# Strong Customer Authentication (SCA)

**Understanding Strong Customer Authentication (SCA) for Payments**

In today's digital age, ensuring the security of online transactions is crucial for businesses and customers. Strong Customer Authentication (SCA) is a regulatory requirement designed to add an extra layer of security to online payments, making them less prone to fraud. It helps verify the customer's identity, ensuring they are the rightful owner of the payment method.

#### **What is Strong Customer Authentication (SCA)?**

Strong Customer Authentication is a set of requirements to reduce fraud and enhance online payment security. It is part of the Payment Services Directive 2 (PSD2) regulations enforced in the European Union. SCA requires online transactions to use multi-factor authentication (MFA) to ensure that legitimate customers make the payments.

#### **Key Components of SCA**

To comply with SCA, businesses must use at least two of the following three authentication factors:

1. **Something the customer knows** (e.g., a password or PIN)
2. **Something the customer has** (e.g., a mobile phone or hardware token)
3. **Something the customer is** (e.g., a fingerprint or facial recognition)

#### **Multi-Factor Authentication (MFA) Using Username/Password and Authenticator Code**

One of the most common methods of meeting SCA requirements is through Multi-Factor Authentication (MFA). MFA enhances security by combining two of the three authentication factors.

For example, when making an online payment, a customer might first enter their username and password (something they know). Once these details are verified, the customer is prompted to enter a code generated by an authenticator app on their mobile phone (something they have). This code is typically time-sensitive, adding an extra layer of security, as it becomes invalid after a short period.

{% hint style="danger" %}
As part of SCA, users of Bird Pay must set up MFA using an authenticator to access it.
{% endhint %}

#### **5-Minute Session Timeout**

Another critical aspect of SCA is the implementation of session timeouts to prevent unauthorized access. A session timeout is a security feature that automatically logs a user out of their account after a certain period of inactivity. SCA guidelines recommend a timeout period of 5 minutes for online payment sessions. If a customer is inactive for over 5 minutes, they must re-authenticate by re-entering their credentials and authenticator code. This helps protect sensitive information and reduces the risk of unauthorized transactions.

{% hint style="warning" %}
With the setup of Bird Pay, a 5-minute session timeout automatically kicks in.
{% endhint %}

#### **Dynamic Linking**

Dynamic linking is a key component of SCA that ensures the authenticity of a transaction by linking the payment authorization to the specific amount and the payee. This means that, during the authentication process, the customer is shown the transaction details they are authorising, including the amount and the recipient's name.

If any changes are made to these details, the authentication is invalidated, and the customer must approve the transaction again. This prevents potential fraudsters from altering transaction details after the customer consents, ensuring that payments are secure and authorized by the rightful owner.
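The sketch below is an added example, not Bird Pay's implementation: it shows one way an authentication code can be bound to the amount and payee so that any later change fails verification. HMAC-SHA256, the per-transaction `nonce`, and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
from decimal import Decimal


def canonical_details(amount: str, currency: str, payee: str, nonce: str) -> bytes:
    """Serialise the details the customer saw into one unambiguous byte string."""
    raw = Decimal(amount)
    value = raw.quantize(Decimal("0.01"))  # assumption: two-decimal currency
    if value != raw:
        raise ValueError("amount has more than two decimal places")
    fields = [str(value), currency.upper(), payee.strip(), nonce]
    # Length-prefix every field so bytes cannot move from one field to the next.
    return b"".join(
        len(f.encode()).to_bytes(2, "big") + f.encode() for f in fields
    )


def issue_auth_code(key: bytes, amount: str, currency: str, payee: str, nonce: str) -> str:
    """Authentication code produced once the customer approves these details."""
    message = canonical_details(amount, currency, payee, nonce)
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_auth_code(key, code, amount, currency, payee, nonce) -> bool:
    """Recompute the code from the details being executed; compare in constant time."""
    expected = issue_auth_code(key, amount, currency, payee, nonce)
    return hmac.compare_digest(expected.encode(), code.encode())


if __name__ == "__main__":
    key = bytes(32)  # constructed demo key, never hard-code a real one
    nonce = "txn-0001"  # constructed per-transaction value
    code = issue_auth_code(key, "49.90", "EUR", "Example Shop Ltd", nonce)
    print(verify_auth_code(key, code, "49.90", "EUR", "Example Shop Ltd", nonce))
    print(verify_auth_code(key, code, "499.00", "EUR", "Example Shop Ltd", nonce))
    print(verify_auth_code(key, code, "49.90", "EUR", "Another Payee", nonce))
```

Verification must run against the details actually being executed, not the details echoed back by the client, otherwise the binding checks nothing.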

#### **Why is SCA Important?**

SCA is essential because it helps protect customers from online payment fraud and enhances trust in digital transactions. SCA significantly reduces the likelihood of unauthorized payments and fraudulent activity by requiring multi-factor authentication, session timeouts, and dynamic linking.

For businesses, complying with SCA means adhering to regulatory requirements and providing a secure payment experience for customers. This not only helps in reducing fraud but also boosts customer confidence and loyalty.


