by Mathilde Bonneau, Government Relations
In previous articles (here and here) we recommended that the approach to Strong Customer Authentication (SCA) under the EU’s Payment Services framework (PSD3/R) should evolve to allow payment providers to deploy modern authentication solutions in response to evolving fraud threats.
We highlighted passkeys as a phishing-resistant, state-of-the-art example of modern authentication, designed to replace traditional passwords. Passkeys enable users to sign into apps and websites through the same seamless and familiar experience they use to unlock their device, such as biometrics (fingerprint, face scan).
Failing to evolve regulatory design presents a significant risk. If the prescriptive approach in the current rules persists, authentication methods will remain outdated, while fraudsters adapt and find new ways to bypass static security measures. Meanwhile, payment providers will be unable to deploy more secure, modern solutions to counter these threats.
That is why PayPal urges policymakers to introduce an outcomes-based approach to SCA. By prioritizing security and enabling payment providers to implement more secure, modern solutions, this approach enhances the overall digital payments experience and fosters consumer trust and confidence.
The outcomes-based approach should be based on the following four principles:
- Strong authentication remains essential
- Security and convenience must coexist
- Authentication must be adaptive and dynamic, based on risk
- Accountability and transparency instead of prescriptive technological mandates
This article explores what these four principles look like in practice, ensuring that a future framework maintains high security while offering more convenient experiences for consumers participating in the digital economy.
Four Core Principles To Build An Effective Outcomes-Based Approach
An outcomes-based approach upholds the principle of Strong Authentication in a dynamic, adaptive way, aligned with the risk levels of the activity. It also enables payment providers to implement innovative authentication mechanisms that are as effective, or even more secure, than legacy solutions. Crucially, an outcomes-based approach does not mean exempting payment providers from authentication – this is not an exemption framework.
1. Strong Authentication Remains Essential
Payment providers currently implement multi-factor authentication solutions that are usually categorized into three types: knowledge, possession, and inherence.
It is crucial to recognize that not all factors are equal in strength. For example, an inherence factor typically provides stronger security assurance than a knowledge factor. Even within the same category, some factors offer better security guarantees than others. For instance, within the possession category, phishing-resistant cryptographic keys generally offer stronger protection than one-time codes sent over SMS.
Therefore, what truly matters is not the category a factor falls into, but its strength and reliability.
Recommendation
The PSR’s approach to SCA should prioritize the overall strength of the solution, enabling payment providers to use multiple factors from the same category to meet SCA requirements. It should also ensure that providers document and assess the risk profiles of the factors they implement to demonstrate the solution's strength.
2. Security And Convenience Must Coexist
Effective fraud reduction is essential, but authentication must also be user-friendly for all customers. The best customer experiences strike a balance between security and convenience.
While fraud reduction is crucial for maintaining consumer trust, if an authentication solution is inconvenient or inaccessible, customers may abandon their purchases or switch to providers offering simpler (and potentially weaker) authentication methods.
Ensuring that authentication solutions are both secure and accessible will enhance overall customer experiences, foster greater trust in the digital economy, improve merchant conversion rates, and ultimately support economic growth and European competitiveness.
Recommendation
The PSR should clearly define the objectives that authentication must achieve, namely fraud reduction and usability. Together, both will promote consumer trust, competitiveness, and innovation.
3. Authentication Must Be Adaptive And Dynamic, Based On Risk
Adaptive, "risk-based" authentication enables an authentication approach tailored to the context of the user and the risk profile of the authentication activity, rather than relying on a one-size-fits-all model.
This involves dynamically adjusting authentication factors based on multiple risk signals, such as transaction value, user behavior, device intelligence, and location. For example, low-risk activities or transactions (e.g., repeat purchases from a trusted device) may require fewer authentication steps, while high-risk activities (e.g., unusual locations or large payments) may trigger more stringent measures.
This approach enables payment providers to deploy authentication factors with levels of security that align with the transaction’s risk. It enhances security by enforcing stricter authentication when anomalies are detected, while ensuring a seamless user experience during low-risk conditions.
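As an added illustration (not PayPal's code and not any regulatory scale), the following Python sketches how such a risk-based step-up decision can be structured: weighted signals produce a score, the score sets a minimum combined factor strength, and factors are then chosen by strength rather than by category, which also reflects principle 1. All signal weights, thresholds and strength ratings are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed factor catalogue: strength, not category, drives the decision
# (ratings are illustrative assumptions, not a regulatory scale).
FACTORS = {
    "passkey":   {"category": "possession", "strength": 4},
    "biometric": {"category": "inherence",  "strength": 3},
    "sms_otp":   {"category": "possession", "strength": 1},
    "password":  {"category": "knowledge",  "strength": 1},
}

@dataclass
class Transaction:
    amount_eur: float
    trusted_device: bool     # device already bound to this customer
    repeat_merchant: bool    # customer has paid this merchant before
    unusual_location: bool   # geolocation deviates from the usual pattern

def risk_score(tx: Transaction) -> int:
    """Additive score over the article's example signals (weights are assumptions)."""
    score = 3 if tx.amount_eur > 500 else 1 if tx.amount_eur > 100 else 0
    score += 0 if tx.trusted_device else 2
    score += 0 if tx.repeat_merchant else 1
    score += 3 if tx.unusual_location else 0
    return score

def required_strength(score: int) -> int:
    """Map the score to a minimum combined factor strength; 0 means no step-up."""
    # high risk: two strong factors (e.g. passkey + biometric); medium risk: one
    # phishing-resistant factor; low risk: the existing session assurance is enough
    return 6 if score >= 6 else 4 if score >= 3 else 0

def select_factors(required: int, available: list[str]) -> list[str]:
    """Take the strongest available factors until the bar is met; same-category
    combinations are allowed, and the bar is set so weak factors alone cannot meet it."""
    chosen, total = [], 0
    for name in sorted(available, key=lambda n: -FACTORS[n]["strength"]):
        if total >= required:
            break
        chosen.append(name)
        total += FACTORS[name]["strength"]
    if total < required:
        raise ValueError(f"reachable strength {total} below required {required}")
    return chosen

def decide(tx: Transaction, available: list[str]) -> dict:
    """Explainable decision record, in the spirit of the accountability principle."""
    score = risk_score(tx)
    required = required_strength(score)
    return {"score": score, "required": required,
            "factors": select_factors(required, available)}
```

A low-value repeat purchase from a trusted device yields no extra step, while a large payment from an unknown device in an unusual location requires two strong factors; two weak factors from different categories do not satisfy even the medium bar.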
Recommendation
The PSR already mandates transaction risk monitoring under Article 83. It should go further to allow a true risk-based approach to SCA by enabling payment providers to determine, based on their own assessment, how and when SCA is applied, informed by the results of transaction risk monitoring, rather than prescribing specific risk categories or static thresholds.
4. Accountability And Transparency Instead Of Prescriptive Technological Mandates
Prescriptive guidelines ultimately undermine both security and the user experience by forcing payment service providers to rely on legacy, less-effective solutions instead of enabling the adoption of advanced, more secure alternatives. Rigid technological mandates stifle innovation and limit the flexibility needed for the evolution of authentication methods.
It’s important to recognize that every authentication method comes with its own set of trade-offs. Rather than focusing on strict compliance with outdated standards, regulatory design must focus on fostering continuous innovation that offers tangible benefits over legacy systems.
A shift towards transparent governance would allow payment providers the freedom to implement the most effective authentication solutions while ensuring accountability and security. This approach would promote a more adaptable, dynamic environment where both security and user experience are optimized in line with evolving threats and technological advancements.
Recommendation
The PSR should ensure that the mandate to the European Banking Authority (EBA) for technical standards on SCA does not focus on technological requirements. Instead, it should establish a transparent governance and reporting framework that keeps payment providers accountable to their Home State supervisors.
PayPal's recommendations for an outcomes-based approach to SCA were launched at the FIDO Brussels Seminar: The Future of Identity & Authentication in Europe on 26 March 2025.