The technological advance that the Internet brought about in the beginning has been growing exponentially to this day, helping to improve and facilitate people’s daily lives. But there have also been people who have used it maliciously and new forms of fraud have been devised, such as identity theft or theft of funds.
The European directive PSD2, which we will discuss below, was developed to give greater protection to the user, forcing the implementation of the SCA. In this article, we will tell you more about the SCA.
Table of Contents
1. What is the SCA?
SCA means “Strong Customer Authentication” by its acronym. It came up with the PSD2 law, which requires the use of this tool in all online payments to avoid online fraud.
The SCA mainly consists in asking for two ways of authentication before being able to make an online payment. There must be two authentication factors out of these three:
- Something that the client knows: It can be a pin or password.
- Something that the client has: It can be their mobile phone or their credit card.
- Something that the client is: It can be a fingerprint or any other biological feature measurable by a smartphone, such as the face through facial recognition.
2. SCA conditions
The authentication factors mentioned above will be requested if an online purchase is made on a European website. Because the PSD2 law ensures the safety of the user, it must make it impossible for anyone to know any other factor if the one entered is wrong. For this, there are four conditions:
- If a mistake is made when entering the code, the wrong factor will not be indicated.
- The maximum number of errors is five before temporary or permanent blocking.
- If the user is inactive for five minutes, they will be asked again to use SCA factors.
- The data must be safe from the interference of third parties to avoid data capture.
3. SCA exemptions
Payment service providers may not apply the SCA in the specific cases listed below:
- Contactless POS: In contactless card payment terminals, the cardholder can “swipe” the card up to five consecutive times if the total value of the purchases does not exceed the total of 150 euros or if any of them individually does not exceed 50 euros. If it is exceeded, the user will be asked for their PIN in the most common of cases.
- Electronic payments: Up to five consecutive operations if the total amount does not exceed 100 euros or if no individual operation exceeds 30 euros. As in the previous case, if this limit is exceeded, you will be asked for authentication again.
- Automatic POS for transport and parking.
- In transfers from the same person or company in the same bank.
- When the beneficiary is on the payer’s trusted beneficiaries list.
- When the same payer makes recurring operations towards the same beneficiary and these are always the same amount.
- Electronic payments only accessible to legal entities with special protocols.