SCA: Strong Customer Authentication

Last updated: 2/9/2026
Reading time: 4 min

Full Name: Strong Customer Authentication

Definition

Strong Customer Authentication (SCA) is a regulatory requirement introduced by the European Union's revised Payment Services Directive (PSD2) that mandates multi-factor authentication for electronic payment transactions and certain other financial operations. SCA requires that authentication use at least two independent elements from three categories: knowledge (something only the user knows, such as a password or PIN), possession (something only the user possesses, such as a smartphone or hardware token), and inherence (something the user is, such as a fingerprint or facial recognition). The EUDI Wallet is uniquely positioned to satisfy SCA requirements because it inherently combines device possession (the smartphone containing the wallet's secure enclave and device-bound keys) with biometric inherence (fingerprint or face recognition for wallet activation), and can optionally include a knowledge factor (wallet PIN). This makes the EUDI Wallet a powerful tool for streamlining payment authentication across the European digital economy while maintaining the high security standards mandated by EU financial regulation.

SCA Requirements Under PSD2

PSD2's SCA requirements, which became fully enforceable across the EU in 2021, apply to customer-initiated electronic payments, access to online payment accounts, and actions through remote channels that may imply a risk of payment fraud. The Regulatory Technical Standards (RTS) on SCA specify that the authentication elements must be independent, meaning that the compromise of one element does not compromise the reliability of the others. The authentication must also include dynamic linking for payment transactions, binding the authentication to the specific amount and payee.

Dynamic linking is particularly important for the EUDI Wallet's role in payment authentication. When a user authorizes a payment through their EUDI Wallet, the authentication process must clearly show the payment amount and the payee to the user, and the resulting cryptographic proof must be bound to these specific values. This prevents an attacker from modifying the payment details after the user has authorized the transaction, a type of attack known as transaction manipulation.

SCA includes exemptions for low-value transactions (under 30 euros, up to a cumulative threshold), trusted beneficiaries, recurring payments of the same amount, and transactions assessed as low risk through transaction risk analysis. When the EUDI Wallet is used for payment authentication, these exemptions can be applied by the payment service provider, allowing a streamlined user experience for routine, low-risk payments while maintaining full SCA for higher-risk transactions.
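As an added illustration (not code from this page or from any wallet or payment service provider), the following Go snippet shows how a PSP could track the low-value exemption described above. The 30 euro per-transaction limit is from the text; the cumulative values (100 euros or 5 consecutive transactions since the last SCA, taken from Article 16 of the RTS on SCA) and the choice to enforce both cumulative limits together are assumptions of this example.

```go
package main

import "fmt"

// Cumulative-limit values from Article 16 of the RTS on SCA (assumption for
// this example; the glossary text only says "a cumulative threshold").
const (
	lowValueLimitCents   = 3000  // 30 EUR per transaction
	cumulativeLimitCents = 10000 // 100 EUR since the last SCA
	maxConsecutiveTx     = 5     // 5 transactions since the last SCA
)

// Account tracks low-value spend since the account holder last completed SCA.
type Account struct {
	SpentSinceSCACents int
	TxSinceSCA         int
}

// Decide returns true when full SCA is required for a remote payment of
// amountCents and updates the counters as the PSP would: every SCA resets
// them. The RTS lets a PSP pick either cumulative condition; this example
// conservatively enforces both.
func (a *Account) Decide(amountCents int) bool {
	if amountCents > lowValueLimitCents ||
		a.SpentSinceSCACents+amountCents > cumulativeLimitCents ||
		a.TxSinceSCA+1 > maxConsecutiveTx {
		// Exemption not available: apply SCA and start a fresh window.
		a.SpentSinceSCACents, a.TxSinceSCA = 0, 0
		return true
	}
	a.SpentSinceSCACents += amountCents
	a.TxSinceSCA++
	return false
}

func main() {
	var a Account
	// Constructed sequence: five 15 EUR payments, a sixth that exhausts the
	// count, then a 35 EUR payment above the per-transaction limit.
	for _, cents := range []int{1500, 1500, 1500, 1500, 1500, 1500, 3500} {
		fmt.Printf("%5d cents -> SCA required: %v\n", cents, a.Decide(cents))
	}
}
```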

EUDI Wallet as an SCA Solution

The EUDI Wallet's architecture makes it a natural SCA solution that exceeds the minimum requirements. The device possession factor is satisfied by the smartphone that contains the wallet's secure enclave, where the device-bound private keys are stored. These keys cannot be extracted from the secure enclave, ensuring that possession of the physical device is required for any authentication. The inherence factor is satisfied by the biometric authentication (fingerprint or facial recognition) required to unlock the wallet and authorize credential presentations.

For payment authentication specifically, the EUDI Wallet can present a payment credential or a qualified electronic attestation linked to the user's payment account. The presentation process includes the user reviewing the payment details on their device screen, authenticating with biometrics, and the wallet generating a cryptographic signature over the transaction details using the device-bound key. This signature serves as both the SCA proof and the dynamic link to the specific payment, satisfying all PSD2 requirements in a single, user-friendly step.
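To make the dynamic-linking requirement from the two passages above concrete, here is an added Go example (not the EUDI Wallet's or any PSP's code) in which a device-bound P-256 key signs the approved amount, payee and a PSP-supplied nonce, and verification fails as soon as any of those values is altered after authorization. The PaymentAuth structure, its JSON encoding and the sample values are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// PaymentAuth is what the user sees and approves on the wallet screen.
// Struct field order fixes the byte layout so wallet and PSP hash the same
// bytes (constructed format for this example, not the EUDI Wallet's own).
type PaymentAuth struct {
	AmountCents int64  `json:"amount_cents"`
	Currency    string `json:"currency"`
	Payee       string `json:"payee"`
	Nonce       string `json:"nonce"` // PSP-supplied challenge, blocks replay
}

// digest hashes the canonical encoding; Marshal cannot fail for these types.
func (p PaymentAuth) digest() []byte {
	b, _ := json.Marshal(p)
	h := sha256.Sum256(b)
	return h[:]
}

// Authorize models the wallet: after biometric unlock (not modelled here),
// the device-bound key signs exactly the details the user approved.
func Authorize(deviceKey *ecdsa.PrivateKey, approved PaymentAuth) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, deviceKey, approved.digest())
}

// Verify models the PSP: the signature is accepted only for the exact
// amount, payee and nonce it was produced over (the dynamic link).
func Verify(devicePub *ecdsa.PublicKey, received PaymentAuth, sig []byte) bool {
	return ecdsa.VerifyASN1(devicePub, received.digest(), sig)
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // device-bound key
	approved := PaymentAuth{AmountCents: 4999, Currency: "EUR", Payee: "DE89370400440532013000", Nonce: "c0ffee"}
	sig, _ := Authorize(key, approved)
	fmt.Println("genuine:", Verify(&key.PublicKey, approved, sig))
	tampered := approved
	tampered.AmountCents = 499900 // attacker edits the amount after approval
	fmt.Println("tampered amount:", Verify(&key.PublicKey, tampered, sig))
}
```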

The EUDI Wallet's selective disclosure capability adds a privacy advantage for payment authentication. While traditional SCA methods (such as SMS OTPs or banking app notifications) involve the payment service provider communicating directly with the customer's device, the EUDI Wallet allows the authentication to occur locally on the device without requiring real-time communication with the payment provider's servers. This reduces latency, improves reliability, and limits the data exposure associated with the authentication process.

Integration with European Payment Infrastructure

The convergence of the EUDI Wallet and European payment infrastructure represents a significant opportunity for both identity and financial services. The European Payments Initiative (EPI) and the digital euro project at the European Central Bank have both acknowledged the EUDI Wallet as a potential authentication mechanism for next-generation European payment solutions. By using the EUDI Wallet for both identity verification and payment authentication, the checkout experience can be dramatically simplified.

For online merchants, accepting the EUDI Wallet for SCA eliminates the need for separate 3D Secure redirects, SMS OTP verification, or banking app confirmations. The customer simply scans a QR code or taps a button to present their payment credential from the wallet, authenticating with a single biometric step. This reduction in friction is expected to decrease cart abandonment rates, which have been estimated at 20-30% due to SCA-related authentication challenges in European e-commerce.

For in-store payments, the EUDI Wallet can combine identity verification and payment authorization in a single gesture. A customer purchasing age-restricted goods could present both their age verification credential and their payment authorization from the same wallet in a single interaction, streamlining the checkout process while maintaining full regulatory compliance with both eIDAS 2.0 identity requirements and PSD2 payment authentication requirements.

Sources

Information verified against official sources (2/16/2026)

  1. EU Digital Identity Wallet Architecture and Reference Framework
  2. PSD2 - Payment Services Directive
