PSD3 news: What changes are expected for Strong Customer Authentication?

The payments industry is on the verge of one of its most significant regulatory upgrades in years as the European Union finalizes its new Payment Services Directive 3 (PSD3) and the Payment Services Regulation (PSR). For digital banking, payments, and security leaders, the big question is this: What will change for Strong Customer Authentication (SCA) – and how should your authentication strategy evolve to remain compliant, frictionless, and resilient to fraud?

In this article, we break down what’s new, why it matters, and the practical implications for SCA and digital payment journeys. We also provide a helpful table comparing “Basic PSD2 SCA” and “Future-ready, PSD3-aligned SCA strategies”, plus expert guidance on upgrading your legacy SCA setups for the future.

What is SCA under PSD2? Successes and shortcomings

Strong Customer Authentication (SCA) was a keystone requirement under PSD2, obligating banks and payment service providers to verify transactions using at least two independent factors: something the customer knows (password/PIN), something they have (phone/card), or something they are (biometrics like fingerprint or face). This, combined with exemptions for low-value or low-risk transactions, aimed to reduce payment fraud and increase consumer trust.

Where PSD2 SCA worked

  • The value of card-not-present (CNP) fraud fell significantly: EU-wide statistics showed a 33% drop in value after SCA took effect.
  • Standardized adoption of two-factor and biometric methods greatly reduced unauthorized account takeovers.

Where it fell short

  • Rising social engineering and authorized push payment fraud: Fraudsters increasingly manipulated users into approving payments with valid SCA, bypassing controls.
  • Customer friction: Static rules, SMS OTPs, and inconsistent application of exemptions led to disrupted experiences and abandoned transactions.
  • Complexity and compliance gaps: Fragmented national implementations created headaches for multi-market financial institutions.

SCA changes, signals, and proposals in PSD3

1. Flexibility in authentication methods and technologies

PSD3 and PSR will mandate broader support for authentication technologies, including robust support for biometrics (like face and fingerprint recognition), as well as new standards such as FIDO/WebAuthn (passwordless logins), and alternative channels for customers without smartphones. Banks must avoid “mobile-only” approaches and ensure accessibility across demographics and platforms.

2. Stronger emphasis on fraud outcomes, not just compliance

PSD2 focused heavily on “checklist compliance.” PSD3 shifts the spotlight toward fraud reduction outcomes, introducing:
  • Mandatory IBAN/name matching (Confirmation of Payee) for all credit transfers, not just instant or euro payments.
  • Real-time, behavioral, and device intelligence-based transaction monitoring that detects anomalies such as device changes, remote session indicators, or abnormal user behavior to pre-empt fraud.
  • Shared fraud data: PSPs, telcos, and social media should collaborate on threat intelligence, creating a more unified ecosystem.

3. Risk-based and context-aware approaches to SCA

PSD3 will further clarify and expand risk-based exemptions. Instead of static rules, SCA can be dynamically waived for low-risk payments (such as pre-authorized merchants and recurring subscriptions), as long as Transaction Risk Analysis (TRA) shows minimal risk. FIs can expect:
  • More use of behavioral biometrics and risk scoring during authentication.
  • Context-driven “step-up” SCA only when prompted by risk signals.

4. Treatment of remote and high-risk transactions

Remote (online, mobile), high-value, and cross-border payments will face tighter controls. SCA will be required for actions such as:

  • Adding or changing payment credentials or limits
  • Device onboarding or app activation
  • Sensitive settings changes or high-risk, remote actions, even outside payment flows

5. Expansion of SCA scope

PSD3 will close many loopholes seen under PSD2:

  • SCA will apply to open-banking use-cases, with reduced re-authentication friction for data aggregators (platforms that act as a bridge between a customer’s bank account and their apps).
  • All technical service providers involved in SCA (card schemes, gateways, wallet providers) will explicitly share liability for failures.

Practical impacts on key authentication journeys

Logins to banking portals or apps

  • Risk-based authentication can reduce repeated SCA for recognized users and trusted sessions.
  • Step-up SCA for login from new devices or locations.

Step-up SCA for high-risk actions

Adding beneficiaries, raising limits, or managing credentials prompts adaptive SCA decisions: adding a biometric or push notification verification step instead of an SMS OTP only.

Securing E-commerce with PSR

  • 3DS flows will integrate behavioral and device intelligence, plus biometric or passkey options.
  • SCA triggered only when real-time risk assessment flags anomalies.
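As an added illustration (not code from the article or from Entersekt), the following Python sketch shows the step-up/waive logic described in sections 3 and 4 and the journeys above: actions that always require SCA, a constructed TRA score built from device, session and behaviour signals, and a preference for FIDO or biometric factors over SMS OTP, falling back to whatever the customer actually has. The EUR 500 cap is the PSD2 RTS upper limit for TRA-exempt remote payments; the score cut-off, signal names and weights are assumptions.

```python
"""Illustrative risk-based SCA decision engine (constructed example, not
Entersekt's or any PSP's production logic). Thresholds, signal names and
weights are assumptions; only the EUR 500 cap comes from the PSD2 RTS."""
from dataclasses import dataclass, field

# Actions the article lists as always requiring SCA, whatever the risk score.
ALWAYS_SCA_ACTIONS = {"add_beneficiary", "change_limit", "change_credentials",
                      "device_onboarding", "app_activation"}
TRA_AMOUNT_CAP_EUR = 500.0   # PSD2 RTS Art. 18 upper limit for TRA exemption
STEP_UP_SCORE = 40           # constructed cut-off for context-driven step-up
SIGNAL_WEIGHTS = {"new_device": 35, "remote_session": 50, "new_location": 20,
                  "cross_border": 15, "behaviour_anomaly": 40, "new_payee": 25}
FACTOR_PREFERENCE = ("fido", "biometric", "push", "hardware_token", "sms_otp")


@dataclass
class PaymentContext:
    action: str                       # "payment", "login", "add_beneficiary", ...
    amount_eur: float = 0.0
    trusted_session: bool = False     # recognised user on a recognised device
    signals: set = field(default_factory=set)   # risk signals seen this session
    available_factors: tuple = ("sms_otp",)     # what this customer can use


def risk_score(ctx: PaymentContext) -> int:
    """Stand-in for Transaction Risk Analysis: sum the observed signal weights."""
    return sum(SIGNAL_WEIGHTS.get(s, 0) for s in ctx.signals)


def choose_factor(available: tuple) -> str:
    """Strongest factor the customer has; never assume a smartphone exists."""
    for factor in FACTOR_PREFERENCE:
        if factor in available:
            return factor
    raise ValueError("no SCA factor available for this customer")


def decide_sca(ctx: PaymentContext) -> dict:
    """Return whether to challenge, why, and with which factor."""
    score = risk_score(ctx)
    if ctx.action in ALWAYS_SCA_ACTIONS:
        return {"sca": True, "reason": "high-risk action",
                "factor": choose_factor(ctx.available_factors)}
    if score >= STEP_UP_SCORE:
        return {"sca": True, "reason": f"risk score {score}",
                "factor": choose_factor(ctx.available_factors)}
    if ctx.action == "login" and ctx.trusted_session:
        return {"sca": False, "reason": "trusted session, low risk", "factor": None}
    if ctx.action == "payment" and ctx.amount_eur <= TRA_AMOUNT_CAP_EUR:
        return {"sca": False, "reason": "TRA exemption", "factor": None}
    return {"sca": True, "reason": "outside exemption scope",
            "factor": choose_factor(ctx.available_factors)}
```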

Instant payments and cross-channel transactions

  • Name/IBAN matching on all credit transfers to combat authorized fraud.
  • SCA obligations become clearer and more harmonized across the EU market.

SCA implementation under PSD2 vs. PSD3

| Dimension                       | Basic PSD2 SCA implementation                                   | Future-ready PSD3-aligned SCA strategy                                  |
|---------------------------------|-----------------------------------------------------------------|-------------------------------------------------------------------------|
| Factors used                    | Static, often knowledge + possession (SMS OTP)                  | Biometric, device intelligence, context-aware, FIDO, adaptive layers    |
| User experience                 | High friction, repeated step-ups, mobile-only gaps              | Seamless, risk-adaptive, omni-device, inclusion for all users           |
| Fraud detection                 | Transaction monitoring, limited context                         | Behavioral intelligence, real-time monitoring, AI-driven anomalies      |
| Exemptions                      | Static thresholds, complex rules                                | Dynamic Transaction Risk Analysis, risk-based, contextualized exemptions |
| Channels                        | Web/mobile banking, CNP e-commerce only                         | Cross-channel, open banking, e-wallets, multi-device                    |
| Accessibility                   | Frequently excludes elderly, disabled, or those without devices | Inclusive: multiple SCA options, accessibility mandates                 |
| Resilience to regulatory change | Low: hard to update or orchestrate                              | High: centralized orchestration, rapid adaptation, future-proof APIs    |

How Banks can migrate from legacy SCA to a unified, orchestrated authentication layer

The PSD3 and PSR regulatory reset is a prime opportunity to unify and future-proof your FI’s authentication stack:

  • Assess current SCA deployments for device and channel coverage, compliance gaps, and customer experience pain points.
  • Orchestrate authentication flows centrally: Route all SCA logic (step-up, fallback, adaptive checks) through a unified platform or API that supports omnichannel, biometrics, FIDO, and contextual risk scoring.
  • Prioritize user-centricity: Offer multiple authentication options (SMS, biometrics, hardware token, mobile push), catering to accessibility requirements and reducing friction.
  • Invest in behavioral analytics: Integrate device, session, and other behavioral analytics signals to enable real-time, invisible authentication, especially for vulnerable or high-risk users.
  • Stay close to regulatory updates: Work with technology partners who can push configuration-level changes and support rapid regulatory adaptation as the European Banking Authority (EBA) and National Competent Authorities refine payment regulations.

Don't let PSD3 be a last-minute scramble. Download the PSD3 Readiness Guide to see how to turn compliance into a competitive advantage.

Design principles for PSD3-ready SCA

  1. Outcome-focused: Aim for measurable reductions in fraud, especially social engineering and authorized push payment scams.
  2. Adaptive and context-aware: Use risk analytics to dynamically step up or step down SCA, minimizing unnecessary friction for low-risk transactions.
  3. Inclusive: Ensure SCA is accessible to all demographics (not just mobile-first), supporting multi-device and non-digital experiences where needed.
  4. Orchestrated and modular: Build for rapid adaptation, plugging in new authentication technologies and APIs without re-engineering your core stack.
  5. Collaborative intelligence: Share fraud signals, behavioral insights, and contextual data across PSPs, telcos, and social network platforms, as PSD3 mandates.

Conclusion: Is your FI ready for the PSD3 SCA evolution?

By embracing a unified, risk-based, omnichannel authentication strategy, banks and PSPs can not only stay compliant with PSD3 SCA changes, but also dramatically improve fraud outcomes and customer experience.
For further reading, visit the Entersekt blog and the resources section for whitepapers, analysis, and news on secure digital banking and payments.