What is strong customer authentication?

Why am I recently being asked for more info every time I pay for something online?

As of September 2019, it is estimated that 95% of cardholder not present transactions require a step-up in security. The reason why is because of something called the Strong Customer Authentication (SCA) which is part of a set of laws governing payment of services. The end goal, which the UK authorities have committed to is that all transactions over €30 will require two independent sources of validation by March 2021.

What are two independent sources of validation? Simply put, it is either:

  • Something you know, (e.g. PIN)
  • Something you have (e.g. card/phone)
  • Something you are (e.g. fingerprint)


So, in person your card and your PIN will suffice. If buying something online, your details from your card will need to be accompanied by a second factor authentication, normally a code sent by text or email to you.


Why do some sites ask for a code now and others are the same as ever? The answer to this is simply that some organizations are quicker in complying with the new rules than others and the deadline is still 18 months away.


Is there are scam related to this that I should look out for? Fraudsters love using any innovation or change to try and catch us all out, and funnily enough this is no different. There are several large-scale spam campaigns already there with fake emails purporting to be from major banks trying to fool victims into clicking on a link to provide personal details with the claim that it is essential because of the new SCA rules. Please read our recent Scam Alert to learn more.

In summary, we see the SCA as a positive because it makes life harder for fraudsters and as another form of 2-factor authentication it is a good thing. However, fraudsters will try to exploit any changes or uncertainty and so we all need to stay vigilant.