Why open banking bakes in SCA, and cards bolt it on

Open banking embeds Strong Customer Authentication at its core. By contrast, card payments bolt on layers - CVVs, PINs, 3-D Secure, caps - because SCA is not inherent. That difference matters for fraud, trust and the future of payments.


What is SCA?

Strong Customer Authentication (SCA) means authenticating with two independent factors from knowledge, possession, and inherence. In UK and EU law (PSRs/PSD2), it applies to electronic payments unless an exemption is used.[1][2] In practice, open banking payment initiation (PIS) hands the user back to their bank (ASPSP) to approve the payment using the same login and device/app biometrics they already trust - typically possession (the registered device/app) plus inherence (Face/Touch ID).[3][4]

“Open banking starts from the bank’s own trust anchor. The customer re-authenticates with their bank, not with an intermediary. That is why SCA is baked in, not bolted on.”
John Blackmore, Head of Technology, Asima

Why card rails grew a forest of add-ons

Card networks were never designed around multi-factor customer authentication at source, especially for remote commerce. Over three decades, the industry added layers to approximate SCA or offset its absence:

  • Signature strips and CVMs in early card-present flows (weak assurance).
  • CVV/CVC for card-not-present, a static secret printed on the card.[5]
  • 3-D Secure 2 to deliver SCA for e-commerce (often via an OTP or app push).[6]
  • Dynamic CVV concepts to rotate the card security code and blunt data theft.[7]
  • Tokenisation (network tokens) to hide PANs and reduce replay/compromise risk.[8][9]

These measures work, but they are compensating controls. They exist because SCA is not inherent to the card itself in many contexts.


Contactless is an exemption, not authentication

“Tap and go” without PIN is explicitly treated in regulation as a low-value exemption from SCA. Historically in the EU this meant counters like €50 per transaction and €150 cumulative or 5 taps before SCA (PIN) must be reapplied.[10][11] The UK set its own parameters post-Brexit, raising the single-tap cap to £100 and now consulting on removing the regulatory cap so issuers can set limits with risk controls.[12][13] The FCA notes contactless card fraud remains circa 1.3p per £100 of spend and that firms must refund unauthorised use.[12]

By contrast, wallet taps with CDCVM (phone/watch + biometric) do perform a cardholder verification method that satisfies SCA, which is why mobile wallet contactless does not need the same fixed cap.[14][15]

“Caps, counters and risk flags on contactless exist because ‘no-CVM’ is an exemption from SCA. When you add CDCVM on a phone, you’ve actually done SCA, so the cap can be policy-driven rather than regulatory.”
John Blackmore, Head of Technology, Asima
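To make the exemption mechanics concrete, here is an added illustration (not Asima's or any card scheme's code) of how an issuer might apply the historical EU counters quoted above to a sequence of taps. It treats a CDCVM wallet tap as SCA already performed and assumes that such a tap, like a PIN tap, resets the no-CVM counters; the thresholds and reset behaviour are this example's assumptions, not a statement of the rules.

```python
from dataclasses import dataclass

# Thresholds are the historical EU figures quoted above, in minor units (cents).
SINGLE_TAP_LIMIT = 5000        # EUR 50 per no-CVM tap
CUMULATIVE_LIMIT = 15000       # EUR 150 of no-CVM taps since the last SCA
MAX_NO_CVM_TAPS = 5            # consecutive no-CVM taps since the last SCA

@dataclass
class Counters:
    cumulative: int = 0        # value of no-CVM taps since the last SCA
    taps: int = 0              # number of no-CVM taps since the last SCA

@dataclass
class Tap:
    amount: int
    cdcvm: bool = False        # wallet tap verified on the device (biometric/passcode)

def requires_sca(counters: Counters, tap: Tap) -> bool:
    """True if a no-CVM card tap falls outside the low-value exemption.
    The RTS lets an issuer rely on either the cumulative or the count limit;
    this example enforces both, the stricter reading (a design choice)."""
    if tap.amount > SINGLE_TAP_LIMIT:
        return True
    if counters.cumulative + tap.amount > CUMULATIVE_LIMIT:
        return True
    return counters.taps + 1 > MAX_NO_CVM_TAPS

def process_tap(counters: Counters, tap: Tap) -> str:
    """Decide one tap and update the counters. Returns 'cdcvm', 'sca' or 'exempt'."""
    if tap.cdcvm:
        # CDCVM is a cardholder verification that satisfies SCA, so no exemption
        # is consumed. Assumption: it resets the counters as a PIN tap would.
        counters.cumulative, counters.taps = 0, 0
        return "cdcvm"
    if requires_sca(counters, tap):
        # Issuer demands PIN (SCA); once performed, the counters start afresh.
        counters.cumulative, counters.taps = 0, 0
        return "sca"
    counters.cumulative += tap.amount
    counters.taps += 1
    return "exempt"

def simulate(taps: list) -> list:
    """Run a sequence of taps on a fresh card and return each decision."""
    counters = Counters()
    return [process_tap(counters, t) for t in taps]
```

Four constructed EUR 40 taps, for instance, are exempt until the fourth pushes the cumulative counter past EUR 150, at which point the issuer asks for PIN.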

Open banking payments make SCA the default path

In open banking PIS, the default journey is SCA at the ASPSP. The user is redirected or decoupled to their banking app to approve, often with possession + inherence. Standards explicitly support these flows so customers authenticate the same way with a PISP as they do directly with their bank.[3][4]

There are well-defined variations:

  • VRP sweeping can use an SCA exemption after an SCA-authorised consent, allowing subsequent movements within tight consent parameters without fresh SCA each time.[16][17]
  • VRP with delegated SCA allows an ASPSP to let a PISP perform SCA, still grounded in the SCA rule set and liability framework.[18][19]

The common thread is that SCA is foundational in the model, with exemptions on top, not the other way round.
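The VRP sweeping variant above can be illustrated with an added example (not Open Banking UK's or any ASPSP's code): an SCA-authorised consent carries parameters, and each later sweep is checked against them so it can proceed under the exemption only while it stays inside the consent. The parameter set (fixed payee, per-payment and rolling-period maximums, expiry) and the reason codes are assumed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass
class VrpConsent:
    """Parameters agreed when the payer authorised the VRP with SCA (assumed fields)."""
    payee_account: str          # sweeping: the payer's own destination account
    max_individual: int         # minor units per payment
    max_per_period: int         # minor units per rolling period
    period_days: int
    valid_to: date
    sca_authorised: bool        # the consent itself was approved with SCA at the ASPSP
    history: list = field(default_factory=list)   # (date, amount) of accepted payments

def check_payment(consent: VrpConsent, payee_account: str, amount: int, on: date) -> str:
    """Return 'exempt' if the payment may proceed under the consent without fresh SCA,
    otherwise a reason code for why it falls outside the consent."""
    if not consent.sca_authorised:
        return "sca_required"            # nothing SCA-authorised to rely on
    if on > consent.valid_to:
        return "consent_expired"
    if payee_account != consent.payee_account:
        return "payee_mismatch"
    if amount > consent.max_individual:
        return "over_individual_limit"
    window_start = on - timedelta(days=consent.period_days)
    spent = sum(a for d, a in consent.history if window_start < d <= on)
    if spent + amount > consent.max_per_period:
        return "over_period_limit"
    consent.history.append((on, amount))
    return "exempt"

def run_demo() -> list:
    """Constructed sequence of sweeps against a constructed consent; returns the decisions."""
    c = VrpConsent(payee_account="payer-savings", max_individual=10000,
                   max_per_period=25000, period_days=30,
                   valid_to=date(2025, 12, 31), sca_authorised=True)
    return [
        check_payment(c, "payer-savings", 8000, date(2025, 6, 1)),   # exempt
        check_payment(c, "payer-savings", 12000, date(2025, 6, 2)),  # over per-payment cap
        check_payment(c, "payer-savings", 8000, date(2025, 6, 3)),   # exempt
        check_payment(c, "payer-savings", 8000, date(2025, 6, 4)),   # exempt (24000 in window)
        check_payment(c, "payer-savings", 8000, date(2025, 6, 5)),   # over rolling-period cap
        check_payment(c, "someone-else", 100, date(2025, 6, 6)),     # not the consented payee
        check_payment(c, "payer-savings", 8000, date(2025, 7, 10)),  # window has rolled: exempt
        check_payment(c, "payer-savings", 100, date(2026, 1, 1)),    # consent expired
    ]
```

Anything outside the consent is not silently paid; the PISP would need a new SCA-authorised consent, which is the "exemptions on top of SCA" ordering the article describes.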


What this means for product, risk and user experience

  1. Security anchor, then UX: Open banking aligns assurance with familiarity - customers use their bank’s app and biometrics. That gives high assurance without teaching new rituals.
  2. Less patchwork: Card flows will keep improving (tokens, risk scoring, delegated authentication), but the control surface is broader: issuer, scheme, acquirer, merchant, wallet, risk engines. PIS narrows the critical path to payer ↔ bank.
  3. Policy clarity: The FCA’s contactless consultation will likely produce issuer-set limits with monitoring, but it does not change the underlying truth: no-CVM contactless rides on an exemption. Open banking PIS does not.[12][13]

“For merchants deciding between rails, the question is simple: do you prefer authentication that is inherent to the rail, or controls that are layered around it? We build for the former.”
John Blackmore, Head of Technology, Asima

Bottom line

SCA is part of the architecture for open banking payments and an overlay for cards. That is why card payments accumulated caps, counters, CVVs, OTPs, 3-DS, dynamic CVVs and tokens. As contactless limits evolve, the strategic takeaway for risk teams is unchanged: flows with inherent SCA reduce the need for compensating controls and, done right, deliver higher trust with lower friction.


Footnotes

  1. FCA, Strong Customer Authentication (overview and scope).
  2. EBA, Opinion on the elements of strong customer authentication under PSD2 (definition and factors).
  3. Open Banking UK (standards), Authentication methods – redirection & decoupled (PSU authenticates using accustomed ASPSP methods).
  4. Open Banking UK, Customer Experience Guidelines v3.1.x (PISP redirects to ASPSP for authentication; use of bank app biometrics).
  5. Wikipedia, Card security code (CVV/CVC) — purpose and card-not-present usage.
  6. ACI Worldwide, A primer on SCA, PSD2 & 3-D Secure (3DS as an SCA mechanism for e-commerce).
  7. Pismo, How dynamic CVV works and improves security (explainer).
  8. EMVCo, EMV payment tokenisation — what, why and how.
  9. Mastercard, What is tokenization? (consumer-facing explainer).
  10. EBA Single Rulebook Q&A, Low-value contactless exemption — five taps/€150 cumulative.
  11. EBA Single Rulebook Q&A, Clarifications on contactless exemption limits.
  12. FCA press release, Proposed contactless changes could increase convenience for consumers (consultation, fraud statistic, refund obligations).
  13. FCA, CP25/24 Quarterly Consultation Paper (proposal to amend/remove SCA-RTS Article 11 limits).
  14. EMVCo, CDCVM: promoting security, reliability and convenience (biometric device verification as CVM).
  15. The Guardian, UK contactless payments could go above £100 or become unlimited (notes that smartphone wallet payments aren’t restricted by the cap).
  16. Open Banking UK, VRP payments with an SCA exemption (consent with SCA; subsequent payments under exemption).
  17. Open Banking UK, VRP & sweeping: phase 2 feedback summary (use of exemptions such as payment-to-self).
  18. Open Banking UK, VRP payments with delegated SCA (PISP performs SCA by agreement).
  19. UK Finance, The future development of Open Banking Payments (VRP SCA models: exemption vs delegated).

John Blackmore