PSD2 is Approaching… Have You Started Testing SCA Compliance?

Bird

7 Jan 2022

Compliance


Key Takeaways

    • PSD2 (the second Payment Services Directive) is a European regulation designed to strengthen payment security, protect consumers, and drive collaboration between banks and fintechs.

    • Although PSD2 formally took effect in 2019, enforcement was extended until 31 December 2020 to give financial institutions more time to adapt.

    • A core requirement of PSD2 is Strong Customer Authentication (SCA), which mandates multi-factor authentication for online payments and account access.

    • SCA requires meeting at least two out of three elements:

      • Knowledge (password, PIN)

      • Possession (mobile device, token)

      • Inherence (biometrics like fingerprint or face ID)

    • Banks must decline transactions that require SCA but do not meet these factors.

    • SCA applies to electronic transactions and account access across the EEA, but excludes merchant-initiated direct debits and in-person card payments (except contactless rules).

    • Businesses must ensure their authentication flows comply to avoid increased payment failures after PSD2 enforcement.

    • Implementing SCA can be simplified using SMS-based verification as the “possession” factor, paired with a verification tool for secure authentication.

    • Bird’s SMS API helps companies meet SCA requirements by delivering OTPs reliably with high deliverability, geographic flexibility, and carrier-level failovers.

    • Companies are advised to start testing early due to the sensitivity and criticality of payment flows.

    • Bird offers internal SCA specialists to help companies architect and validate compliant flows.

Q&A Highlights

  • What is PSD2?

    PSD2 is the European Union’s updated Payment Services Directive, designed to increase security, transparency, and innovation in payments.

  • When does PSD2 enforcement begin?

    Although PSD2 formally began in 2019, enforcement of SCA was extended until 31 December 2020.

  • What is Strong Customer Authentication (SCA)?

    SCA is a mandatory multi-factor authentication requirement for online payments and account access within the EEA.

  • What three factors make up SCA?

    Knowledge (password/PIN), Possession (device), and Inherence (biometrics).

  • When is SCA required?

    Each time a customer accesses an online payment account or initiates an electronic transaction within the EEA.

  • Are any transactions exempt from SCA?

    Yes — merchant-initiated direct debits and most in-person card payments, except where contactless rules apply.

  • What happens if SCA isn’t performed?

    Banks must decline the transaction.

  • Does SCA apply to all European transactions?

    It applies to transactions where both the issuing and acquiring banks are located in the EEA.

  • How can businesses become SCA-compliant?

    By implementing multi-factor authentication flows that meet PSD2 requirements, often using SMS-based verification as the possession factor.

  • How does Bird help with SCA compliance?

    Its SMS API delivers verification codes reliably worldwide with high deliverability, failovers, and direct carrier routes.

  • Why is early testing important?

    SCA directly impacts payment flow continuity — businesses need time to validate and adjust to avoid failed transactions.

  • Does Bird offer implementation support?

    Yes — Bird provides SCA specialists who can guide companies through implementation and testing.

Financial institutions across the European Economic Area (EEA) are getting ready for PSD2 to come into full effect. Read more to see how your company can prepare itself.

What is PSD2?

The second Payment Services Directive (PSD2) was introduced on 8 October 2015 as a revision to the original Payment Services Directive. PSD2 went into effect on 14 September 2019, but due to delays an extension has been granted, and the directive will be enforced on 31 December 2020. PSD2 was created to ensure businesses appropriately authenticate online payments in Europe and to foster collaboration between banks and fintechs. A major part of the directive is Strong Customer Authentication, or SCA.

What is SCA?

Strong Customer Authentication (SCA) is made up of three elements, at least two of which must be met:

  1. Knowledge: something only the user knows, such as a password or PIN

  2. Possession: something only the user possesses, such as a personal device (like a tablet or mobile phone)

  3. Inherence: something the user is, such as a fingerprint or face recognition

Banks handling transactions in Europe must decline any payment that requires SCA but does not satisfy these elements.

SCA is required each time a customer accesses their payment account online or initiates an electronic transaction. It does not apply to merchant-initiated direct debits or to in-person card payments other than contactless payments. The requirements will apply to any transactions taking place in the EEA.


How can your business become SCA compliant?

You can become SCA compliant by implementing two simple tools. All you need is the Bird SMS API combined with a Verification tool of your choice.

The Bird SMS API enables your business to send SMS messages at scale, around the world, with maximum message deliverability due to its built-in redundancies, failovers, and direct-to-carrier connections. Architected for geographic and regulatory differences, the SMS API is designed to deliver strategic global solutions.
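To make the verification side concrete, here is an added example (not Bird's code and not its API) of a server-side SCA check that treats an SMS one-time code as the possession factor and approves only when two different element categories were verified. The class and function names, the 300-second lifetime and the five-attempt limit are assumptions chosen for illustration; sending the code by SMS is left to the caller.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300  # assumption: the page states no code lifetime
MAX_ATTEMPTS = 5       # assumption: the page states no attempt limit
CATEGORIES = {"knowledge", "possession", "inherence"}


class OtpChallenge:
    """One SMS code bound to a single login or payment attempt."""

    def __init__(self, now=None):
        start = time.time() if now is None else now
        self.expires_at = start + OTP_TTL_SECONDS
        self.salt = secrets.token_bytes(16)
        self.attempts = 0
        self.used = False
        self._digest = None

    def _hash(self, code):
        return hashlib.sha256(self.salt + code.encode()).digest()

    def issue(self):
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not random.randint
        self._digest = self._hash(code)           # keep only a salted hash
        return code  # pass to the SMS provider; do not log it

    def verify(self, submitted, now=None):
        now = time.time() if now is None else now
        if (self._digest is None or self.used or now > self.expires_at
                or self.attempts >= MAX_ATTEMPTS):
            return False
        self.attempts += 1
        if hmac.compare_digest(self._hash(submitted), self._digest):
            self.used = True  # single use: a replayed code is rejected
            return True
        return False


def sca_satisfied(verified):
    """verified: (category, method) pairs that passed. Two methods from the
    same category (password + PIN) still count as one element."""
    return len({cat for cat, _ in verified if cat in CATEGORIES}) >= 2


def authorize(password_ok, challenge, submitted_code, now=None):
    verified = [("knowledge", "password")] if password_ok else []
    if challenge.verify(submitted_code, now):
        verified.append(("possession", "sms_otp"))
    return "approve" if sca_satisfied(verified) else "decline"
```

When testing a flow, the negative cases matter as much as the happy path: replayed, expired and repeatedly guessed codes, and a correct code presented without the first factor, should all end in a decline.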

While setup is straightforward, we would advise your business to start testing in the coming weeks due to the sensitivity of the directive. We have SCA experts on staff who would be happy to guide you through the process. Please reach out here.


© 2025 Bird
