How does SCA work?

Methods of authentication and relevant transactions.


What constitutes a method of authentication?

There are three valid categories of authentication available as part of SCA. Within each category, there are a number of potential methods for satisfying that category.

The three categories are:

  • Knowledge (something only the payer knows) - examples include a password, PIN, passphrase or secret fact/answer,
  • Possession (something only the payer possesses) - examples include their mobile phone, smart watch, smart card or a token
  • Inherence (something the payer is) - examples include a fingerprint, facial recognition, voice patterns, DNA signature and iris format

Only when the payer has been able to provide two of these forms of authentication, will they be allowed to complete their payment.

SEPA countries map

The three types of authentication allowed under SCA

On 21 June 2019, the EBA released a new opinion on what may constitute a compliant element in each of the three possible categories of inherence, possession and knowledge, as well as additional requirements on dynamic linking and the independence of elements.

What transactions does SCA apply to?

SCA is being brought in to make dealing with money and making payments online more secure and to reduce payment fraud. At a high level, SCA will be required where a payer transfers funds or access their account information.

In particular:

  • each time a payer accesses its payment account online,
  • initiates an electronic payment transaction or
  • carries out any action through a remote channel which may imply a risk of payment fraud or other abuse

The main impact is very likely to be on card payments and bank transfers. The reason for this being that card payments are instant and initiated by the end-customer, and the payment or the consent to access account details is instant, which creates risk.

Does SCA apply to recurring payments?

Where payments are initiated by an end customer, SCA will only apply to the first payment in a set of recurring payments for the same amount. However, if the amount changes, then SCA will apply.

Where payments are initiated by the merchant receiving the funds, SCA will typically (although not in the case of standard direct debits) be required for the first payment in a series of recurring payments. So long as the subsequent payments are initiated by the merchant, further SCA will not be required so long as the amounts being charged are within the reasonable expectation of the end customer.

This means subscription businesses, SaaS businesses and membership businesses will all need to prepare for SCA.

There are, however, multiple exemptions to SCA, and certain out of scope transactions that will benefit businesses with recurring revenue.

‹ View table of contents Next page ›

Latest features

Security vs. convenience in the payment experience: What matters most to online shoppers?

We surveyed 4,000 customers across the UK, France, Germany and Spain about their attitudes to security and convenience when shopping online. Get all the insights here.

The new CFO: How 4 CFOs have seen their roles evolve

Hear from the CFOs at GoCardless, SideTrade, The FD Centre and Wolffepack as they discuss how the role has evolved – with insight into the challenges and opportunities they face in a changing financial landscape.

How to scale a fintech: Strategic advice from industry leaders

Learn from the leaders of Monzo, TransferWise, Funding Circle and more, with over 30 pieces of wisdom for scaling your fintech. Get your free copy now.

View all


Reference guides

View all