
The importance of strong customer authentication in payment security

Key Insights

  • Strong Customer Authentication (SCA) is a PSD2 regulation requiring two-factor verification to reduce fraud in electronic payments.

  • What is SCA in payments? It’s a way to confirm a payer’s identity using something they know, have, or are, like a PIN, smartphone, or fingerprint.

  • SCA is mandatory for most card-not-present and high-value contactless payments in the UK and EEA, but many exemptions apply.

  • Poor SCA implementation can lead to high cart abandonment rates, so optimized authentication flows are critical.

  • Aevi’s SCA-ready payment platform helps retailers stay compliant, minimize friction, and deliver secure in-person payment experiences.


When a customer taps to pay in-store or enters card details online, they expect two things: that it works, and that it’s safe.

For global retailers managing high volumes of in-person and digital payments, this is a huge area of focus that they need to get right, as payment security can’t come at the cost of customer experience, and yet fraud prevention is non-negotiable.

This is where Strong Customer Authentication (SCA) comes in.

So, what is Strong Customer Authentication exactly? How does it work in real-world payment environments? And how can businesses meet SCA requirements without compromising speed or user experience?

This article breaks it down, from SCA explained in plain terms, to real-life use cases, and how Aevi’s embedded payment orchestration and security capabilities can help retailers meet today’s demands while preparing for what’s next.

Ready? Let’s go…

What is Strong Customer Authentication (SCA)?

Strong Customer Authentication (SCA) is a security requirement introduced in September 2019 under PSD2, the second Payment Services Directive. It applies to all electronic payments in the European Economic Area, including in-person, online, and mobile transactions, unless the transaction is out of scope or qualifies for an exemption.

SCA is designed to make electronic payments safer by making sure the person making the payment really is who they say they are.

It’s just like unlocking your phone. Picking it up isn’t enough. You also need Face ID, a passcode, or a fingerprint. SCA works the same way, requiring at least two of three independent factors to approve a transaction:

  • Something they know - like a password or PIN
  • Something they have - such as their phone or payment card
  • Something they are - like a fingerprint or face scan

This extra layer of protection helps reduce fraud, especially in card-not-present transactions, which accounted for more than 73% of card fraud in Europe just a few years ago.

SCA is transforming how payments are built. Customers still expect speed and convenience at checkout, so retailers must balance security with simplicity.

From contactless face scans at the terminal to smart prompts during mobile checkout, it could be said that SCA is quietly reshaping payment journeys.

For retailers, that means asking a crucial question: is your payment infrastructure ready for this?

So what does that look like in the real world?

From ecommerce checkouts to in-store taps, SCA plays out differently depending on the channel, payment type, and device used. And not all implementations are created equal...

How Strong Customer Authentication works in practice

For many retailers, the challenge with SCA lies in meeting the requirements without adding unnecessary friction. How that plays out depends on where the payment is happening - online or in-store - and what kind of device or credential the customer is using.

Retailers need to think across both environments. Here’s a quick side-by-side look…

How SCA looks online vs. in-store

[Table: differences between online and in-store SCA methods]

And here’s how those experiences differ in practice…

Online payments - the role of 3D Secure 2

For card-not-present payments like ecommerce checkouts, 3D Secure 2 (3DS2) (a security layer that asks customers to verify their identity during checkout) is the most common path to SCA compliance. It typically prompts the customer to:

  • Approve the payment with a fingerprint or facial recognition
  • Enter a one-time passcode
  • Confirm through their bank’s app

Done well, this all happens in a few seconds and keeps the checkout experience feeling seamless. Done poorly, and customers may abandon their purchase altogether.

In-store - tap, pay, and authenticate

At the point of sale, SCA is often seamless to the customer:

  • Contactless card payments under a certain value (e.g. £100 in the UK) are often exempt, though banks may trigger PIN entry after a number of consecutive transactions.
  • Chip-and-PIN or mobile wallet transactions (like Apple Pay or Google Pay) meet SCA requirements through cardholder PINs or device-based biometrics.
  • SoftPOS and mobile-first solutions often have authentication built into the customer’s device, combining compliance with speed and simplicity.

As contactless-first behaviours grow, more retailers are finding that mobile-led payment flows make it easier to meet SCA standards, without training customers to do something new.

Did you know? Some issuers use host-based solutions to meet SCA requirements without replacing physical cards. These approaches apply new logic during the authorisation process to stay compliant with PSD2.


Now you know what Strong Customer Authentication is - and how it works behind the scenes - it’s a good time to look at when it’s actually required, and how retailers can meet those requirements without making checkout a chore…

When is SCA required, and how does Aevi simplify it?

Strong Customer Authentication is required for most customer-initiated electronic payments within the UK and European Economic Area (EEA), especially in scenarios where fraud risk is higher. These include:

  • Online card payments (e.g. ecommerce transactions)
  • In-store contactless payments above certain thresholds
  • Adding or updating saved payment methods
  • Accessing sensitive account information, like payment history or card details

The requirement kicks in when both the merchant’s and the cardholder’s banks are located in the EEA. If a payment requires SCA and doesn’t meet the criteria, banks are required to decline it.

However, many transactions may qualify for exemptions, such as:

  • Recurring subscriptions
  • Low-value purchases
  • Payments to trusted beneficiaries
  • Merchant-initiated transactions (MITs)
  • Mail order/telephone order (MOTO)
  • Anonymous prepaid cards

These exemptions help reduce friction, but only if the payment platform can intelligently request and manage them.
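As an added example (not Aevi's code or the article's own), the following Python sketches the two rules the article describes: the two-of-three factor check from the "What is SCA" section, and the in-scope/exemption decision from the list above, including the low-value contactless counter that steps up to PIN after a run of taps. The £100 limit is the UK figure quoted above; the consecutive-tap count, the transaction-kind labels and the reason strings are assumed placeholders.

```python
from dataclasses import dataclass
from enum import Enum

class Factor(Enum):
    KNOWLEDGE = "know"    # password or PIN
    POSSESSION = "have"   # phone or payment card
    INHERENCE = "are"     # fingerprint or face scan

def satisfies_sca(factors):
    """SCA needs two factors from *different* categories; PIN plus
    password is two knowledge factors and does not qualify."""
    return len(set(factors)) >= 2

# Exemption categories listed in the article (labels are assumed)
EXEMPT_KINDS = {"recurring", "trusted_beneficiary", "mit", "moto", "anonymous_prepaid"}
CONTACTLESS_LIMIT_GBP = 100   # UK single-tap limit quoted in the article
MAX_CONSECUTIVE_TAPS = 5      # ASSUMED placeholder: the article says "a number of"

@dataclass
class Txn:
    amount_gbp: float
    kind: str                           # "contactless", "ecommerce", "mit", ...
    merchant_psp_in_scope: bool = True  # merchant's bank in the UK/EEA
    issuer_in_scope: bool = True        # cardholder's bank in the UK/EEA
    customer_initiated: bool = True

@dataclass
class CardState:
    consecutive_contactless: int = 0    # issuer-side counter per card

def sca_decision(txn, state):
    """Return (sca_required, reason). Out-of-scope and exempt payments pass
    without a challenge; low-value contactless is exempt until the tap
    counter is exhausted, after which the issuer requires PIN entry."""
    if not (txn.merchant_psp_in_scope and txn.issuer_in_scope):
        return False, "out_of_scope"            # one leg outside the UK/EEA
    if not txn.customer_initiated or txn.kind in EXEMPT_KINDS:
        return False, f"exempt_{txn.kind}"
    if txn.kind == "contactless":
        if (txn.amount_gbp <= CONTACTLESS_LIMIT_GBP
                and state.consecutive_contactless < MAX_CONSECUTIVE_TAPS):
            state.consecutive_contactless += 1
            return False, "exempt_low_value_contactless"
        state.consecutive_contactless = 0       # a PIN-verified tap resets the run
        return True, "contactless_step_up"
    return True, "sca_required"                 # e.g. ecommerce via 3DS2
```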

That’s where Aevi comes in.

Aevi’s platform is built to support secure, seamless in-person payments that are fully SCA-compliant - without slowing things down at checkout. Whether it’s SoftPOS (with device-based biometrics), digital wallets, or contactless terminals, Aevi helps global retailers:

  • Handle authentication smoothly across regions and devices
  • Leverage SCA exemptions intelligently when eligible
  • Reduce friction while staying compliant with evolving PSD2 requirements
  • Embed secure payment logic into the customer journey, not bolt it on

In short, it’s about giving customers a secure experience they (or you!) don’t have to think twice about.