
SCA

What Is SCA or 2FA?

SCA (Strong Customer Authentication) is the identity-verification requirement under which a payer must present at least two independent authentication factors (which is why it is often referred to simply as 2FA) before an electronic payment is authorized. It is mandated by Article 97 of Directive (EU) 2015/2366 (PSD2) and, in Spain, by Royal Decree-Law 19/2018.

Its purpose is to reduce fraud in both remote and in-person transactions within the European Economic Area (EEA). Since December 31, 2020, the final enforcement date in Spain, SCA applies to all electronic payments initiated by the payer, except for the exemptions defined in Delegated Regulation (EU) 2018/389. Payments the merchant initiates without the payer present (merchant-initiated transactions) fall outside the scope of SCA rather than being exempt from it, which is why the mandate that allows them has to be set up with an authenticated transaction first.


How Strong Customer Authentication (2FA) works

SCA requires combining two of three categories of authentication factors before completing a payment:

  • Knowledge: something only the user knows, such as a PIN or password.
  • Possession: something only the user has, such as a mobile phone or a physical chip card.
  • Inherence: something the user is, such as a fingerprint or facial recognition.

These factors must be independent: compromising one must not compromise the other, so if both can be captured from the same compromised device (for example a password typed on a phone that also receives the SMS code) that independence is lost. In addition, Article 5 of Delegated Regulation (EU) 2018/389 requires dynamic linking: the authentication code must be tied to the exact amount and the specific beneficiary, both of which have to be shown to the payer at the moment of approval. If either is altered after approval, the code becomes invalid. This is the technical barrier against real-time manipulation of a payment, such as malware in the browser changing the payee or the amount after the user has confirmed.

In practice, the 3D Secure 2 (3DS2) protocol is the most widely used channel to meet SCA requirements for online card payments. 3DS2 sends over one hundred contextual data points (device, browser, shipping and cardholder-account fields) to the issuer, enabling risk-based authentication (RBA). When the issuer judges the risk low enough to apply an exemption it returns a frictionless result with no visible step for the buyer; otherwise it presents a challenge (approval in the banking app, a one-time code or a biometric check) that supplies the second factor.
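The following is an added example, not code from the original page or from any 3DS or banking implementation, that shows the dynamic-linking idea in Python: an HMAC-based code computed over the approved amount, currency, payee and a one-time challenge, checked by a model issuer that recomputes it over the transaction it is actually about to execute. The shared key, the Issuer class, the 8-digit truncation and the attempt limit are assumptions made for this illustration; a real deployment relies on a certified authenticator and the issuer's own risk engine.

```python
import hashlib
import hmac
import secrets
import struct
from decimal import Decimal, ROUND_HALF_UP


def canonical_message(amount: str, currency: str, payee: str, challenge: bytes) -> bytes:
    """Unambiguous encoding of what the payer approved.

    The amount is normalised to minor units (assumes a two-decimal currency such as
    EUR), so "49.99" and "49.990" link to the same code. Every field is length-prefixed
    so that ("1", "23") and ("12", "3") can never produce the same byte string.
    """
    minor_units = int((Decimal(amount) * 100).quantize(Decimal("1"), rounding=ROUND_HALF_UP))
    fields = [str(minor_units).encode(), currency.upper().encode(), payee.encode("utf-8"), challenge]
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)


def authentication_code(key: bytes, amount: str, currency: str, payee: str, challenge: bytes) -> str:
    """Code the payer's authenticator produces after showing amount and payee on its own display."""
    mac = hmac.new(key, canonical_message(amount, currency, payee, challenge), hashlib.sha256).digest()
    # HOTP-style dynamic truncation (RFC 4226 section 5.3) to 8 decimal digits a person can type.
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10**8:08d}"


class Issuer:
    """Model issuer (assumption of this example): hands out one-time challenges and recomputes
    the code over the transaction it will execute, not over what the browser claims was shown."""

    def __init__(self, key: bytes, max_attempts: int = 3):
        self._key = key
        self._outstanding = {}  # challenge -> failed attempts so far
        self._max_attempts = max_attempts

    def start_transaction(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self._outstanding[challenge] = 0
        return challenge

    def authorise(self, challenge: bytes, amount: str, currency: str, payee: str, code: str) -> bool:
        if challenge not in self._outstanding:
            return False  # unknown, expired or already consumed: a replay is rejected here
        expected = authentication_code(self._key, amount, currency, payee, challenge)
        if hmac.compare_digest(expected, code):
            del self._outstanding[challenge]  # one challenge, one successful authorisation
            return True
        # An 8-digit code is only safe with an attempt limit: lock the challenge after a few misses.
        self._outstanding[challenge] += 1
        if self._outstanding[challenge] >= self._max_attempts:
            del self._outstanding[challenge]
        return False


def demo() -> dict:
    """Constructed scenarios: one honest checkout, a replay, and two manipulations of an approval."""
    key = secrets.token_bytes(32)  # shared secret provisioned into the payer's authenticator app
    issuer = Issuer(key)
    results = {}

    # Honest: the device showed "49.99 EUR to Shop A" and the merchant submits exactly that.
    ch = issuer.start_transaction()
    code = authentication_code(key, "49.99", "EUR", "Shop A", ch)
    results["honest"] = issuer.authorise(ch, "49.99", "EUR", "Shop A", code)
    results["replay"] = issuer.authorise(ch, "49.99", "EUR", "Shop A", code)

    # Man-in-the-browser swaps the payee after the payer approved: the code no longer links.
    ch = issuer.start_transaction()
    code = authentication_code(key, "49.99", "EUR", "Shop A", ch)
    results["payee_changed"] = issuer.authorise(ch, "49.99", "EUR", "Mule Account", code)

    # Same attack on the amount.
    ch = issuer.start_transaction()
    code = authentication_code(key, "49.99", "EUR", "Shop A", ch)
    results["amount_changed"] = issuer.authorise(ch, "499.99", "EUR", "Shop A", code)
    return results


if __name__ == "__main__":
    print(demo())
```

Three details carry the security property: the issuer verifies against the amount and payee it will actually debit, so a tampered submission fails even though the payer produced a valid code; the challenge is consumed on success, so a captured code cannot be replayed for a second payment; and canonicalisation happens before the MAC, so "49.99" and "49.990" cannot be used to argue that two different approvals were given.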

Regulatory impact and security requirements for 2FA

SCA operates within a three‑layer regulatory framework:

  • PSD2 Directive (Directive (EU) 2015/2366): establishes the general obligation for strong authentication.
  • Delegated Regulation (EU) 2018/389 (EBA RTS): defines technical requirements, valid factors, and exemptions.
  • Royal Decree‑Law 19/2018: transposes PSD2 into Spanish law and grants supervisory and sanctioning powers to the Bank of Spain, with fines of up to 10% of annual turnover or 10 million euros.

The SCA exemptions most relevant to ecommerce are:

  • Low-value payments: remote transactions of €30 or less, provided that the cumulative amount since the last SCA does not exceed €100 or that no more than five consecutive transactions have gone unauthenticated. The issuer holds these counters, so the merchant can only request the exemption; the issuer decides.
  • Transaction Risk Analysis (TRA): the payment service provider (issuer or acquirer) may exempt a transaction if its own quarterly reference fraud rate stays below the threshold for that amount band: below 0.13% to exempt payments up to €100, below 0.06% up to €250 and below 0.01% up to €500.
  • Fixed-amount recurring payments: SCA applies only to the first transaction, which sets up the series. Subsequent charges of the same amount to the same merchant are exempt; if the amount changes, the new amount must be authenticated again.
  • Trusted beneficiaries: the customer may whitelist a merchant through their issuer.
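An added example, not the page's own or any PSP's code, of the decision logic behind the exemptions listed above and the "smart SCA strategy" the page recommends: a Python model in which the issuer keeps the low-value counters, the trusted-beneficiary list and the authenticated recurring series, and one function chooses which exemption, if any, applies to a transaction given the PSP's reference fraud rate. The amount thresholds are those of Delegated Regulation (EU) 2018/389; the data structures, the conservative counting of the current transaction against the €100 / five-transaction limits, and the rule that a recurring series starts with SCA are assumptions of this illustration.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Article 18 of Regulation (EU) 2018/389: the PSP's reference fraud rate caps the TRA amount.
TRA_THRESHOLDS = (
    (Decimal("0.13"), Decimal("100")),
    (Decimal("0.06"), Decimal("250")),
    (Decimal("0.01"), Decimal("500")),
)
# Article 16: low-value remote payments.
LOW_VALUE_MAX = Decimal("30")
LOW_VALUE_CUMULATIVE_MAX = Decimal("100")
LOW_VALUE_MAX_COUNT = 5


def tra_exemption_limit(fraud_rate_pct) -> Decimal:
    """Largest transaction the PSP may exempt under TRA; 0 means TRA is not available to it."""
    rate = Decimal(fraud_rate_pct)
    limit = Decimal("0")
    for max_rate, amount in TRA_THRESHOLDS:  # ordered from loosest to strictest rate
        if rate <= max_rate:
            limit = amount
    return limit


@dataclass
class PayerState:
    """Counters and lists the issuer keeps per payer (assumed structure; the merchant never sees them)."""
    cumulative_since_sca: Decimal = Decimal("0")
    count_since_sca: int = 0
    trusted_payees: set = field(default_factory=set)
    authenticated_series: set = field(default_factory=set)  # (payee, amount) mandates that passed SCA


@dataclass(frozen=True)
class Transaction:
    amount: Decimal
    payee: str
    recurring: bool = False


def decide(tx: Transaction, state: PayerState, fraud_rate_pct) -> str:
    """Return the exemption to apply, or "sca" when full authentication is required."""
    if tx.payee in state.trusted_payees:
        return "trusted_beneficiary"  # Art. 13: whitelisted at the issuer, any amount
    if tx.recurring:
        if (tx.payee, tx.amount) in state.authenticated_series:
            return "recurring"  # Art. 14: same amount, same payee as the authenticated first charge
        return "sca"  # first charge of a series (or a changed amount) sets up the mandate
    if tx.amount <= LOW_VALUE_MAX and (
        state.cumulative_since_sca + tx.amount <= LOW_VALUE_CUMULATIVE_MAX
        or state.count_since_sca < LOW_VALUE_MAX_COUNT
    ):
        return "low_value"  # Art. 16, counting the current transaction conservatively
    if tx.amount <= tra_exemption_limit(fraud_rate_pct):
        return "tra"  # Art. 18
    return "sca"


def record(tx: Transaction, state: PayerState, decision: str) -> None:
    """Update the issuer's counters: SCA resets them, any exemption consumes them."""
    if decision == "sca":
        state.cumulative_since_sca = Decimal("0")
        state.count_since_sca = 0
        if tx.recurring:
            state.authenticated_series.add((tx.payee, tx.amount))
    else:
        state.cumulative_since_sca += tx.amount
        state.count_since_sca += 1


def run_sequence(txs, state: PayerState, fraud_rate_pct) -> list:
    decisions = []
    for tx in txs:
        decision = decide(tx, state, fraud_rate_pct)
        record(tx, state, decision)
        decisions.append(decision)
    return decisions


def demo_sequence() -> list:
    """Constructed checkout history for one payer at a PSP with a 0.10 % reference fraud rate."""
    state = PayerState(trusted_payees={"utility-co"})
    txs = [Transaction(Decimal("25"), "coffee-shop")] * 6 + [
        Transaction(Decimal("80"), "shop"),
        Transaction(Decimal("150"), "shop"),
        Transaction(Decimal("12.99"), "streaming", recurring=True),
        Transaction(Decimal("12.99"), "streaming", recurring=True),
        Transaction(Decimal("500"), "utility-co"),
        Transaction(Decimal("120"), "shop"),
    ]
    return run_sequence(txs, state, "0.10")


if __name__ == "__main__":
    print(demo_sequence())
```

Running the constructed sequence shows the counters doing their job: the sixth €25 coffee no longer qualifies as low-value and falls through to TRA, the €150 purchase forces SCA and resets the counters, the first streaming charge is authenticated and every later one of the same amount is exempt, and the €120 purchase exceeds what a 0.10% fraud rate allows under TRA. In 3DS2 and authorization messages the exemption is only a flag the merchant requests; the issuer may refuse it with a soft decline, so merchant code must be ready to retry the same payment with a full challenge.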

Compliance with PCI DSS v4.0 complements SCA on the technical side but protects a different population: Requirement 8.4 mandates multi-factor authentication (MFA) for all access into the cardholder data environment, that is, for the merchant's and provider's own staff and administrators, whereas SCA authenticates the paying customer. Together they cover both ends of the card-data path.

Operational advantages and disadvantages of using 2FA

Advantages

  • Direct reduction of fraud in remote card payments.
  • Liability shift: once a 3D Secure authentication is completed, fraud liability for that transaction typically moves to the issuer. A transaction the merchant chose to exempt from SCA does not get this shift; the merchant keeps the chargeback risk.
  • Greater buyer confidence due to a more secure environment.
  • Smart use of exemptions (TRA, low-value) maintains conversion without sacrificing security.

Disadvantages

  • Additional friction at checkout, which may increase cart abandonment.
  • Dependency on issuer infrastructure: if the banking app fails or the SMS does not arrive, the sale is lost.
  • Technical complexity when integrating 3DS2 and managing exemptions correctly.
  • Integration and maintenance costs for gateways and merchants.

The operational key is implementing a smart SCA strategy: triggering full authentication when risk requires it and requesting exemptions (TRA, low‑value) when risk models allow. This balance between security and user experience is what separates merchants with strong conversion rates from those suffering high checkout abandonment.

Disabling 3D Secure to reduce friction is a common mistake. Modern 3DS2 versions allow frictionless flows when risk is low, and keeping it active protects merchants against fraud‑related chargebacks.
