What is SCA?
Strong Customer Authentication (SCA) is the PSD2 requirement (Article 97) that electronic payments be authenticated using at least two of three independent elements: knowledge (something only the user knows — password, PIN), possession (something only the user has — phone, hardware token), and inherence (something the user is — fingerprint, face). SCA aims to reduce payment fraud, particularly card-not-present fraud, and is operationalised through the RTS on SCA (Commission Delegated Regulation 2018/389).
When SCA is required
- Online payments above EUR 30 (or in some configurations EUR 50).
- Account access via online banking or TPP.
- Sensitive actions: adding a new payee, increasing transfer limits.
SCA exemptions
- Low value (LV): below EUR 30 with cumulative caps.
- Trusted beneficiaries (TB): recipients the consumer has whitelisted.
- Recurring transactions: after initial SCA, subsequent same-amount/same-payee transactions.
- Transaction Risk Analysis (TRA): issuer-side risk scoring, combined with low fraud rates, allows exemption up to value thresholds.
- Corporate payments: dedicated processes for non-consumer payments.
Dynamic linking
For remote electronic transactions, the SCA elements must dynamically link the authentication to the specific amount and payee, so a captured authentication cannot be replayed for a different transaction. Practical effect: the OTP message or push notification shows the amount and merchant, and the device cryptographically binds the consent.
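The binding described above, as an added example that is not from the original page or from the RTS text. It assumes the possession element computes an HMAC-SHA256 over the amount, currency, payee and a per-transaction nonce; the function names, field layout and sample values are hypothetical.

```python
import hashlib
import hmac
import secrets

def _canonical(amount_minor: int, currency: str, payee: str, nonce: bytes) -> bytes:
    """Length-prefix every field so adjacent fields cannot be shifted into each other."""
    fields = [str(amount_minor).encode(), currency.encode(), payee.encode(), nonce]
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)

def auth_code(device_key: bytes, amount_minor: int, currency: str,
              payee: str, nonce: bytes) -> str:
    """Code the device produces after showing the user the amount and payee."""
    msg = _canonical(amount_minor, currency, payee, nonce)
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()

def verify(device_key: bytes, code: str, amount_minor: int, currency: str,
           payee: str, nonce: bytes, used_nonces: set) -> bool:
    """Issuer-side check against the transaction that is actually being executed."""
    if nonce in used_nonces:              # the same code presented a second time
        return False
    expected = auth_code(device_key, amount_minor, currency, payee, nonce)
    if not hmac.compare_digest(expected, code):   # constant-time comparison
        return False
    used_nonces.add(nonce)                # consume the nonce only on success
    return True

def demo() -> dict:
    key = secrets.token_bytes(32)         # constructed device key
    nonce = secrets.token_bytes(16)       # constructed per-transaction challenge
    seen = set()
    # User approves EUR 49.99 (amount held in minor units) to "Example Shop".
    code = auth_code(key, 4999, "EUR", "Example Shop", nonce)
    return {
        "changed_amount": verify(key, code, 49990, "EUR", "Example Shop", nonce, seen),
        "changed_payee": verify(key, code, 4999, "EUR", "Other Payee", nonce, seen),
        "original": verify(key, code, 4999, "EUR", "Example Shop", nonce, seen),
        "second_use": verify(key, code, 4999, "EUR", "Example Shop", nonce, seen),
    }

if __name__ == "__main__":
    print(demo())
```

Only the transaction the user saw verifies; a changed amount, a changed payee, or a second presentation of the same code is rejected.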
SCA in Turkish payments
Strong customer authentication migrated from PSD2 into Turkish practice through TCMB- and BKM-administered rules: two of three factors (knowledge, possession, inherence), dynamic linking for remote payments, and an exemption architecture (low-value, transaction-risk-analysis, trusted beneficiaries, recurring payments) that determines conversion economics. Product teams should treat exemptions as a designed portfolio: who claims them (issuer versus acquirer), what fraud-rate thresholds they require, and what the liability shift costs when an exemption is used. Diligence on payment startups reads SCA posture directly in two numbers, fraud basis points and authentication-abandonment rate, and in whether the exemption logic is documented or improvised.