On 14 September 2019, the Strong Customer Authentication (SCA) requirements under the EU's revised Payment Services Directive (PSD2) officially took effect. The regulation required that electronic payments be authenticated using at least two of three factors: something the customer knows (password or PIN), something the customer possesses (phone or card), and something the customer is (biometric).
What SCA Required
For online card payments, SCA effectively mandated two-factor authentication for most transactions. The previous single-factor approach - entering a card number, expiry date, and CVV - was no longer sufficient. Payment service providers were required to implement 3D Secure 2 (3DS2) or equivalent protocols to add a second authentication factor.
Exemptions were built into the regulation for low-value transactions (under EUR 30), trusted beneficiaries, recurring payments, and transactions assessed as low risk through transaction risk analysis (TRA). The TRA exemption in particular became a critical tool for maintaining conversion rates while complying with the regulation.
Delayed Enforcement
While the legal deadline was 14 September 2019, the reality was more complicated. The European Banking Authority (EBA) acknowledged that the industry was not ready and issued an opinion in June 2019 allowing national competent authorities to grant additional time for compliance. Most major markets - including the UK, France, Germany, and the Netherlands - implemented extended migration timelines, with full enforcement not taking effect until late 2020 or early 2021 in many jurisdictions.
Impact on E-Commerce
The introduction of SCA had a measurable impact on e-commerce payment flows across Europe. Initial implementations saw elevated rates of transaction abandonment as consumers encountered unfamiliar authentication steps. Over time, as 3DS2 implementations matured and biometric authentication on mobile devices became widespread, the friction reduced significantly.
Legacy
PSD2 SCA became the global reference point for payment authentication regulation. The UK retained SCA requirements post-Brexit. Other jurisdictions, including India, Australia, and Singapore, implemented or strengthened their own multi-factor authentication requirements for digital payments, often citing PSD2 as a precedent.