Double verification for digital transactions
Payment services providers (PSPs), such as banks, use double verification for digital transactions, such as card payments or account-to-account transfers. This is also called ‘strong customer authentication’ (SCA). It provides an extra layer of protection for digital transactions.
What is SCA?
Under the Revised Payment Services Directive (PSD2), PSPs in the EU are required to apply SCA to most payments.
With SCA, a bank or payment institution verifies that the legitimate account or card holder is the person carrying out a digital transaction. This is done using so-called two-factor authentication (2FA), which involves two of a total of three different personal factors to confirm that the legitimate payer is authorizing a payment:
- Something that characterizes only the user, such as a fingerprint or facial recognition;
- Something only the user knows, such as a secret PIN;
- Something only the user possesses, such as a debit card, smartphone, or smartwatch.

When is SCA performed?
PSPs are required to perform SCA in various circumstances:
- When a user wants to access a payments account online;
- When a user makes an electronic payment;
- When a user performs a high-risk online transaction.
SCA in practice
Common examples of SCA include:
- Logging into a mobile banking app using a fingerprint or facial recognition (personal characteristic or ‘inherence’) on a unique personal smartphone (personal possession);
- Paying €100 in a store using a unique debit card (personal possession) and a secret PIN (personal knowledge);
- Increasing a payments limit via online banking, using a secret PIN (personal knowledge) on a unique access device (personal possession).
When making a card payment with a wearable, such as a smartwatch, SCA relies on entering a secret numeric code, providing a fingerprint, or facial recognition when putting on the smartwatch. As soon as the user takes off the smartwatch, they can no longer use it to make payments until they put it back on and unlock it again using SCA.
Exceptions (exemptions)
In practice, a user does not need to perform SCA for every payment transaction. For example, a PIN is often not required for a contactless card payment. This is because there are exceptions to the SCA requirement, including:
- For small amounts: payments of up to €50 are usually exempt from SCA, for a limited number of consecutive transactions.
- For recurring payments to the same recipient: SCA is required only for the first payment.
- For payments to a known recipient: the user can sometimes designate certain beneficiaries (with SCA) whom they trust, for whom SCA is not required thereafter.
- For low-risk transactions: a payment service provider may disable SCA if it assesses the risk to be low; if something does go wrong, the provider is liable for the damage.
The payment services provider determines whether or not to apply SCA. That provider remains responsible for compliance with PSD2, not the payer or payee. For transactions without SCA, the PSP of the payer is, in principle, liable for any damage resulting from misuse by a fraudster, not the legitimate account or card holder.
SCA and the EUDI Wallet
The second European eIDAS Regulation will introduce the EUDI Wallet (EU Digital Identity) in the future, which will also enable secure and reliable two-factor authentication. The EUDI Wallet will therefore play a role in strong customer authentication.
SCA and PSR/PSD3
PSD2 will soon be succeeded by two new EU laws: the PSR (Payment Services Regulation) and PSD3. We expect the rules for strong customer authentication to remain largely the same under PSR/PSD3. However, the new legislation does include a new guideline stating that performing SCA must not depend on having a smartphone. Banks and payment institutions must also offer alternative options. These could include a dedicated access device or a USB token to authorize online transactions on a laptop or desktop computer.
The Role of the Dutch Payments Association
- We monitor all European and domestic developments related to PSD2, PSD3, PSR, eIDAS 2.0, and the EUDI Wallet, and advocate for the interests of the Dutch payments sector in Brussels;
- We respond on behalf of our members to legislative consultations and support our members in complying with laws and regulations regarding reliable identification and authentication.