Skip to main content

GLOSSARY

SCA

Strong Customer Authentication — the European requirement that online card payments be verified by two independent factors.

Strong Customer Authentication (SCA) is a regulatory requirement under the EU’s revised Payment Services Directive (PSD2). For most online card payments inside the EEA, the customer must authenticate using at least two of three factors:

  • Something they know (password, PIN)
  • Something they have (phone, hardware token)
  • Something they are (fingerprint, face)

In practice this usually means a 3D Secure 2 challenge: the customer’s bank prompts them via app or SMS to confirm the payment. Properly implemented, the challenge is invisible for low-risk transactions (frictionless flow) and only surfaces when the bank’s risk engine wants extra confirmation.

Kotao’s payments stack handles SCA automatically — both the 3DS challenge flow and the exemptions (low-value transactions, trusted-beneficiary lists, recurring transactions) that let the customer skip the challenge when it’s safe to. You don’t manage the protocol; you just see whether the payment succeeded.

All terms