PSD2 is Approaching… Have You Started Testing SCA Compliance?
Financial institutions in the EEA are preparing for PSD2’s full implementation. Learn how your company can get ready for the changes ahead.

Key Takeaways
- PSD2 (the second Payment Services Directive) is a European regulation designed to strengthen payment security, protect consumers, and drive collaboration between banks and fintechs.
- Although PSD2 formally took effect in 2019, enforcement was extended until 31 December 2020 to give financial institutions more time to adapt.
- A core requirement of PSD2 is Strong Customer Authentication (SCA), which mandates multi-factor authentication for online payments and account access.
- SCA requires meeting at least two out of three elements:
  - Knowledge (password, PIN)
  - Possession (mobile device, token)
  - Inherence (biometrics like fingerprint or face ID)
- Banks must decline transactions that require SCA but do not meet these factors.
- SCA applies to electronic transactions and account access across the EEA, but excludes merchant-initiated direct debits and in-person card payments (except contactless rules).
- Businesses must ensure their authentication flows comply to avoid increased payment failures after PSD2 enforcement.
- Implementing SCA can be simplified using SMS-based verification as the "possession" factor, paired with a verification tool for secure authentication.
- Bird’s SMS API helps companies meet SCA requirements by delivering OTPs reliably with high deliverability, geographic flexibility, and carrier-level failovers.
- Companies are advised to start testing early due to the sensitivity and criticality of payment flows.
- Bird offers internal SCA specialists to help companies architect and validate compliant flows.
Q&A Highlights
- What is PSD2? PSD2 is the European Union’s updated Payment Services Directive, designed to increase security, transparency, and innovation in payments.
- When does PSD2 enforcement begin? Although PSD2 formally began in 2019, enforcement of SCA was extended until 31 December 2020.
- What is Strong Customer Authentication (SCA)? SCA is a mandatory multi-factor authentication requirement for online payments and account access within the EEA.
- What three factors make up SCA? Knowledge (password/PIN), Possession (device), and Inherence (biometrics).
- When is SCA required? Each time a customer accesses an online payment account or initiates an electronic transaction within the EEA.
- Are any transactions exempt from SCA? Yes: merchant-initiated direct debits and most in-person card payments, except where contactless rules apply.
- What happens if SCA isn’t performed? Banks must decline the transaction.
- Does SCA apply to all European transactions? It applies to transactions where both the issuing and acquiring banks are located in the EEA.
What is PSD2?
The second Payment Services Directive (PSD2) was introduced on 8 October 2015 as a revision to the original Payment Services Directive. PSD2 went into effect on 14 September 2019, but due to delays, enforcement was extended until 31 December 2020.
PSD2 aims to improve the security of online payments in Europe and encourage innovation and collaboration between banks and fintech companies. A central requirement of the directive is Strong Customer Authentication (SCA).
What is SCA?
Strong Customer Authentication (SCA) is made up of three elements.

SCA authentication factors

| Factor | Description | Example |
| --- | --- | --- |
| Knowledge | Something the user knows | Password, PIN |
| Possession | Something the user has | Mobile phone, hardware token |
| Inherence | Something the user is | Fingerprint, face recognition |

- Knowledge: something only the user knows, such as a password or PIN
- Possession: something only the user possesses, such as a personal device (like a tablet or mobile phone)
- Inherence: something the user is, such as a fingerprint or face recognition
Why this matters: banks making transactions in Europe will be required to decline any payment that requires SCA but does not comply with these elements.
SCA is required each time a customer accesses their payment account online or initiates an electronic transaction. It is not applicable to merchant-initiated direct debits or in-person card payments outside of contactless payments. The requirements will apply to any transactions taking place in the EEA.
When SCA applies under PSD2

| Scenario | SCA required? |
| --- | --- |
| Online account access | Yes |
| Electronic payment initiation | Yes |
| Merchant-initiated direct debits | No |
| In-person card payments | No (except contactless rules) |
| Transactions within the EEA | Yes |

How can your business become SCA compliant?
A simple implementation approach
Example SCA implementation using SMS

| SCA element | Example implementation | Bird role |
| --- | --- | --- |
| Possession | One-time password via SMS | SMS API delivery |
| Knowledge or Inherence | PIN, password, or biometric | External verification tool |
| Transaction validation | OTP confirmation | High-deliverability messaging |

You can become SCA compliant by implementing two simple tools. All you need is the Bird SMS API combined with a Verification tool of your choice.
The Bird SMS API enables your business to send SMS messages at scale, around the world, with maximum message deliverability due to its built-in redundancies, failovers, and direct-to-carrier connections. Architected for geographic and regulatory differences, the SMS API is designed to deliver strategic global solutions.
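The approach described above, as an added example (not Bird's code or API): a server-side check that issues an SMS one-time password as the possession factor, pairs it with a password check, and declines unless the verified factors cover two different SCA elements. The `send_sms` callable, the five-minute lifetime, the three-attempt limit and the factor names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300  # assumed lifetime; not a value from the article
MAX_ATTEMPTS = 3       # assumed guess limit; not a value from the article
# Assumed factor names, mapped to the three SCA elements.
FACTOR_ELEMENT = {"password": "knowledge", "pin": "knowledge",
                  "sms_otp": "possession", "hardware_token": "possession",
                  "fingerprint": "inherence", "face": "inherence"}


class OtpChallenge:
    """One SMS one-time password, kept server-side only as a salted hash."""

    def __init__(self, send_sms, phone, now=time.time):
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, 6 digits
        self._salt = secrets.token_bytes(16)
        self._digest = self._hash(code)
        self._now = now
        self._expires = now() + OTP_TTL_SECONDS
        self._attempts = 0
        self._used = False
        send_sms(phone, f"Your payment code is {code}")  # hypothetical sender

    def _hash(self, code):
        return hashlib.sha256(self._salt + code.encode()).digest()

    def verify(self, submitted):
        expired = self._now() > self._expires
        if self._used or expired or self._attempts >= MAX_ATTEMPTS:
            return False
        self._attempts += 1
        ok = hmac.compare_digest(self._digest, self._hash(submitted))
        self._used = ok  # single use: a correct code cannot be replayed
        return ok


def sca_satisfied(verified_factors):
    """True only if the verified factors span two different SCA elements."""
    return len({FACTOR_ELEMENT[f] for f in verified_factors}) >= 2


def authorize_payment(password_ok, challenge, submitted_otp):
    """Approve only when knowledge and possession were both verified."""
    verified = ["password"] if password_ok else []
    if challenge.verify(submitted_otp):
        verified.append("sms_otp")
    return "approve" if sca_satisfied(verified) else "decline"
```

A password plus a PIN is declined by `sca_satisfied` because both belong to the knowledge element, while a PIN plus a fingerprint passes.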
While setup is straightforward, we would advise your business to start testing in the coming weeks due to the sensitivity of the directive. We have SCA experts on staff who would be happy to guide you through the process. Please reach out here.