Banks (and issuers of payment cards) are faced with a question that is both simple and complex: how can the requirements of strong customer authentication (SCA) best be met, while giving the user a journey they enjoy and avoiding cart abandonment and other issues that merchants hate? And is there a way to turn this journey into a competitive advantage for an issuer?

Deliver SCA with 3DS for a competitive advantage
The EU’s PSD2 mandates strong customer authentication (SCA) and makes the issuer responsible for authentication. Using the 3DS protocol as the base for a solution can help an issuer move toward compliance, while delivering seamless journeys to the user and lowering cart abandonments for merchants. Such a solution would help an issuer stand out from its peers, while delivering usable data insights on its customers.

SCA lowers fraud
Industry watchers and insiders have known for years that SCA lowers card fraud, in particular for card-not-present (CNP) transactions. A recent report on payment fraud in the European Union and European Economic Area (EEA), published jointly by the European Central Bank and the European Banking Authority, explicitly states as much: “SCA-authenticated transactions displayed lower fraud rates than non-SCA transactions, especially for card payments. Furthermore, fraud rates for card payments were ten times higher when the counterpart was located outside the EEA, where the application of SCA is not legally required.” [1]
Delving deeper into the report produces further insights. “Remotely initiated payments” accounted for 82% of card fraud by value (corresponding to 80% by volume of transactions) in the first half of 2023. [2]
A press release from the ECB on the profile of payment choices in the euro area is also illuminating. It points out that total non-cash payments in the first half of 2024 rose by 7.4%, with card payments accounting for 56%. [3] Further, while remote transactions were only 18% of total card transactions in terms of number, their value was 28%. [4]
Yes, fraud is low in Europe. But, as card payments rise and CNP transactions grow, securing customers remains of the essence. Protecting the user was a driving force behind the second iteration of the EU’s Payment Services Directive, or PSD2. The requirement for SCA in customer-initiated online transactions (which are by definition CNP, or remote) is laid out clearly within PSD2. [5] Let’s consider how banks can protect the user, remain compliant, and provide a journey that suits everyone involved.
The issues before issuers
Among other questions, banks report these as significant challenges in the current environment:
- Compliance. Banking is a regulated industry, and with good reason. Yet compliance can be onerous, and certainly expensive to maintain, as the requirements can be dynamic.
- Technology. The threat landscape changes constantly, and the ways of dealing with all of the threats evolve just as quickly. Staying on top of all that technology can be daunting.
- Competition is fierce. Acquisition of new users is difficult and expensive. Additionally, fintechs and neobanks are digital-first in their DNA, and are perhaps better placed to cope with a new environment than established or legacy banks are.
Recognizing what a customer wants, and then delivering it, is clearly non-negotiable. “Banks want to prevent fraud,” noted Martina Forster, Portfolio Owner Payment & Identity at G+D Netcetera. “They also want to retain their customers and adapt to what they want so they can remain relevant in a quickly changing environment.”
Squaring these commercial and regulatory imperatives is a challenge. But it is one that banks have to contend with in Europe.
Stand out with 3DS
PSD2’s requirements can be a challenge. But every issuer has to deal with them. How you deal with them provides the point of difference that can help your organization stand out to customers.
Keep in mind that PSD2 doesn’t lay out how SCA has to be implemented. It stipulates that when a customer initiates a payment, banks and other payment service providers must ask the user for at least two of the following three elements:
- Knowledge: something only the user knows, e.g. a password or a PIN code
- Possession: something only the user possesses, e.g. a mobile phone, and
- Inherence: something the user is, e.g. the use of a fingerprint or voice recognition. [6]
Of the many solutions out there, one that meets a bank’s needs best would ideally have the following success factors:
- It should be flexible and configurable. The solution can adapt to whichever protocol or platform the bank chooses, whether over the bank’s own authenticator app with a TAN (transaction authentication number), a passkey, an OTP (one-time password), or similar.
- It should work with a bank’s own system.
A three-domain secure (3D-Secure or 3DS) solution meets these requirements. An issuer solution from a responsible vendor that incorporates the 3DS technical standard can go a long way toward answering the questions that are raised in the present environment. Crucially, the 3DS protocol is compliant under PSD2.
Some friction is a good thing
“When your phone goes ‘ping’ in your pocket, you know you’re being protected,” Forster pointed out. “As a customer, being asked to verify a transaction is reassuring.” In other words, PSD2 may have set out to protect customers by adding a mandatory layer of authentication, but in so doing it ensured that customers stayed involved in their payment journey.
There is a further benefit to a 3DS journey of this sort, she stated: it reinforces the customer’s relationship with their bank. As users spend less time face-to-face with representatives, being reminded of your issuer’s presence at your side – and in your wallet – can be invaluable.
Finding the right measure of friction in the user’s journey is key. Just enough to make them feel secure, but not enough to make them want to abandon their carts. A 3DS solution that can help deliver that carefully calibrated journey can really help a bank stand out in an increasingly crowded field.

Work with the right partner
What that looks like in practice is a 3DS solution that works with the best access control server (ACS). G+D Netcetera were brought on board by Erste Bank, a leading European financial service provider, in 2019. While Erste Bank had been aware of the benefits of 3DS, the adoption they were seeing up to that point didn’t meet the required standards, and there were challenges in the onboarding process that they wanted streamlined. One of the biggest benefits they isolated at Netcetera was its proprietary ACS.
Using risk-based authentication (RBA) – which takes in established patterns of customer behavior, device parameters, and transaction data – and machine learning, the ACS quickly evaluates whether a transaction requires further authentication or gets an outright rejection. Out-of-band (OOB) challenges were successfully integrated into Erste Bank’s flow, including through its own authenticator app. In these ways, the ACS was seamlessly placed within Erste Bank’s systems and its users’ journeys.
When PSD2 became a requirement in 2021, Erste Bank was already well ahead of the curve. Indeed, it reports a 3DS abandonment under 10%. Its success in delivering a seamless and frictionless experience to its customers through the 3DS authentication protocol is a test case in securing everyone involved, without sacrificing the comfort and ease of the user journey in CNP transactions.
This feeling of security and ease that a bank’s customers enjoy is a precious commodity, and it can really help an issuer stand out in a very crowded field.
Key takeaways
- Users want better journeys while shopping online, while merchants want cart conversions. SCA addresses the critical issue of security. The best solution would address all of these questions.
- The present iteration of EMVCo’s 3DS answers all these questions.
- Providing such a solution gives an issuing bank a competitive advantage over its peers, while furthering its ambition of providing a holistic environment that meets all its customers’ banking needs.
[1] ECB and EBA publish joint report on payment fraud, European Central Bank, 2024, https://shorturl.at/hEvuW
[2] Ibid.
[3] Payment statistics: second half of 2024, European Central Bank, 2025, https://shorturl.at/a2OLD
[4] Ibid.
[5] Making electronic payments and online banking safer and easier for consumers, European Commission, 2019, https://ec.europa.eu/commission/presscorner/detail/en/qanda_19_5555
[6] Ibid.
Published: 20/01/2026


