RD Virtual Card
RD Virtual Card

What Is Strong Customer Authentication? Definition, Payment Flow, and Examples

Quick answer

Strong Customer Authentication (SCA) is a regulatory requirement in some regions to verify a payer with independent factor categories, with scope and exemptions varying by jurisdiction. This guide focuses on SCA's real role, boundaries, and common points of confusion.

Last updated: 2026-07-14 · RDVCC Payments Research

Key points

  • Definition: Strong Customer Authentication (SCA) is a regulatory requirement in some regions to verify a payer with independent factor categories, with scope and exemptions varying by jurisdiction.
  • Flow position: Where applicable, SCA requires multiple elements from independent categories and can require dynamic linking to the amount and payee.
  • Do not confuse: SCA / 3D Secure

How it fits into the payment flow

For SCA, the relevant process is as follows: Where applicable, SCA requires multiple elements from independent categories and can require dynamic linking to the amount and payee. An OTP is one possible authentication tool, while AVS compares address information; neither automatically equals complete SCA.

A practical review of SCA should account for this: whether SCA is required, whether an exemption applies, and which provider owns the obligation depend on jurisdiction, transaction initiation, and provider roles. Users should authenticate only in a trusted issuer interface.

Practical example

Where SCA applies, the customer authenticates with independent element categories and the result is linked to amount and payee. Exemptions depend on the regulation and provider responsibilities.

How it differs from related terms

TermDefinition
Strong Customer Authenticationis a regulatory requirement in some regions to verify a payer with independent factor categories, with scope and exemptions varying by jurisdiction
3D Secureis a cardholder-authentication framework for card-not-present payments that exchanges risk and authentication data across three domains
One-time Passwordis a code valid for one action or a short period and can be an authentication factor without automatically constituting complete SCA

SCA focuses on the fact that it is a regulatory requirement in some regions to verify a payer with independent factor categories, with scope and exemptions varying by jurisdiction. 3D Secure, by contrast, is a cardholder-authentication framework for card-not-present payments that exchanges risk and authentication data across three domains. They can appear in one transaction while answering different questions.

Use cases and limits

A key limit of SCA is the following: SMS codes can be phished, redirected, or obtained through social engineering, and an address match is only one signal. No single result is absolute proof against fraud.

Frequently asked questions

These answers address two common search questions about SCA.

Is it the same as 3D Secure?

No. Strong Customer Authentication (SCA) is a regulatory requirement in some regions to verify a payer with independent factor categories, with scope and exemptions varying by jurisdiction. 3D Secure (3DS) is a cardholder-authentication framework for card-not-present payments that exchanges risk and authentication data across three domains. Compare the object, processing stage, and responsible party.

Does a one-time password by itself always satisfy strong customer authentication?

For SCA, no. SCA generally involves multiple independent element categories and applicable dynamic-linking rules. One OTP does not automatically prove compliance of the full flow.

Related glossary terms
Primary sources

These primary sources support the definition and process for SCA. Current product, network, and local rules still control a real transaction.