Skip to content

Strong Customer Authentication for Better Digital Security and PSD2 Compliance

May 11, 2021

Telesign Team
European Union Flag in front of a building

New regulations can seem like nothing more than red tape but, these regulations can also offer new opportunities to better serve your customers. One of these opportunities is the recently enacted European Union standards for Strong Customer Authentication (SCA). Strong Customer Authentication is a cornerstone of Payment Services Directive 2 (PSD2), a financial regulatory policy that recently went into effect across the EU to improve eCommerce security standards and reduce fraud rates from online card payments.


If you’re an eCommerce merchant or payment services provider conducting business within the EU, you’ll need to comply with PSD2 regulations to be able to process electronic payments, and the first thing you’ll need to do is implement Strong Customer Authentication. Gone are the days of relying only on usernames and passwords. Instead, SCA requires that you verify your customer’s identity using two out of the three following indicators:  

Inherence: Something the customer is  

          Ex: biometrics including fingerprint, face scan, voice recognition, typing cadence, signature recognition, etc.  

Knowledge: Something the customer knows  

          Ex. a username and/or password, v, PIN number, answers to security questions, etc.  

Possession: Something the customer has  

          Ex. A mobile phone, a hardware token, a one-time passcode, smart watch, smart card, etc.  

Strong Customer Authentication

These multi-factor authentication elements must be independent in that if one element is breached, it does not compromise the reliability of the others. By verifying two out of the three above qualifiers, eCommerce merchants and payment providers achieve SCA, become PSD2 compliant, and can continue processing online payments.  


When a customer logs onto an account using a username and password, you’ve already verified the ‘something a customer knows’ qualification, and you just need one more to have Strong Customer Authentication.  

Covering the ‘possession’ component of SCA can be as easy as implementing SMS and Voice two-factor authentication into your platform; this way, customers can combine a password (something they know) with an SMS one-time passcode that has been sent to their smartphone (something they possess) to meet SCA requirements.  


Multi-factor authentication and added verification steps can create user friction and impede checkout flow if not deployed carefully, so you’ll want to strike a balance between layers of security that add friction and a seamless user experience. A complicated verification process can cause churn, with users abandoning their cart, but a lack of security for user data makes for wary consumers. With back-end data verification methods and strong customer authentication, most online transactions will process as expected without users even knowing their phone number, email address, or SIM are being authenticated. However, it is possible a fraction of users will abandon their cart because of a verification step.  

You can mitigate this churn by offering a variety of methods for users to verify their authenticity. One-time-passcodes can be delivered via SMS or voice, extending flexibility, and reliable delivery of verification codes over a strong network reduces customer frustration from undelivered passcodes and improves checkout flow.  


Strong Customer Authentication requirements also lay out that card payments must be dynamically linked between payee and payor. Dynamic linking is used to prevent man-in-the-middle attacks, where a fraudster tries to interrupt the connection between the payer and the payee and hijack the authentication code to authorize fraudulent transactions. Dynamic Linking requires financial institutions to digitally connect the authentication code to both the payee and the amount, and specifically, PSD2 also requires verifications to meet the following qualifications:  

PSD2 dynamic linking

In simple terms, when dynamic linking is deployed, man-in-the-middle attacks fail because the authentication code is automatically rejected if the authentication trail (i.e., transaction information, amount, or the payee) has been altered.  


SCA is one of the most important steps to securing your digital platform and it is easy to do with the help of digital security solutions from companies like Telesign. We offer a whole host of SCA-ready products that can be deployed a la carte to make sure that our solutions can be tailored to your company’s precise needs. Don’t let something as simple as SCA be a barrier to achieving top-of-the-line security-become PSD2 compliant and see skyrocketing customer satisfaction from a seamless and secure consumer experience. Contact us today or click here to learn even more about PSD2 compliance.