PSD2 is Approaching… Have You Started Testing SCA Compliance?
Bird
Jan 7, 2022
Compliance

Key Takeaways
PSD2 (the second Payment Services Directive) is a European regulation designed to strengthen payment security, protect consumers, and drive collaboration between banks and fintechs.
Although PSD2 formally took effect in 2019, enforcement was extended until 31 December 2020 to give financial institutions more time to adapt.
A core requirement of PSD2 is Strong Customer Authentication (SCA), which mandates multi-factor authentication for online payments and account access.
SCA requires meeting at least two out of three elements:
Knowledge (password, PIN)
Possession (mobile device, token)
Inherence (biometrics like fingerprint or face ID)
Banks must decline transactions that require SCA but do not satisfy at least two of these elements.
SCA applies to electronic transactions and account access across the EEA, but excludes merchant-initiated direct debits and in-person card payments (except where contactless rules apply).
Businesses must ensure their authentication flows comply to avoid increased payment failures after PSD2 enforcement.
Implementing SCA can be simplified using SMS-based verification as the “possession” factor, paired with a verification tool for secure authentication.
Bird’s SMS API helps companies meet SCA requirements by delivering OTPs reliably with high deliverability, geographic flexibility, and carrier-level failovers.
Companies are advised to start testing early due to the sensitivity and criticality of payment flows.
Bird offers internal SCA specialists to help companies architect and validate compliant flows.
Q&A Highlights
What is PSD2?
PSD2 is the European Union’s updated Payment Services Directive, designed to increase security, transparency, and innovation in payments.
When does PSD2 enforcement begin?
Although PSD2 formally began in 2019, enforcement of SCA was extended until 31 December 2020.
What is Strong Customer Authentication (SCA)?
SCA is a mandatory multi-factor authentication requirement for online payments and account access within the EEA.
What three factors make up SCA?
Knowledge (password/PIN), Possession (device), and Inherence (biometrics).
When is SCA required?
Each time a customer accesses an online payment account or initiates an electronic transaction within the EEA.
Are any transactions exempt from SCA?
Yes — merchant-initiated direct debits and most in-person card payments, except where contactless rules apply.
What happens if SCA isn’t performed?
Banks must decline the transaction.
Does SCA apply to all European transactions?
It applies to transactions where both the issuing and acquiring banks are located in the EEA.
How can businesses become SCA-compliant?
By implementing multi-factor authentication flows that meet PSD2 requirements, often using SMS-based verification as the possession factor.
How does Bird help with SCA compliance?
Its SMS API delivers verification codes reliably worldwide with high deliverability, failovers, and direct carrier routes.
Why is early testing important?
SCA directly impacts payment flow continuity — businesses need time to validate and adjust to avoid failed transactions.
Does Bird offer implementation support?
Yes — Bird provides SCA specialists who can guide companies through implementation and testing.



