What is SCA?
Strong Customer Authentication (SCA) is the PSD2 requirement (Article 97) that electronic payments be authenticated using at least two of three independent elements: knowledge (something only the user knows — password, PIN), possession (something only the user has — phone, hardware token), and inherence (something the user is — fingerprint, face). SCA aims to reduce payment fraud, particularly card-not-present fraud, and is operationalised through the RTS on SCA (Commission Delegated Regulation 2018/389).
When SCA is required
- Payer-initiated electronic payments, including online card payments. The EUR 30 (remote) and EUR 50 (contactless) figures are the single-transaction caps of the low-value exemptions below, not the point at which SCA starts to apply.
- Online access to a payment account, whether directly via online banking or through a third-party provider (TPP).
- Actions through a remote channel that may imply a risk of fraud or abuse: adding a new payee, increasing transfer limits.
SCA exemptions
- Low value (LV): remote payments of at most EUR 30, as long as the cumulative amount since the last SCA stays at or below EUR 100 or the number of consecutive transactions since the last SCA stays at or below five (the PSP may track either counter). The contactless POS equivalent is EUR 50 per transaction with EUR 150 or five transactions cumulative.
- Trusted beneficiaries (TB): payees the payer has added to a list held by the issuer (ASPSP); creating or amending the list itself requires SCA.
- Recurring transactions: after SCA on the first payment of a series, subsequent payments of the same amount to the same payee are exempt; a change of amount or payee falls outside this exemption.
- Transaction Risk Analysis (TRA): real-time risk scoring by a PSP whose reference fraud rate for remote card payments stays at or below 0.13%, 0.06% or 0.01% may exempt transactions up to EUR 100, EUR 250 or EUR 500 respectively. Either the issuer or the acquirer may apply it based on its own fraud rate, but the issuer makes the final decision.
- Corporate payments: dedicated processes and protocols for non-consumer payers, subject to approval by the competent authority.
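The exemption rules above are decision logic an issuer has to run per transaction, keeping per-account counters for the low-value window. The following is an added example, not the page's or any PSP's own code: an issuer-side exemption engine for remote card payments that applies the trusted-beneficiary, recurring, low-value and TRA rules in that order and resets the low-value counters whenever SCA is applied. The account state, payees, amounts and the issuer's fraud rate are constructed for the example; the low-value check enforces both the cumulative-amount and the count cap, which is the stricter of the two readings the RTS allows.

```python
from dataclasses import dataclass, field

# Added example, not the page's or any PSP's code. Amounts are in euro cents.
LV_SINGLE_LIMIT = 3000        # EUR 30 per remote transaction (RTS Art 16)
LV_CUMULATIVE_LIMIT = 10000   # EUR 100 cumulative since the last SCA
LV_MAX_COUNT = 5              # or five consecutive transactions since the last SCA

# RTS Art 18 / Annex, remote card payments: (max reference fraud rate, exemption threshold)
TRA_THRESHOLDS = [
    (0.0001, 50000),  # 0.01% -> EUR 500
    (0.0006, 25000),  # 0.06% -> EUR 250
    (0.0013, 10000),  # 0.13% -> EUR 100
]


@dataclass
class AccountState:
    """Per-payer state the issuer keeps between transactions (constructed)."""
    trusted_payees: set = field(default_factory=set)   # list managed under SCA (Art 13)
    recurring: dict = field(default_factory=dict)      # payee -> amount fixed at SCA-authenticated setup (Art 14)
    lv_sum_since_sca: int = 0
    lv_count_since_sca: int = 0


def tra_threshold(fraud_rate: float) -> int:
    """Largest amount the PSP may exempt under TRA given its reference fraud rate."""
    for max_rate, threshold in TRA_THRESHOLDS:
        if fraud_rate <= max_rate:
            return threshold
    return 0  # fraud rate above 0.13%: TRA is not available at all


def decide(state: AccountState, payee: str, amount: int, fraud_rate: float) -> str:
    """Return the exemption applied ('TB', 'RECURRING', 'LV', 'TRA') or 'SCA'.

    Side effect: maintains the low-value window counters; applying SCA resets them."""
    if payee in state.trusted_payees:
        return "TB"
    if state.recurring.get(payee) == amount:
        return "RECURRING"
    if (amount <= LV_SINGLE_LIMIT
            and state.lv_sum_since_sca + amount <= LV_CUMULATIVE_LIMIT
            and state.lv_count_since_sca < LV_MAX_COUNT):
        state.lv_sum_since_sca += amount
        state.lv_count_since_sca += 1
        return "LV"
    if amount <= tra_threshold(fraud_rate):
        return "TRA"  # real risk scoring would also look at device, velocity, etc.
    state.lv_sum_since_sca = 0   # SCA performed: the low-value window starts over
    state.lv_count_since_sca = 0
    return "SCA"


def run_scenario() -> list:
    """Constructed transaction stream for one payer; returns the decision per transaction."""
    state = AccountState(trusted_payees={"Utility Co"}, recurring={"StreamFlix": 1299})
    fraud_rate = 0.0010  # issuer's reference fraud rate 0.10% -> TRA up to EUR 100
    stream = [
        ("Utility Co", 18000),       # trusted beneficiary, amount irrelevant
        ("StreamFlix", 1299),        # recurring, same amount as at setup
        ("StreamFlix", 1999),        # amount changed: not recurring, but low value
        ("Coffee Shop", 1000),       # LV window: 2 of 5
        ("Coffee Shop", 1000),       # 3 of 5
        ("Coffee Shop", 1000),       # 4 of 5
        ("Coffee Shop", 1000),       # 5 of 5
        ("Coffee Shop", 1000),       # window exhausted -> falls through to TRA
        ("Electronics Store", 45000),  # above every threshold -> SCA, counters reset
        ("Coffee Shop", 9000),       # above EUR 30, within TRA threshold
        ("Electronics Store", 10001),  # one cent above the TRA threshold -> SCA
    ]
    return [decide(state, payee, amount, fraud_rate) for payee, amount in stream]


if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
```

Order matters: the trusted-beneficiary and recurring checks come first because they do not consume the low-value window, and TRA is tried last because it is the only exemption that depends on the PSP's fraud rate rather than on the account's history.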
Dynamic linking
For remote electronic transactions, the authentication code must be dynamically linked to the specific amount and payee: the payer is shown both before authenticating, the code is computed over them, and any change to either invalidates it, so a captured code cannot be replayed for a different transaction. Practical effect: the OTP message or push notification shows the amount and merchant, and the enrolled device cryptographically binds the payer's consent to exactly those values.
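The binding described above can be shown end to end with a keyed MAC. The following is an added example, not code from the page or from any issuer: the device computes an HMAC over the amount, currency, payee and a single-use challenge from the issuer, using a key provisioned to that device alone (the possession element), and the issuer recomputes the HMAC over the values it is about to execute. The device key, device id, transaction values and the retry limit of five failed attempts (RTS Article 4) are constructed or assumed for the example.

```python
import hashlib
import hmac
import secrets

# Added example, not from the page or any PSP. Key and id are constructed values;
# in practice the key is provisioned to the device at enrolment and never leaves it.
DEVICE_ID = "dev-7f3a"
DEVICE_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)
MAX_FAILED_ATTEMPTS = 5  # assumption based on RTS Art 4(3)(b): at most five consecutive failures


def linked_message(amount_minor: int, currency: str, payee: str, challenge: bytes) -> bytes:
    """Length-prefixed encoding of the fields the code is linked to.

    Length prefixes keep field boundaries unambiguous, so (amount '10', payee 'ACME')
    and (amount '1', payee '0ACME') can never produce the same MAC input."""
    out = b""
    for part in (str(amount_minor).encode(), currency.encode(), payee.encode(), challenge):
        out += len(part).to_bytes(2, "big") + part
    return out


def device_authentication_code(key: bytes, amount_minor: int, currency: str,
                               payee: str, challenge: bytes) -> str:
    """Device side: computed over exactly the amount and payee displayed to the payer."""
    return hmac.new(key, linked_message(amount_minor, currency, payee, challenge),
                    hashlib.sha256).hexdigest()


class Issuer:
    """Issuer/ASPSP side: hands out single-use challenges and verifies linked codes."""

    def __init__(self, device_keys: dict):
        self.device_keys = device_keys
        self.open = {}  # challenge -> [device_id, failed_attempts]

    def issue_challenge(self, device_id: str) -> bytes:
        challenge = secrets.token_bytes(16)
        self.open[challenge] = [device_id, 0]
        return challenge

    def authorise(self, challenge: bytes, amount_minor: int, currency: str,
                  payee: str, code: str) -> bool:
        """amount/payee are the values the issuer is about to execute, taken from
        the payment request itself, never values echoed back by the client."""
        state = self.open.get(challenge)
        if state is None:
            return False  # unknown, expired or already-used challenge: treat as replay
        device_id, _ = state
        expected = device_authentication_code(self.device_keys[device_id],
                                              amount_minor, currency, payee, challenge)
        if hmac.compare_digest(expected, code):
            del self.open[challenge]  # consumed on success: no second use
            return True
        state[1] += 1
        if state[1] >= MAX_FAILED_ATTEMPTS:
            del self.open[challenge]  # lock this challenge against further guesses
        return False


def run_scenario() -> dict:
    """One legitimate authorisation and three attacks that dynamic linking defeats."""
    issuer = Issuer({DEVICE_ID: DEVICE_KEY})
    challenge = issuer.issue_challenge(DEVICE_ID)
    # The payer sees "EUR 49.90 to ACME Store" on the enrolled device and approves it.
    code = device_authentication_code(DEVICE_KEY, 4990, "EUR", "ACME Store", challenge)

    results = {}
    # Attack 1: the code is intercepted and submitted with a larger amount.
    results["altered_amount"] = issuer.authorise(challenge, 99990, "EUR", "ACME Store", code)
    # Attack 2: same code, payee swapped for an attacker-controlled account.
    results["altered_payee"] = issuer.authorise(challenge, 4990, "EUR", "Mule Ltd", code)
    # Legitimate request carrying the values the payer consented to.
    results["legitimate"] = issuer.authorise(challenge, 4990, "EUR", "ACME Store", code)
    # Attack 3: exact replay of the successful request.
    results["replay"] = issuer.authorise(challenge, 4990, "EUR", "ACME Store", code)
    return results


if __name__ == "__main__":
    print(run_scenario())
```

Two design points carry the security: the issuer recomputes the MAC over the amount and payee from the payment request it will actually execute, so a browser-side or man-in-the-middle change to either is caught even though the payer authenticated correctly; and the challenge is consumed on success and capped on failure, so the same code cannot be presented twice.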
Application in Türkiye
BDDK and BKM card transaction standards apply SCA-equivalent two-factor authentication rules; in particular, 3D Secure 2.x adoption is established for Turkish card transactions. The BDDK Payment Services Communiqué (Ödeme Hizmetleri Tebliği) and sector practice operate customer risk-based exemption logic similar to the EU model. In Turkish e-commerce, PSPs (Iyzico, Craftgate, Param) bundle 3DS2 with risk scoring.
Do: implement 3DS 2.x for card payments; request risk-based exemptions where the PSP supports them to balance UX and fraud, and be ready to step up to a challenge when the issuer declines the exemption; track the low-value exemption windows (cumulative amount and transaction count since the last SCA).
Don't: attempt to bypass SCA through merchant-of-record offshoring without a strictly defined scope and the PSP's cooperation; the issuer decides, and it will still decline non-SCA transactions.