PSD2 Strong Customer Authentication

How smart cards enable PSD2 Strong Customer Authentication: possession factor, PIN knowledge, and biometric inherence.


The EU Payment Services Directive 2 (PSD2, Directive (EU) 2015/2366) introduced the Strong Customer Authentication (SCA) requirement for electronic payments in Article 97. SCA mandates that payment authentication use at least two of three independent factors: knowledge (something the cardholder knows), possession (something the cardholder has), and inherence (something the cardholder is), and that the factors be independent so that compromising one does not compromise the others. At the point of sale, smart cards are the primary possession factor in both contact and contactless payment flows.

SCA Factor Mapping

Factor        Smart card implementation
Possession    The physical smart card (the chip's Application Cryptogram, verified by the issuer, proves possession)
Knowledge     PIN entered at a PCI PTS-approved terminal
Inherence     On-card biometric match (fingerprint sensor cards)

An EMV chip transaction satisfies both possession (the Application Cryptogram generated by the card's secure element) and knowledge (PIN verification). Together they constitute SCA-compliant authentication without additional backend step-up.

Exemptions and Risk-Based Authentication

PSD2 Article 98 delegates the detail of SCA to the EBA Regulatory Technical Standards (RTS, Commission Delegated Regulation (EU) 2018/389). Chapter III of the RTS (Articles 10 to 18) defines the exemptions under which a payment service provider may skip SCA in low-risk scenarios:

Exemption                                 Conditions
Low-value contactless (Art. 11)           Transaction ≤ €50; cumulative ≤ €150 or ≤ 5 consecutive contactless transactions since the last SCA
Low-value remote (Art. 16)                Transaction ≤ €30; cumulative ≤ €100 or ≤ 5 remote transactions since the last SCA
Trusted beneficiaries (Art. 13)           Payee is on a list the cardholder created or confirmed with SCA
Recurring transactions (Art. 14)          Same amount, same payee; SCA applied when the series was set up
Transaction Risk Analysis (Art. 18)       Remote transactions only; the applying PSP's reference fraud rate is below the RTS threshold for the amount tier (€100 at 0.13 %, €250 at 0.06 %, €500 at 0.01 %)
Unattended transport / parking (Art. 12)  Unattended terminal used for transport fares or parking fees

Either the issuer or the acquirer may apply the TRA exemption using real-time fraud scoring, and liability follows whoever applied it: the issuer carries the loss on exemptions it applied itself, while for an acquirer-requested exemption the issuer refunds the cardholder and recovers the amount from the acquirer (PSD2 Article 74(2), which the card schemes implement through chargeback rights).
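The exemption table above and the counter-reset item in the compliance checklist below are easiest to see as one issuer-side decision function. The following is an added example, not scheme, EBA or issuer code: the thresholds are the ones in the RTS (Articles 11, 13, 14, 16 and 18), while the per-instrument state record, the names of the returned exemptions, and the choice to count the current transaction and every exempt transaction in the channel towards the cumulative limits are this example's assumptions.

```python
"""Issuer-side PSD2 SCA exemption evaluator with RTS cumulative counters.

Added example (not scheme or issuer code). Thresholds follow Delegated
Regulation (EU) 2018/389; the AccountState record and the counting rules
(current transaction included, every exempt transaction counted) are
assumptions made for this illustration."""
from dataclasses import dataclass, field
from typing import Optional, Set

# All amounts in EUR cents.
CONTACTLESS_MAX, CONTACTLESS_CUM_MAX, CONTACTLESS_COUNT_MAX = 50_00, 150_00, 5   # RTS Art. 11
REMOTE_LOW_MAX, REMOTE_LOW_CUM_MAX, REMOTE_LOW_COUNT_MAX = 30_00, 100_00, 5      # RTS Art. 16
TRA_TIERS = ((500_00, 0.01), (250_00, 0.06), (100_00, 0.13))                     # RTS Art. 18: (ceiling, max reference fraud rate %)


@dataclass
class AccountState:
    """Counters since the last SCA, kept separately for each channel (assumed record layout)."""
    contactless_value: int = 0
    contactless_count: int = 0
    remote_value: int = 0
    remote_count: int = 0
    trusted_payees: Set[str] = field(default_factory=set)   # Art. 13 list, confirmed with SCA


@dataclass
class Transaction:
    amount: int
    channel: str                              # "contactless" or "remote"
    payee: str = ""
    recurring_series_sca_done: bool = False   # Art. 14: SCA was applied when the series was set up
    same_amount_as_series: bool = False


def tra_ceiling(reference_fraud_rate_pct: float) -> int:
    """Highest amount exemptable under Art. 18 for the applying PSP's reference fraud rate."""
    return max((limit for limit, max_rate in TRA_TIERS if reference_fraud_rate_pct <= max_rate), default=0)


def _find_exemption(txn: Transaction, state: AccountState, fraud_rate_pct: float) -> Optional[str]:
    if txn.channel == "contactless":
        if (txn.amount <= CONTACTLESS_MAX
                and state.contactless_value + txn.amount <= CONTACTLESS_CUM_MAX
                and state.contactless_count + 1 <= CONTACTLESS_COUNT_MAX):
            return "art11_contactless_low_value"
        return None
    if txn.payee and txn.payee in state.trusted_payees:
        return "art13_trusted_beneficiary"
    if txn.recurring_series_sca_done and txn.same_amount_as_series:
        return "art14_recurring"
    if (txn.amount <= REMOTE_LOW_MAX
            and state.remote_value + txn.amount <= REMOTE_LOW_CUM_MAX
            and state.remote_count + 1 <= REMOTE_LOW_COUNT_MAX):
        return "art16_low_value_remote"
    if txn.amount <= tra_ceiling(fraud_rate_pct):
        return "art18_tra"
    return None


def evaluate(txn: Transaction, state: AccountState, fraud_rate_pct: float) -> Optional[str]:
    """Return the exemption applied, or None when SCA must be performed.

    Side effect on the counters: an exempt transaction is added to its channel's
    cumulative value and count; a transaction that goes through SCA resets them,
    which is the behaviour the Art. 11(b)/(c) and 16(b)/(c) wording "since the last
    application of SCA" requires."""
    exemption = _find_exemption(txn, state, fraud_rate_pct)
    if txn.channel == "contactless":
        if exemption is None:
            state.contactless_value = state.contactless_count = 0
        else:
            state.contactless_value += txn.amount
            state.contactless_count += 1
    else:
        if exemption is None:
            state.remote_value = state.remote_count = 0
        else:
            state.remote_value += txn.amount
            state.remote_count += 1
    return exemption


if __name__ == "__main__":
    s = AccountState()
    for amount in (40_00, 40_00, 40_00, 40_00):        # fourth tap breaches the EUR 150 cumulative cap
        print(amount, evaluate(Transaction(amount, "contactless"), s, 0.20), s.contactless_value, s.contactless_count)
```

Running the `__main__` block shows three exempt taps, then a fourth that requires a PIN and zeroes the counters. The same structure handles the five-tap rule and the remote channel; in particular a large trusted-beneficiary payment consumes the Art. 16 cumulative allowance for the following small remote transactions, which is the kind of interaction a monitoring rule should test for.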

3-D Secure 2 (3DS2) Flow

For card-not-present (e-commerce) transactions, EMV 3-D Secure version 2 (EMV 3DS2) provides the messaging layer through which the issuer's Access Control Server (ACS) performs SCA. The factors themselves come from the ACS challenge rather than from the card: possession is typically a mobile banking app bound to the device or an OTP delivered to a registered phone, knowledge a password or PIN, inherence a biometric checked by the app. The exchange:

Cardholder browser / merchant checkout
        │ 1. 3DS Method (device fingerprint collected for the ACS)
        ▼
    3DS Server (merchant / PSP)
        │ 2. Authentication Request (AReq)
        ▼
    Directory Server (Visa / Mastercard)
        │ 3. Route on card range to the issuer's ACS
        ▼
    Access Control Server (issuer)
        │ 4. Authentication Response (ARes): transStatus Y = frictionless, with
        │    authentication value and ECI; transStatus C = challenge required
        ▼
    Cardholder app / browser ◄──► ACS
        │ 5. Challenge (CReq / CRes): biometric, OTP, or out-of-band app approval
        ▼
    ACS → Directory Server → 3DS Server
        │ 6. Results (RReq / RRes) with authentication value (CAVV / AAV) and ECI
        ▼
    Authorisation on the normal card network, carrying the authentication value and ECI

The authentication value (CAVV, Cardholder Authentication Verification Value, on Visa; AAV on Mastercard) is generated by the ACS and travels with the authorisation message, where the issuer validates it. That is how the issuer's authorisation host knows that SCA was completed, or that a recorded exemption was applied, for this specific transaction, and it is the evidence the acquirer relies on for the liability shift. A frictionless flow, in which the ACS returns transStatus Y without challenging, is only lawful under PSD2 when an exemption covers the transaction (TRA, low-value remote ≤ €30, trusted beneficiary) or the transaction is outside PSD2 scope (for example merchant-initiated, or one-leg-out where one PSP is outside the EEA). The issuer's risk model satisfying itself is not a substitute for SCA.
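The exchange above, with the frictionless and challenge branches and the issuer-side validation of the authentication value, as an added example that is not EMVCo, scheme or vendor code. Message names and `transStatus` values follow the EMV 3DS 2.2 specification; the authentication value is modelled as an HMAC binding PAN, transaction identifier, amount and ECI, which is a stand-in for the schemes' own CAVV/AAV algorithms, and the issuer TRA ceiling, the OTP table, the shared key and the Visa-style ECI values (05 authenticated, 07 not authenticated, transStatus I for an acknowledged acquirer exemption) are assumptions.

```python
"""EMV 3-D Secure 2 exchange for a PSD2 card-not-present payment, end to end.

Added example (not EMVCo, scheme or vendor code). The authentication value is an
HMAC stand-in for CAVV/AAV; ACS_AV_KEY, ISSUER_TRA_LIMIT, OTP_BY_PAN and the
ECI coding are assumptions for this illustration."""
import hashlib
import hmac
import secrets

ACS_AV_KEY = b"acs-to-authorisation-host-key"   # assumption: issuer-internal key shared by ACS and auth host
ISSUER_TRA_LIMIT = 100_00                        # assumption: issuer sits in the EUR 100 / 0.13 % TRA tier
OTP_BY_PAN = {"4111111111111111": "482913"}      # constructed: the OTP the ACS delivered out of band
PENDING = {}                                     # acsTransID -> AReq waiting for a challenge result
RESULTS = {}                                     # threeDSServerTransID -> RReq as seen by the 3DS Server


def authentication_value(pan, server_trans_id, amount, eci):
    """Stand-in CAVV/AAV: a MAC that ties the result to PAN, transaction, amount and ECI."""
    msg = f"{pan}|{server_trans_id}|{amount}|{eci}".encode()
    return hmac.new(ACS_AV_KEY, msg, hashlib.sha256).hexdigest()[:28]


def build_areq(pan, amount, challenge_ind="01", device_fingerprint="3ds-method-ok"):
    """Step 2: the merchant's 3DS Server assembles the AReq once the 3DS Method has run.
    challenge_ind "05" = no challenge requested, TRA already performed by the acquirer."""
    return {"messageType": "AReq", "messageVersion": "2.2.0",
            "threeDSServerTransID": secrets.token_hex(8), "acctNumber": pan,
            "purchaseAmount": amount, "threeDSRequestorChallengeInd": challenge_ind,
            "deviceInfo": device_fingerprint}


def acs_handle_areq(areq):
    """Steps 3-4: the issuer ACS decides. Frictionless is only lawful under an exemption;
    an acquirer TRA request inside the issuer's ceiling is acknowledged with transStatus I
    and ECI 07 so liability stays with the acquirer. Everything else is challenged."""
    ares = {"messageType": "ARes", "threeDSServerTransID": areq["threeDSServerTransID"],
            "acsTransID": secrets.token_hex(8)}
    if areq["threeDSRequestorChallengeInd"] == "05" and areq["purchaseAmount"] <= ISSUER_TRA_LIMIT:
        ares.update(transStatus="I", eci="07")
        ares["authenticationValue"] = authentication_value(
            areq["acctNumber"], areq["threeDSServerTransID"], areq["purchaseAmount"], "07")
    else:
        ares["transStatus"] = "C"
        PENDING[ares["acsTransID"]] = areq
    return ares


def acs_handle_creq(creq):
    """Step 5-6: cardholder answers the challenge (CReq with the OTP). The ACS returns the
    CRes to the cardholder and posts the RReq with the outcome to the 3DS Server via the DS."""
    areq = PENDING[creq["acsTransID"]]
    ok = hmac.compare_digest(creq["challengeDataEntry"], OTP_BY_PAN.get(areq["acctNumber"], ""))
    rreq = {"messageType": "RReq", "threeDSServerTransID": areq["threeDSServerTransID"],
            "transStatus": "Y" if ok else "N", "eci": "05" if ok else "07"}
    if ok:
        PENDING.pop(creq["acsTransID"])
        rreq["authenticationValue"] = authentication_value(
            areq["acctNumber"], areq["threeDSServerTransID"], areq["purchaseAmount"], "05")
    RESULTS[areq["threeDSServerTransID"]] = rreq
    cres = {"messageType": "CRes", "acsTransID": creq["acsTransID"], "transStatus": rreq["transStatus"]}
    return cres, rreq


def authorise(pan, server_trans_id, amount, eci, auth_value):
    """Authorisation: the issuer host recomputes the authentication value from the
    authorisation fields. A changed amount or a forged value fails; ECI 05 means SCA was
    done and the issuer carries the loss, ECI 07 with a value means an acquirer exemption."""
    expected = authentication_value(pan, server_trans_id, amount, eci)
    if not hmac.compare_digest(expected, auth_value):
        return {"approved": False, "reason": "authenticationValue mismatch"}
    return {"approved": True, "liability": "issuer" if eci == "05" else "acquirer"}


def run_flow(pan, amount, otp=None, challenge_ind="01"):
    """Drive one transaction through AReq/ARes, the challenge if required, and authorisation."""
    areq = build_areq(pan, amount, challenge_ind)
    ares = acs_handle_areq(areq)                 # DS routing elided: a single issuer in this model
    if ares["transStatus"] == "C":
        creq = {"messageType": "CReq", "acsTransID": ares["acsTransID"], "challengeDataEntry": otp or ""}
        _cres, result = acs_handle_creq(creq)
    else:
        result = ares
    if result["transStatus"] not in ("Y", "I"):
        return {"approved": False, "reason": f"transStatus {result['transStatus']}"}
    return authorise(pan, areq["threeDSServerTransID"], amount, result["eci"], result["authenticationValue"])
```

Binding the amount into the authentication value is the detail worth copying: it means an authorisation for a different amount than the one the cardholder authenticated fails validation at the issuer instead of being silently accepted.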

Smart Card as Possession Factor in Remote Channels

Beyond contactless payments, smart cards serve as the SCA possession factor in:

  • Online banking with card reader: The cardholder inserts their EMV card into a standalone CAP/DPA (Chip Authentication Program / Dynamic Passcode Authentication) reader and enters the PIN. The reader issues Generate AC, optionally including a bank-supplied challenge and, in sign mode, the amount and destination account, and the card returns an ARQC computed with a symmetric session key derived from the card's application cryptogram key. The reader compresses the ATC and selected cryptogram bits into a decimal one-time code, which the bank verifies with its own copy of the key. The card thus acts as a hardware OTP token for the possession factor, with the PIN supplying knowledge.

  • Virtual card credentials: EMV Payment Tokenisation binds a network token to a specific device. With an embedded secure element the token keys live in hardware; with Host Card Emulation the token service provider provisions limited-use keys to the wallet app and replenishes them, so possession is proven by the device holding the current keys rather than by a secure element. In both cases the device is the possession factor and the consumer device CVM (device PIN or biometric) supplies the second factor.

  • PIV/CAC for government portals: PIV cards authenticate to online services by signing a challenge with the card's PIV Authentication private key, which the card only uses after PIN verification. Card plus PIN is a multi-factor cryptographic hardware authenticator under NIST SP 800-63B and meets AAL3.

SCA and PSD2 Liability Shift

Scenario                                                   Liability
SCA performed, fraud occurs                                Issuer bears the loss
SCA exemption applied by the issuer, fraud occurs          Issuer bears the loss
SCA exemption applied by the acquirer, fraud occurs        Acquirer bears the loss (issuer refunds the payer and recovers from the acquirer)
SCA not performed, no exemption applied, fraud occurs      Issuer refunds the payer and claims against the acquirer (PSD2 Art. 74(2))
Cardholder-initiated fraud (friendly fraud)                Varies by scheme chargeback rules

Compliance Checklist

  • [ ] Confirm that the contactless cumulative value and tap counters reset after every SCA (online PIN, chip-and-PIN contact transaction, or on-device CVM)
  • [ ] Verify that contactless transactions above €50, or beyond the €150 / 5-tap cumulative limit, require a CVM rather than bypassing the PIN
  • [ ] Test both the 3DS2 challenge flow and the frictionless flow against the issuer sandbox for every card product type, and confirm that the authentication value and ECI reach the authorisation message
  • [ ] Document the TRA exemption logic and the quarterly reference fraud rate monitoring that keeps it within the RTS thresholds
  • [ ] Review SCA exemption liability clauses in acquirer contracts against the liability table above

See the PCI PTS Guide for terminal security requirements supporting SCA, and the GDPR and Smart Card Data Guide for data protection requirements around authentication logs.
