The Revised Payment Services Directive (PSD2) in Europe requires that electronic payments and access to payment accounts be protected by Strong Customer Authentication (SCA). In practice, that usually means two-factor authentication: two independent factors drawn from something the user knows (e.g. PIN), something they have (e.g. phone or token), and something they are (e.g. biometric). If you’re building an open banking or payment product—in the EU, UK, or in jurisdictions that follow similar rules—your flows need to work with SCA, not around it.
When is SCA required?
SCA is required when the user (1) accesses payment account information online, (2) initiates an electronic payment, or (3) carries out any action that might imply a risk of fraud. So when your app asks the bank for account data or initiates a payment, the bank will typically require SCA before releasing data or executing the payment. The user is redirected to the bank (or the bank’s embedded flow), completes SCA there, and is sent back to your app with an auth code. Your backend then exchanges that code for an access token. That’s the flow we implement when we build open banking auth for clients.
Exemptions
PSD2 allows exemptions in certain cases: low-value transactions (e.g. under €30), trusted beneficiaries, recurring payments, and others. Banks and regulators may apply them differently. If your product relies on an exemption, you need to understand the local rules and the bank’s policy. Even with exemptions, the trend is toward more consistent SCA, so designing your consent and redirect flow with SCA in mind is safer long term.
What it means for your product
Your product doesn’t perform SCA itself—the bank does. Your job is to (1) get the user to the bank’s auth page with the right parameters (e.g. consent ID, redirect URI), (2) receive the callback with the auth code, and (3) exchange the code for a token and store it securely. The user experience is: “Click to connect your bank” → redirect → bank login/OTP/biometric → redirect back to your app. We build this redirect and token-exchange flow so that your app stays compliant and your users get a smooth, secure experience. We’ve done it for clients like Meras and Infinipi and can do it for your product in Pakistan or elsewhere.
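The redirect-and-callback flow described above, as an added backend example (not code from the original post or from any bank's SDK). The authorization endpoint, the `consent_id` parameter name, the client ID and the redirect URI are placeholders; each bank publishes its own. It uses only the standard library so it runs offline, and it stops at producing the token-exchange request body rather than sending it.

```python
# Added example: the "redirect to bank -> SCA -> callback with code -> token exchange"
# flow from the post, with the checks a backend should perform on the callback.
# Endpoint URL, "consent_id" parameter name and client credentials are placeholders.
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# state -> details of the pending authorization; use a server-side store in production
PENDING = {}


def build_bank_redirect(auth_endpoint, client_id, redirect_uri, consent_id, scope="accounts"):
    """Build the URL that sends the user to the bank's SCA page."""
    state = secrets.token_urlsafe(32)          # ties the callback to this session (anti-CSRF)
    code_verifier = secrets.token_urlsafe(64)  # PKCE secret; only our backend ever sees it
    challenge = base64.urlsafe_b64encode(
        hashlib.sha256(code_verifier.encode()).digest()).rstrip(b"=").decode()
    PENDING[state] = {"code_verifier": code_verifier, "consent_id": consent_id}
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,          # must match what is registered with the bank
        "scope": scope,
        "state": state,
        "consent_id": consent_id,              # placeholder name; bank-specific in practice
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{auth_endpoint}?{urlencode(params)}"


def handle_callback(callback_url, redirect_uri, client_id):
    """Validate the bank's redirect back to us; return the token-exchange request body."""
    q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    if "error" in q:                           # user abandoned SCA or the bank refused
        raise PermissionError(f"bank returned error: {q['error']}")
    pending = PENDING.pop(q.get("state", ""), None)  # one-time use: replayed callbacks fail
    if pending is None:
        raise PermissionError("unknown or reused state; rejecting callback")
    if "code" not in q:
        raise ValueError("callback lacks an authorization code")
    # POST this body to the bank's token endpoint over TLS with client authentication;
    # the bank recomputes the PKCE challenge from code_verifier before issuing the token.
    return {
        "grant_type": "authorization_code",
        "code": q["code"],
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": pending["code_verifier"],
    }
```

The access token the bank returns should be stored encrypted at rest and never exposed to the browser; only the backend that holds `code_verifier` should complete the exchange.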
Beyond Europe
Many countries are adopting similar concepts: secure authentication before sharing account data or initiating payments. Pakistan and other markets may have their own rules or bank practices. When we build open banking or TPP systems for you, we design for SCA-style flows and local requirements so you’re ready for both current and future regulation.
Need the auth flow and SCA integration built for your product? We build it for you.