Strong Customer Authentication (SCA): UX and Compliance in Open Banking

What Is Strong Customer Authentication (SCA)?

Strong Customer Authentication is a security requirement introduced by the EU’s revised Payment Services Directive (PSD2) and specified in its Regulatory Technical Standards (Commission Delegated Regulation (EU) 2018/389). It requires at least two independent authentication elements before a customer can access a payment account online or approve an electronic payment. The RTS applied from September 14, 2019, across the European Economic Area, although supervisors allowed a phased enforcement for e-commerce card payments that ran into 2021. SCA was designed to cut online fraud, especially card-not-present transactions, which made up over 73% of payment fraud in Europe before SCA.

SCA isn’t just asking for a password and a code. The elements come from three categories: something you know (a PIN or password), something you have (your phone or card), and something you are (a fingerprint or face). At least two categories are required, and the elements must be independent, so that compromising one does not compromise the other. For remote payments there is a further requirement: dynamic linking. The authentication code generated when you approve is bound to the exact amount and payee, both of which must be shown to you at approval time, and any later change to either invalidates the code. A code approved for €42 to one payee is worthless for €420, or for a different payee. This is what sets SCA apart from generic two-factor authentication.
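Dynamic linking is easier to see in code than in prose. The block below is an added example, not code from the article or from any issuer or card scheme: it binds the approved amount and payee into an HMAC-based authentication code with a one-time nonce, then shows that the same code fails if the amount or payee is altered afterwards, or if it is replayed. The shared key, the byte encoding and the nonce scheme are assumptions made for illustration; real schemes use their own formats.

```python
"""Dynamic linking, shown as an HMAC-based authentication code.

Added example, not from the article. The key is a per-issuer/per-device
secret established out of band (assumption); the encoding and nonce scheme
are illustrative, not any bank's or scheme's actual format.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    amount_cents: int   # EUR 42.00 -> 4200; integers avoid float rounding in the bound value
    currency: str       # ISO 4217 code
    payee: str          # IBAN or merchant identifier shown to the payer


def _canonical(tx: Transaction, nonce: bytes) -> bytes:
    """Unambiguous byte encoding of exactly the data the payer approved.

    Each field is length-prefixed so two different transactions can never
    encode to the same bytes (no "12|3" versus "1|23" ambiguity).
    """
    parts = [str(tx.amount_cents).encode(), tx.currency.encode(),
             tx.payee.encode(), nonce]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def issue_auth_code(key: bytes, tx: Transaction) -> tuple[bytes, bytes]:
    """Issuer side: called only after the payer has passed SCA while being
    shown this amount and this payee. Returns (nonce, code)."""
    nonce = secrets.token_bytes(16)  # one-time value so the code cannot be replayed
    code = hmac.new(key, _canonical(tx, nonce), hashlib.sha256).digest()
    return nonce, code


def verify_auth_code(key: bytes, tx: Transaction, nonce: bytes, code: bytes,
                     used_nonces: set[bytes]) -> bool:
    """Execution side: recompute the code over the transaction as it is about
    to be executed. A changed amount or payee, or a reused nonce, fails."""
    if nonce in used_nonces:
        return False
    expected = hmac.new(key, _canonical(tx, nonce), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, code):
        return False
    used_nonces.add(nonce)  # only a successful execution consumes the nonce
    return True


def demo() -> dict[str, bool]:
    """Constructed scenario: approve EUR 42.00 to one IBAN, then try to execute
    the same code with a changed amount, a changed payee, as approved, and
    finally as a replay of the already executed approval."""
    key = secrets.token_bytes(32)
    approved = Transaction(4200, "EUR", "DE89370400440532013000")  # constructed example IBAN
    nonce, code = issue_auth_code(key, approved)
    used: set[bytes] = set()
    return {
        "amount_changed": verify_auth_code(
            key, Transaction(42000, "EUR", approved.payee), nonce, code, used),
        "payee_changed": verify_auth_code(
            key, Transaction(4200, "EUR", "FR7630006000011234567890189"), nonce, code, used),
        "as_approved": verify_auth_code(key, approved, nonce, code, used),
        "replayed": verify_auth_code(key, approved, nonce, code, used),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:16s} -> {'executes' if ok else 'rejected'}")
```

Only the transaction exactly as approved executes, and only once. Note that a failed verification does not consume the nonce, so a tampered message cannot be used to block the legitimate one.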

How SCA Works in Practice

Most online card payments use 3-D Secure 2 (3DS2), which replaced 3DS1; EMVCo retired the 3DS1 protocol in October 2022. Around 98% of European card issuers now use 3DS2 because it carries the device and transaction data needed for risk scoring and dynamic linking, and its challenge screens work in-app and on mobile. When you check out, the issuer may approve silently on the basis of that data (the frictionless flow), or challenge you to approve the payment with your fingerprint, face scan, or a one-time code sent to your phone.

For in-person payments, SCA is already handled by chip and PIN. Contactless payments are exempt under the RTS when the tap is €50 or less, but only until one of the issuer’s counters runs out: a cumulative €150 spent, or five consecutive contactless payments, since the last PIN entry. Issuers may run tighter counters, which is why the point at which you are asked for your PIN differs between banks and countries, for example €150 in France and €100 in Germany. The logic is the same everywhere; only the counter values vary.

Big payment platforms like Stripe, Adyen, and Square have built SCA into their systems. Stripe says 87% of European merchants now rely on 3DS2. Apple Pay and Google Pay are the gold standard for UX: the device is the “something you have,” the biometric or passcode unlock is the “something you are” or “something you know,” and because the wallet performs that authentication and presents a tokenized card, the issuer treats the payment as already authenticated. No extra steps. No pop-ups. Just tap and go. Adyen reports a 92% success rate for these flows.

Why SCA Breaks the Checkout Experience

Here’s the problem: SCA adds friction. Baymard Institute found that after SCA rolled out, cart abandonment jumped by an average of 14.7%. But that number hides the real story. Merchants using SMS codes saw abandonment spike to 22.1%. Those using biometrics? Only 6.2%. The difference isn’t small-it’s the difference between losing one in five customers and keeping four out of five.

Why? SMS codes are slow. They arrive late. Sometimes not at all. People get frustrated. A YouGov survey of 5,000 European shoppers found 41% of users experienced delays with SMS authentication. And 78% of consumers say they prefer fingerprint or face recognition. Only 12% want SMS.

Bad UX doesn’t just cost sales-it costs trust. When a customer sees a popup mid-checkout with no explanation, they think: “Is this legit?” or “Why am I being asked again?” That’s why clear messaging matters. Baymard’s research showed that explaining why authentication is needed cuts abandonment by 22%. And keeping the authentication inside the checkout flow-instead of redirecting to a bank page-boosts completion by 31%.


The Exemptions That Save the Day

SCA isn’t meant to be applied to every single transaction. There are smart exemptions built in.

  • Low-value exemption (RTS Article 16): remote transactions of €30 or less can skip SCA, but only for up to five consecutive exempted transactions, or until €100 has accumulated since the last SCA. The issuer keeps those counters and makes the decision; a merchant can only request the exemption.
  • Trusted beneficiary (Article 13): if you have paid Amazon or Netflix before, you can ask your bank to add them to its trusted beneficiary list (adding the entry itself requires SCA). Future payments to a listed payee need no further challenge. The list lives with the issuer, not the merchant.
  • Transaction risk analysis, the “low-risk” exemption (Article 18): if the payment service provider requesting the exemption has a low enough reference fraud rate, SCA can be skipped. The thresholds are banded by amount: a fraud rate at or below 0.13% (13 basis points, not 0.13 basis points) for transactions up to €100, 0.06% up to €250, and 0.01% up to €500; above €500 the exemption is never available. Adyen’s system qualifies 82% of transactions for this. Stripe says 68% of all exempted payments fall under this category.
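The three exemptions above, plus the contactless counters described earlier, reduce to a small set of threshold checks. The block below is an added example, not the article’s calculator and not any processor’s product: it encodes the RTS limits (Articles 11, 16 and 18) and models the per-card counters as the issuer keeps them, so you can see why the sixth €20 payment in a row gets challenged even though each one is under €30. The counters, the “both counters must hold” interpretation, and the scenario amounts are assumptions; in production the issuer holds this state and can refuse any exemption the acquirer requests.

```python
"""Which RTS exemptions a transaction could qualify for.

Added example, not from the article or any processor's product. Thresholds
are those in Commission Delegated Regulation (EU) 2018/389: Article 11
(contactless), Article 16 (low-value remote) and Article 18 (transaction
risk analysis). Amounts are in euro cents. The counters are modelled as
the issuer would keep them; a merchant cannot see them, and an issuer can
still refuse any exemption the acquirer requests.
"""
from dataclasses import dataclass
from enum import Enum


class Channel(Enum):
    REMOTE = "remote"            # online / card-not-present
    CONTACTLESS = "contactless"  # in-person tap


@dataclass
class CardCounters:
    """Per-card state since the last successful SCA, held by the issuer."""
    cumulative_cents: int = 0
    consecutive_count: int = 0

    def record_exempt_payment(self, amount_cents: int) -> None:
        self.cumulative_cents += amount_cents
        self.consecutive_count += 1

    def record_sca(self) -> None:
        """A successful SCA resets both counters."""
        self.cumulative_cents = 0
        self.consecutive_count = 0


# Article 18: (max amount, max reference fraud rate of the PSP applying the
# exemption). 0.0013 is 0.13 %, i.e. 13 basis points, not 0.13 basis points.
TRA_BANDS = ((100_00, 0.0013), (250_00, 0.0006), (500_00, 0.0001))

# (max single amount, max cumulative amount, max consecutive count)
LOW_VALUE_REMOTE = (30_00, 100_00, 5)   # Article 16
CONTACTLESS = (50_00, 150_00, 5)        # Article 11


def tra_allowed(amount_cents: int, psp_fraud_rate: float) -> bool:
    """Transaction risk analysis: lower fraud rates unlock higher amounts."""
    for max_amount, max_rate in TRA_BANDS:
        if amount_cents <= max_amount:
            return psp_fraud_rate <= max_rate
    return False  # above EUR 500 TRA is never available


def counter_exemption_allowed(amount_cents: int, counters: CardCounters,
                              limits: tuple[int, int, int]) -> bool:
    """Low-value / contactless: per-transaction cap plus cumulative counters.

    The RTS lets the issuer apply either the amount counter or the count
    counter; this example applies both, the conservative choice (assumption).
    """
    max_single, max_cumulative, max_count = limits
    return (amount_cents <= max_single
            and counters.cumulative_cents + amount_cents <= max_cumulative
            and counters.consecutive_count + 1 <= max_count)


def applicable_exemptions(channel: Channel, amount_cents: int,
                          counters: CardCounters, psp_fraud_rate: float,
                          trusted_beneficiary: bool = False) -> list[str]:
    """Return the exemptions an acquirer could request for this transaction."""
    found: list[str] = []
    if channel is Channel.CONTACTLESS:
        if counter_exemption_allowed(amount_cents, counters, CONTACTLESS):
            found.append("contactless (Art. 11)")
        return found  # the remaining exemptions apply to remote payments
    if trusted_beneficiary:
        found.append("trusted beneficiary (Art. 13)")
    if counter_exemption_allowed(amount_cents, counters, LOW_VALUE_REMOTE):
        found.append("low value (Art. 16)")
    if tra_allowed(amount_cents, psp_fraud_rate):
        found.append("transaction risk analysis (Art. 18)")
    return found


def demo_low_value_run() -> list[bool]:
    """Constructed scenario: six consecutive EUR 20 online payments on one card.
    The first five stay within both counters; the sixth must be challenged."""
    counters = CardCounters()
    outcomes = []
    for _ in range(6):
        exempt = "low value (Art. 16)" in applicable_exemptions(
            Channel.REMOTE, 20_00, counters, psp_fraud_rate=0.0020)
        outcomes.append(exempt)
        if exempt:
            counters.record_exempt_payment(20_00)
        else:
            counters.record_sca()  # issuer challenged; counters start over
    return outcomes


if __name__ == "__main__":
    print(demo_low_value_run())
    print(applicable_exemptions(Channel.REMOTE, 80_00, CardCounters(), 0.0010))
```

Two things the code makes obvious that the bullet list does not: the TRA thresholds are percentages of transaction value, so a 0.13% reference fraud rate that qualifies a €90 basket does not qualify a €150 one; and the low-value exemption is exhausted by the issuer’s counters, which a merchant never sees, so a request for it can be refused even when the single amount is under €30.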

But here’s the catch: 31% of merchants misapply the low-risk exemption, according to EY’s 2023 report. That’s dangerous in two ways. The issuer can reject the exemption and return a soft decline demanding a challenge, which your checkout has to handle. And when an acquirer-side exemption is granted, liability for fraud moves from the issuer to the acquirer, and through it to the merchant: skip SCA when you shouldn’t, and the loss is yours.

That’s why risk engines like Stripe’s Radar, Adyen’s RevenueProtect, or third-party tools such as Riskified matter. They automate risk scoring. They learn from patterns. They reduce manual errors. For mid-sized merchants, implementing these tools costs around €45,000, but most see a return on investment in under 11 months, thanks to fewer fraud losses and higher conversion rates.

Compliance Risks and Real-World Fines

Regulators aren’t just watching-they’re punishing. In January 2023, the Dutch central bank fined a major bank €1.2 million for failing to properly enforce dynamic linking. That’s not a warning. That’s a message.

Even though 87% of payment providers now fully comply with SCA (up from 62% in 2020), 34% of merchants still struggle with exemptions. And it’s not just about fines. Failed authentications spike customer service calls. Reddit threads from r/ecommerce show that 47% of merchants report unexpected authentication failures. Another 38% say configuring exemptions is a nightmare.

And it’s getting more complicated. The UK kept SCA after Brexit, but under its own rulebook: the Payment Services Regulations 2017 and the FCA’s version of the technical standards, which set the limits in pounds (£30 for the low-value exemption, £100 per contactless tap) and enforced e-commerce SCA from March 14, 2022. So if you sell to both EU and UK customers, you’re managing two slightly different rulebooks. That’s a headache for small businesses without legal teams.


What’s Next for SCA?

SCA isn’t staying the same. The European Payments Council is pushing for FIDO2 passkeys by 2025. These are passwordless, phishing-resistant logins in which the authenticator is your device: the private key on the phone is the “something you have,” and the biometric or PIN that unlocks it is the “something you are” or “something you know,” so two independent elements still go into every approval. No SMS. No typed codes. Just unlock your phone and pay.

Mastercard’s Identity Check Mobile processed nearly 25 billion authenticated transactions in 2022-with a 98.3% success rate. That’s the future: invisible authentication. Behavioral biometrics are already being tested. Instead of asking you to scan your face, the system learns how you hold your phone, how you type, how you move your cursor. If it detects a match, no challenge is triggered. Early pilots show an 89% drop in authentication prompts-and fraud stays below 0.03%.

The EBA is also considering lowering the low-value exemption from €30 to €25 to account for inflation. On open banking the picture is different from what is often reported: SCA has applied to account access since the RTS took effect in 2019, and it is performed by your bank, not by the app. What has changed is the exemption. Under RTS Article 10, once you have authenticated, your bank may let an app (Yolt or Monzo, say) read your balance and the last 90 days of transactions without a new SCA, and Commission Delegated Regulation (EU) 2022/2360 extended that window from 90 to 180 days. So you do not authenticate every time you view a balance; you re-authenticate when the window expires, when the app asks for older history, or when you initiate a payment.

How to Get It Right

If you’re a merchant or developer, here’s what actually works:

  1. Use biometrics or an in-app approval as your default. Fall back to SMS only where nothing else is available.
  2. Explain the step. Don’t just pop up a screen. Say: “We need to verify your identity to protect your payment.”
  3. Keep the flow inside your site. Render the 3DS2 challenge in your checkout rather than redirecting to a bank page.
  4. Use a payment processor with a risk engine that requests exemptions for you and handles the issuer’s soft declines. Don’t try to build exemption logic yourself; the issuer holds the counters and makes the final call.
  5. Test everything. Run real-user tests with European customers. Watch where they drop off.

Small businesses spent an average of €10,000-€50,000 to get compliant. Some spent over €50,000. But the cost of not doing it? Higher fraud, lost sales, and regulatory penalties. The ROI isn’t just about security. It’s about keeping customers happy-and getting them to complete their purchase.

Why This Matters for Open Banking

Open banking lets third-party apps access your financial data with your permission. Think budgeting tools, comparison sites, or automated bill payers. But without SCA, anyone could fake access to your account.

Every Account Information Service Provider (AISP) and Payment Initiation Service Provider (PISP) has been subject to SCA since the RTS took effect, but the SCA is applied by your bank, not by the app. Connecting a finance app to a new bank for the first time requires SCA; the bank can then let the app read your balance and recent transactions for 180 days before asking you to authenticate again. Sending money to a friend through a PISP is a payment initiation, so it requires SCA every time unless one of the payment exemptions applies.

This is a big shift for app builders. It makes open banking safer, but it also means apps need to design authentication into their flows from day one: the bank performs SCA through a redirect, a decoupled flow (you approve in your banking app) or an embedded flow, and the app must support whichever its target banks offer and must handle re-authentication when the 180-day window expires. A budgeting app that collects your bank credentials and logs in on your behalf with no SCA flow will not keep working.