight SCA's focus on transaction initiation over ongoing session monitoring, permitting evasion through human or environmental factors inherent to the model.

Future Directions

PSD3 and PSR Reforms

The Payment Services Directive 3 (PSD3), proposed by the European Commission on 28 June 2023, seeks to refine the strong customer authentication (SCA) requirements introduced under PSD2 by introducing greater flexibility, including the delegation of authentication processes to qualified third parties while mandating that payment service providers (PSPs) retain ultimate control and liability for compliance. This delegated model allows issuers to outsource elements of SCA, such as biometric or device-bound verification, to merchants, acquirers, or specialized providers, potentially streamlining low-risk transactions without requiring full two-factor challenges on every initiation. PSD3 also explicitly accommodates emerging authentication technologies like passkeys, which leverage public-key cryptography for phishing-resistant, device-synced verification, positioning them as compliant alternatives to traditional knowledge- or possession-based factors. Refinements to exemption criteria, such as expanded transaction risk analysis thresholds and low-value payment waivers, aim to promote inclusivity for vulnerable users while addressing PSD2-era feedback on excessive friction, with implementation targeted for 2026 or later pending trilogue agreement expected in late 2025. Complementing PSD3, the proposed Payment Services Regulation (PSR), envisioned as directly applicable law without transposition delays, enhances fraud mitigation through mandatory incident reporting within four hours for significant breaches and a dedicated liability regime shifting responsibility to PSPs for authorized push payment (APP) scams exceeding €50,000. These measures build on empirical data from 2022–2024, where SCA reduced card-not-present fraud by up to 80% in compliant jurisdictions but correlated with 10–20% cart abandonment rates due to authentication hurdles, prompting regulators to prioritize dynamic risk assessments over rigid two-factor mandates.
PSR further mandates that PSPs implement dedicated APP prevention frameworks, including real-time monitoring and customer education, to curb the evasion tactics observed in post-PSD2 fraud patterns. PSD3 and PSR also address intersections with the Markets in Crypto-Assets Regulation (MiCA), effective from June 2023, by classifying certain crypto-asset transfers as payment services subject to SCA where fiat on-ramps occur, with the European Banking Authority advising national authorities to enforce PSD rules on crypto exchanges to prevent fraud leakage. This interplay ensures consistent liability for hybrid transactions, responding to rising crypto-related scams documented in 2023–2024 Europol reports, while avoiding overreach into pure asset transfers under MiCA's custody rules. Overall, these reforms reflect a data-driven pivot toward adaptive, user-centric security, informed by PSP consultations highlighting SCA's trade-offs between fraud suppression and conversion efficiency.

Integration with Emerging Tech

Strong customer authentication (SCA) protocols are increasingly incorporating passkeys based on the FIDO2 standard, which enables phishing-resistant delegated authentication by binding cryptographic keys to specific domains and devices, thereby serving as a possession factor or replacing traditional knowledge-based elements like passwords. This integration allows for outcome-based SCA, where a successful passkey assertion confirms transaction legitimacy without additional steps in low-risk scenarios, as demonstrated in European payment pilots. Industry analyses from 2025 highlight that such implementations effectively neutralize AI-generated phishing attempts, which exploit traditional multi-factor methods, by ensuring credentials never traverse networks in transferable form. Biometric technologies, including facial recognition and behavioral analysis, augment SCA as inherence factors, often combined with device-bound elements to satisfy two-factor requirements while minimizing user friction. Emerging pilots integrate AI-based liveness detection to counter spoofing, addressing causal vulnerabilities like presentation attacks that undermine static biometrics; for instance, dynamic behavioral biometrics evaluate session anomalies in real time, enabling risk-adapted exemptions from full SCA challenges. These approaches prioritize root-cause mitigation over superficial layering, such as verifying ongoing user presence rather than relying solely on initial enrollment scans, though adoption lags due to practical hurdles in cross-device ecosystems. AI-driven enhancements to risk-based authentication (RBA) within SCA frameworks refine dynamic scoring by analyzing transaction velocity, geolocation discrepancies, and device fingerprints, permitting exemptions for transactions below elevated risk thresholds as provided for by the PSD2 exemptions.
Verifiable 2024 deployments in banking consortia have shown AI models reducing unnecessary authentication prompts by integrating with SCA exemptions, though empirical gains vary with the quality of model training data and remain susceptible to adversarial inputs mimicking legitimate behavior. To address root causes rather than symptoms, these systems must evolve beyond correlative signals, such as IP anomalies, to detect device-level compromises, such as data exfiltration by malware, integrating endpoint telemetry for holistic assessment rather than isolated factors.
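The RBA exemption logic sketched in this paragraph (velocity, geolocation and device signals feeding a score that gates a PSD2 exemption, with a full SCA challenge as the fallback) as an added Python example; it is not code from the page or from any PSP. The signal weights and the 0.5 threshold are constructed, while the amount bands and reference fraud rates are those of the PSD2 regulatory technical standards (Article 16 low-value exemption, Article 18 transaction risk analysis).

```python
"""Risk-based exemption decision for a remote card payment under PSD2.

Added example, not the page's or any PSP's code. Signals follow the page's
description (velocity, geolocation mismatch, device); weights and the 0.5
threshold are constructed. Amount bands and reference fraud rates are those
of the PSD2 RTS (Art. 16 low-value, Art. 18 transaction risk analysis)."""
from dataclasses import dataclass
from decimal import Decimal

# Art. 18: a PSP may exempt remote card payments up to the highest band whose
# reference fraud rate its own rolling fraud rate does not exceed.
TRA_BANDS = [  # (exemption threshold value, reference fraud rate as a fraction)
    (Decimal("500"), Decimal("0.0001")),   # 0.01 %
    (Decimal("250"), Decimal("0.0006")),   # 0.06 %
    (Decimal("100"), Decimal("0.0013")),   # 0.13 %
]
# Art. 16: low-value remote payments; counters reset each time SCA is applied.
# Both counters are applied here, which is stricter than the RTS requires.
LOW_VALUE_MAX, LOW_VALUE_CUMULATIVE, LOW_VALUE_COUNT = Decimal("30"), Decimal("100"), 5


@dataclass
class Txn:
    amount: Decimal
    new_device: bool = False          # device fingerprint not seen for this account
    country_mismatch: bool = False    # IP geolocation differs from the card's country
    txns_last_hour: int = 0           # transaction velocity on the card
    cum_since_last_sca: Decimal = Decimal("0")
    count_since_last_sca: int = 0


def tra_ceiling(psp_fraud_rate):
    """Highest exemption threshold the PSP's fraud rate qualifies for, or None."""
    for etv, ref_rate in TRA_BANDS:
        if psp_fraud_rate <= ref_rate:
            return etv
    return None


def risk_score(t):
    """Constructed additive score in [0, 1]; a production RBA model is trained."""
    score = 0.4 * t.new_device + 0.3 * t.country_mismatch + 0.3 * (t.txns_last_hour > 3)
    return min(score, 1.0)


def decide(t, psp_fraud_rate, risk_threshold=0.5):
    """Return 'exempt:low-value', 'exempt:tra' or 'challenge' (full SCA)."""
    if (t.amount <= LOW_VALUE_MAX
            and t.cum_since_last_sca + t.amount <= LOW_VALUE_CUMULATIVE
            and t.count_since_last_sca < LOW_VALUE_COUNT):
        return "exempt:low-value"
    ceiling = tra_ceiling(psp_fraud_rate)
    if ceiling is not None and t.amount <= ceiling and risk_score(t) < risk_threshold:
        return "exempt:tra"
    return "challenge"   # any doubt falls back to a full two-factor challenge
```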

Global Adoption

European Enforcement

The enforcement of strong customer authentication (SCA) under PSD2 varied across European Economic Area (EEA) countries and the United Kingdom, with national competent authorities implementing phased rollouts amid initial delays. In the UK, the Financial Conduct Authority extended the deadline for SCA on e-commerce transactions to 14 March 2022, marking full enforcement after prior postponements from 2021 targets. Other member states also experienced implementation challenges, with full compliance ramp-ups extending into 2021-2022 due to difficulties in adapting payment infrastructures to SCA requirements. The European Banking Authority (EBA) provided oversight through guidelines and monitoring, ensuring progressive alignment, as most EEA states achieved mandatory enforcement by mid-2021. Cross-border payments within the Single Euro Payments Area (SEPA) benefit from mutual recognition of SCA compliance among EEA participants, facilitating seamless authentication for euro-denominated transfers. Post-Brexit, the UK retained SEPA scheme participation, but transactions between UK and EEA entities introduced complications, including the need for firms to adhere to separate regulatory technical standards for SCA, potentially increasing friction in authentication processes. Empirical data indicate that stricter enforcement correlates with reduced fraud in high-compliance jurisdictions. In the Netherlands, where SCA was rigorously applied early, online banking and card payment fraud declined significantly following implementation, contributing to overall EEA trends in which SCA-authenticated transactions exhibited fraud rates 40-60% lower than non-SCA ones by 2023. The EBA's monitoring confirmed these outcomes, with card fraud rates for SCA-protected payments averaging below 0.03% of transaction value in the first half of 2023.
In the United States, no federal mandate equivalent to Europe's SCA has been enacted as of October 2025; online payment security is instead driven by voluntary implementation of EMVCo's 3-D Secure (3DS) protocols and by multi-factor requirements under state-level regulations, such as the New York Department of Financial Services cybersecurity rules mandating MFA for certain high-risk access. Adoption of 3DS 2.0 continues to expand, supported by network incentives from Visa and Mastercard, amid projections that U.S. payers will increasingly encounter frictionless flows as global norms pressure domestic issuers and acquirers. India's Unified Payments Interface (UPI), handling billions of monthly transactions, functions with de facto strong authentication via Aadhaar-linked biometrics, including fingerprint and face recognition for PIN-less approvals introduced in October 2025, which verify user identity against government-issued biometric databases without relying on traditional two-factor elements like knowledge-based secrets. This approach has facilitated UPI's dominance in low-value transfers while maintaining fraud losses below 0.01% of transaction volume as reported for fiscal year 2024-25. Australia's New Payments Platform (NPP), launched in 2018 for real-time account-to-account transfers, incorporates voluntary strong customer authentication options such as biometrics and one-time passcodes, but lacks SCA-style mandates, relying instead on issuer-led risk assessments and data-sharing consortia to curb authorized push payment fraud. NPP volumes exceeded 30% of non-cash payments by mid-2025, with fraud rates for real-time transactions averaging under 0.05% through enhanced monitoring rather than universal multi-factor authentication.
Visa and Mastercard have accelerated the global rollout of 3DS 2.0 protocols beyond Europe, achieving transaction volumes of $14.1 billion for Visa Secure in fiscal year 2023 with fraud reductions of up to 70% compared to non-3DS flows, yet merchant resistance persists due to integration expenses estimated at 1-2% of revenue for small businesses and potential authorization rate dips from added steps. Empirical outcomes in the mandate-light regimes described above indicate that low fraud persistence, often below 0.1% across digital payments, stems more from ecosystem-wide defenses, including real-time analytics and biometric prevalence, than from SCA's prescriptive two-element verification, challenging attributions of Europe's card fraud decline exclusively to regulatory coercion.
