Introduction
Strong Customer Authentication (SCA) is a regulatory standard designed to reduce fraud and enhance the security of electronic payments. It requires that the payer be authenticated with at least two independent factors before a transaction is executed. The factors must be independent, so that the compromise of one (a phished password, a stolen phone) does not by itself compromise the others, and they must be protected against tampering and replay. Legal requirements around SCA vary across jurisdictions, but the concept has become globally significant with the rise in cybercrime, identity theft, and unauthorized digital payments.
This in-depth analysis explains what SCA means, its legal basis in India and globally, its requirements, exceptions, implementation methods, and compliance practices across sectors like banking, fintech, and e-commerce.
1. What Is Strong Customer Authentication (SCA)?
Strong Customer Authentication refers to a multi-factor authentication (MFA) process that uses at least two of the following three categories of elements:
- Something the user knows (e.g., password, PIN)
- Something the user has (e.g., mobile phone, smart card, OTP device)
- Something the user is (e.g., fingerprint, facial recognition, iris scan)
Two elements from the same category (a password and a PIN) do not make two factors. The factors must also be independent, so that the breach of one does not compromise the others; an SMS OTP received on the same phone on which the banking app runs is the usual weak point, and PSD2's technical standards require specific mitigations when more than one element is used through such a multi-purpose device. SCA typically applies when accessing payment accounts online, initiating electronic payments, or performing actions that could pose a risk of fraud.
2. Global Legal Standards for SCA
Globally, different regions have adopted their own legal frameworks to enforce SCA.
- European Union (EU): Under PSD2 (Revised Payment Services Directive) and its Regulatory Technical Standards, SCA applies to electronic payments and online account access within the EEA, subject to defined exemptions. The standards applied from 14 September 2019; for e-commerce card payments, supervisors allowed a transition period that ended on 31 December 2020, so full enforcement began on 1 January 2021.
- United Kingdom: Post-Brexit, the UK retained the SCA requirement in its own rules, enforced by the Financial Conduct Authority (FCA); the FCA's deadline for e-commerce card payments was 14 March 2022.
- United States: There is no direct SCA law. The FFIEC and NIST issue guidance calling for multi-factor authentication, and the PCI DSS industry standard requires MFA for access to cardholder data environments; none of these is a payment-authentication mandate comparable to PSD2.
- India: The Reserve Bank of India (RBI) mandates an additional factor of authentication (AFA, commonly called two-factor authentication or 2FA) for card-not-present (CNP) transactions, mobile banking, and other forms of digital payment.
While the terminology varies, the principles of SCA (secure, layered, and customer-specific authentication) are widely accepted.
3. Legal Framework for SCA in India
India has taken a proactive approach to payment security through regulations enforced by the RBI and supported by other authorities like NPCI and SEBI.
a. Two-Factor Authentication (2FA)
- RBI's directive of February 2009, effective from 1 August 2009, requires an additional factor of authentication for all domestic card-not-present transactions (e.g., online purchases).
- In practice the card details (number, expiry, CVV) act as the first factor and a One-Time Password (OTP) sent to the registered mobile number, or a 3-D Secure password, serves as the second. Card details are a weak possession factor: they are static and are disclosed to every merchant the card is used at, so the OTP carries most of the security.
- RBI circulars treat this as non-negotiable for transactions on Indian cards, regardless of card brand.
b. Authentication for UPI and Mobile Payments
- UPI authenticates with the registered mobile device (factor 1, possession) and the UPI PIN (factor 2, knowledge).
- Possession is established by device binding: during onboarding the app sends an SMS from the handset so the registered mobile number is tied to that device and SIM, and the app then protects itself with its own login credential (app PIN, pattern or biometric).
- NPCI requires UPI apps to implement secure onboarding, OTP-based verification of the mobile number, and UPI PIN entry for every transaction; the exception is UPI Lite, where small-value payments are debited from a prefunded on-device balance without a PIN.
c. e-Mandates and Auto-Debits
- RBI's framework for recurring transactions on cards, prepaid instruments and UPI (issued in August 2019 and enforced from 1 October 2021) requires AFA when an e-mandate is registered, a pre-debit notification to the customer at least 24 hours before each debit, and AFA for each individual debit above the threshold. The threshold was ₹5,000 at launch and was raised to ₹15,000 in June 2022.
- Any change to mandate details must be authenticated afresh, and the customer must be given a facility to withdraw the mandate.
d. Biometric Authentication and Aadhaar
- Aadhaar-enabled Payment System (AEPS) transactions authenticate with the customer's Aadhaar number and a biometric (fingerprint or iris, factor 3) captured on a UIDAI-registered device and verified by UIDAI. The registered device signs and encrypts the biometric at capture, which binds the attempt to a known terminal rather than to the customer's own phone; an Aadhaar OTP to the registered mobile number is the fallback where biometric capture is not possible.
e. Digital Lending and Fintech Platforms
- RBI's guidelines on digital lending require that every lending transaction through an app leave a consent-based, auditable, and securely authenticated digital trail.
- Authentication must comply with digital KYC norms and use secure API-based integrations for identity and payment validation.
4. Key Legal Requirements of SCA in Online Transactions
To meet SCA compliance under Indian and global frameworks, businesses must adhere to these core legal principles:
- Multi-Factor Authentication: At least two independent factors from the categories mentioned above must be used.
- Dynamic Linking: Under PSD2 the authentication code must be dynamically linked to the transaction amount and payee, so that a code obtained for one payment cannot be used to approve a different one. In India this is not a formal requirement, although the OTP message that Indian issuers send typically states the amount and merchant for the customer to check.
- Unique and Non-Reusable Authentication: OTPs, digital signatures, or biometric tokens must be unique to the attempt, time-limited, and rejected on reuse.
- Consent and Transparency: Customers must be informed about the authentication steps and any data used during the process.
- Transaction Monitoring: Institutions must detect anomalies and flag high-risk transactions using risk-based monitoring (device, location, velocity, amount).
- Fallback and Exception Management: If one method fails, a secure fallback must be available, and the fallback must not be weaker than the primary method it replaces.
5. Exceptions and Exemptions to SCA
Certain transactions may be exempted from SCA under specific conditions. These exemptions are often allowed to improve user experience without compromising security.
- Low-Value Transactions: Since December 2016 RBI has permitted card networks to offer solutions under which a card registered once with AFA can be used for CNP transactions up to ₹2,000 without a further AFA; issuers opt in, so this is discretionary.
- Trusted Beneficiaries: Under PSD2, payees that a customer has placed on a whitelist using SCA can be exempted from repeated SCA on later payments.
- Corporate Payments: PSD2 also exempts payments made through dedicated secure corporate processes or protocols (e.g., host-to-host integration) that the regulator accepts as offering equivalent security.
- Recurring Payments: Under RBI's e-mandate framework, a mandate registered with AFA can be debited without further AFA for amounts up to ₹15,000, provided the pre-debit notification is sent.
- Contactless Payments: Since 1 January 2021, contactless card transactions up to ₹5,000 may be made without a PIN, at the customer's option.
Note: These exemptions are subject to risk analysis, transaction history, and regulatory conditions and cannot be applied indiscriminately; under PSD2, for example, the transaction-risk-analysis exemption is tied to the provider's fraud rate and is withdrawn if that rate rises above the reference threshold.
6. Role of Technology in Implementing SCA
Modern authentication solutions integrate legal requirements using advanced technology:
- OTP-based Authentication: Sent via SMS or email, or generated locally by a mobile app or hardware token (TOTP/HOTP); app- or token-generated codes avoid the SIM-swap and SMS-interception risks of SMS delivery.
- Biometric Authentication: Facial recognition, fingerprint, and iris scan, either through Aadhaar or verified locally by the mobile device's secure hardware to unlock a device-bound key.
- Tokenization: Card details are replaced with a network-issued token scoped to a merchant or device (mandatory in India for card-on-file data since 1 October 2022). Tokenization limits the damage from a merchant breach; it does not by itself authenticate the customer and is used alongside AFA, not instead of it.
- Device Binding: Ties the user's account to a specific mobile device with a cryptographic key generated on, and ideally kept in, the device's secure hardware, so that the device itself becomes the possession factor.
- Secure APIs and SDKs: Built against standards such as FIDO2/WebAuthn for authenticators, PCI DSS for handling card data, and ISO/IEC 27001 for the surrounding security management system.
- Behavioral Analytics: Risk-scoring systems, often AI-driven, detect anomalies in user behavior (location, device, transaction size, velocity) and step up authentication when the risk is high.
These tools are integrated into banking apps, wallets, and payment gateways to fulfill both legal and operational SCA requirements.
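The two mechanisms named in sections 4 and 6, an authentication code that is dynamically linked to the amount and payee and usable only once, and a device bound to the account by a cryptographic key, are easiest to see in code. The following Python sketch is an added example written for this page, not code from any bank, NPCI, or PSD2 implementation. It assumes a symmetric key provisioned to the device at enrollment (a simplification: a production app would generate an asymmetric key in the device's secure hardware and the server would verify a signature), and it uses a hypothetical in-memory AuthServer class with constructed device identifiers, amounts, and payee names; amount_paise is the amount in paise to keep money out of floating point.

```python
"""Device-bound, dynamically linked transaction approval (added example).

Server side of an app-based second factor: a key is provisioned to the
customer's device at enrollment (possession factor), and each approval code
is an HMAC over a server nonce plus the exact amount and payee shown to the
customer, so the code is valid for that one transaction and nothing else.
Symmetric HMAC is an assumption made for a stdlib-only example; a real
deployment would keep an asymmetric key in the device's secure hardware.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Challenge:
    nonce: str
    amount_paise: int  # money in the smallest unit; never floats
    payee: str
    issued_at: float
    used: bool = False  # flipped on success so the code cannot be replayed


def canonical_message(nonce: str, amount_paise: int, payee: str) -> bytes:
    """Unambiguous encoding: each field is length-prefixed, so no two
    (nonce, amount, payee) triples can serialise to the same bytes."""
    parts = [nonce.encode(), str(amount_paise).encode(), payee.encode("utf-8")]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def device_approve(device_key: bytes, nonce: str, amount_paise: int, payee: str) -> str:
    """What the enrolled device computes after the customer confirms the
    amount and payee on screen. Dynamic linking: amount and payee are inputs."""
    msg = canonical_message(nonce, amount_paise, payee)
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


class AuthServer:
    """Hypothetical in-memory issuer-side verifier (constructed for this example)."""

    def __init__(self, ttl_seconds: int = 120):
        self.device_keys: Dict[str, bytes] = {}     # device_id -> key bound at enrollment
        self.challenges: Dict[str, Challenge] = {}  # nonce -> challenge
        self.ttl = ttl_seconds

    def enroll_device(self, device_id: str) -> bytes:
        """Device binding: a fresh random key per device, provisioned once."""
        key = secrets.token_bytes(32)
        self.device_keys[device_id] = key
        return key

    def issue_challenge(self, amount_paise: int, payee: str, now: Optional[float] = None) -> str:
        """Record what the customer will be shown and hand out a one-time nonce."""
        nonce = secrets.token_hex(16)
        issued = time.time() if now is None else now
        self.challenges[nonce] = Challenge(nonce, amount_paise, payee, issued)
        return nonce

    def verify(self, device_id: str, nonce: str, amount_paise: int, payee: str,
               code: str, now: Optional[float] = None) -> Tuple[bool, str]:
        """Check the code against the transaction that is about to be executed."""
        now = time.time() if now is None else now
        key = self.device_keys.get(device_id)
        if key is None:
            return False, "unknown device"
        ch = self.challenges.get(nonce)
        if ch is None:
            return False, "unknown challenge"
        if ch.used:
            return False, "challenge already used"
        if now - ch.issued_at > self.ttl:
            return False, "challenge expired"
        # Recompute over the amount and payee the server would actually execute,
        # not over whatever the client claims it displayed.
        expected = hmac.new(key, canonical_message(nonce, amount_paise, payee),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, code):
            return False, "code not valid for this device and transaction"
        ch.used = True
        return True, "approved"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Walk through the honest path and the failure modes, in order."""
    srv = AuthServer()
    key_a = srv.enroll_device("dev-A")
    key_b = srv.enroll_device("dev-B")
    nonce = srv.issue_challenge(50_000, "MERCHANT-A")  # the customer approves 500.00 rupees
    code = device_approve(key_a, nonce, 50_000, "MERCHANT-A")
    return {
        # attacker bumps the amount after the customer approved
        "tampered_amount": srv.verify("dev-A", nonce, 500_000, "MERCHANT-A", code),
        # attacker redirects the approved amount to a different payee
        "tampered_payee": srv.verify("dev-A", nonce, 50_000, "MERCHANT-B", code),
        # a code computed by a different enrolled device
        "wrong_device": srv.verify("dev-A", nonce, 50_000, "MERCHANT-A",
                                   device_approve(key_b, nonce, 50_000, "MERCHANT-A")),
        "honest": srv.verify("dev-A", nonce, 50_000, "MERCHANT-A", code),
        # the same valid code submitted a second time
        "replay": srv.verify("dev-A", nonce, 50_000, "MERCHANT-A", code),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:16s} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

Three things to notice: the code is an HMAC over the server nonce plus the exact amount and payee, so a code approved for one payment fails for any other amount or payee; the nonce is marked used on success, so the same code cannot be replayed; and an unenrolled device is rejected before any cryptography runs. If the code were truncated to six digits for manual entry, as an SMS OTP is, the verifier would also need an attempt counter that invalidates the challenge after a few failures, because a short code can be guessed.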
7. Compliance Enforcement and Penalties
Regulators strictly monitor compliance with SCA mandates:
- RBI Penalties: Banks and payment system operators failing to implement the required authentication can face monetary penalties, business restrictions, or directed audits.
- Data Protection Regulations: Under India's Digital Personal Data Protection Act (DPDPA), 2023, authentication data that identifies an individual (phone numbers, biometrics, device identifiers) is personal data and must be processed under the Act's consent and reasonable-security-safeguard provisions.
- Consumer Complaints and Grievance Redressal: RBI's 2017 framework on limiting customer liability for unauthorised electronic banking transactions gives the customer zero liability where the loss results from a deficiency on the bank's side, whether or not the customer reported it, and zero liability for a third-party breach reported within three working days; liability is capped where the report comes within four to seven working days.
For instance, if a user's OTP is intercepted because of a platform's insecure delivery channel, the platform bears the loss from the resulting unauthorized transaction.
8. Sectoral Guidelines on SCA
Beyond RBI, other Indian regulators have issued SCA-related mandates:
- SEBI: Broker and depository platforms must enforce 2FA for login to investment and trading accounts and for transactions.
- IRDAI: Insurance providers must implement SCA when processing online premium payments, KYC, or policy issuance.
- NPCI: Oversees authentication in UPI, AEPS, IMPS, and RuPay transactions, with mandatory PIN or biometric validation.
Cross-sectoral integration ensures that SCA compliance becomes a uniform security standard for all financial and digital services.
9. International Trends and Lessons for India
The PSD2 regulation in Europe introduced dynamic linking, where the authentication code must be cryptographically tied to the specific transaction details (amount, payee) and is invalid for any other transaction, a requirement not yet formalised in India. Similarly, FIDO2-based passwordless authentication, already widespread in the U.S. and EU, is gaining ground in India through biometric and device-level credentials. Together these point to SCA evolving toward passwordless, device-bound, biometric, and risk-scored (often AI-driven) systems that combine usability with stringent legal compliance.
Conclusion
Strong Customer Authentication (SCA) is a cornerstone of digital payment security and consumer trust. In India, SCA is legally mandated by the RBI and supported by frameworks across banking, fintech, insurance, and securities sectors. The legal requirements focus on multi-factor authentication, transaction security, customer consent, and exemption management. As the digital economy expands, institutions must continually upgrade their authentication infrastructure to meet evolving threats and remain compliant. By blending regulatory mandates with innovative technologies, SCA ensures a safer, more trustworthy ecosystem for online transactions in India and beyond.