TL;DR: Banks and payment providers approaching PSD2 Strong Customer Authentication face a trade-off between compliance and checkout friction, with 3DS2 and mobile intelligence presented as the practical path to higher approval rates, lower false declines, and better exemption outcomes, according to Prove Identity. The core issue is that authentication models built for static identity checks break down when transaction risk, device signals, and SIM swap behaviour must be evaluated in real time.
At a glance
What this is: This is an analysis of how PSD2 Strong Customer Authentication can be met with 3DS2 and phone-centric identity signals while reducing payment friction.
Why it matters: It matters because payment identity controls must now balance fraud reduction, exemption eligibility, and customer experience across authentication, risk scoring, and transaction approval flows.
By the numbers:
- According to Visa, the adoption of 3DS2 can reduce cart abandonment by 70% and reduce checkout time by 85%.
👉 Read Prove Identity's analysis of PSD2 SCA, 3DS2 and phone-centric identity
Context
PSD2 Strong Customer Authentication is a payment identity problem as much as a regulatory one. Banks and payment service providers have to prove that a transaction is both legitimate and low risk while keeping the checkout flow usable for customers who increasingly shop on mobile devices and across borders.
The article argues that the familiar approach of treating authentication as a single step-up decision is too blunt for this environment. 3DS2 and mobile-intelligence-based identity resolution are presented as the mechanism for separating low-risk transactions from those that genuinely need stronger challenge, especially where SIM swap fraud and stale phone records undermine confidence.
Key questions
Q: How should organisations implement strong customer authentication for PSD2?
A: Organisations should map transaction risk to authentication strength and prove that the factors used are independent and appropriate for the payment action. The control is not simply MFA at the login screen. It is assurance that the authenticated identity, device, and transaction context together satisfy the PSD2 requirement before payment execution.
Q: Why do SIM swap attacks matter for payment authentication?
A: SIM swap attacks undermine the assumption that a phone number reliably proves possession of the account holder's device. If the number is ported or taken over, OTPs and phone-based checks can be satisfied by the attacker. Payment teams should therefore combine carrier, device, and behavioural signals before trusting the phone as an identity factor.
Q: What breaks when transaction risk analysis is too weak?
A: Weak transaction risk analysis pushes more payments into challenge flows and increases false declines because issuers lose confidence in exemption decisions. That hurts conversion, customer experience, and the ability to keep fraud below regulatory thresholds. Stronger evidence collection is what keeps exemption logic usable.
Q: Who is accountable when SCA exemptions are applied incorrectly?
A: Issuing and acquiring banks remain accountable because PSD2 puts the burden of fraud analysis and exemption justification on the regulated participants in the payment chain. If the decision model is poor, the compliance and fraud consequences sit with the institution that approved the transaction logic.
Technical breakdown
How 3DS2 changes transaction-level authentication
3DS2 replaces the older 3DS1 model with a richer transaction context layer. It transports more data to issuers, supports in-app challenge flows, and lets the issuer evaluate risk before deciding whether a customer needs step-up authentication. That matters because the decision is no longer based only on a cardholder prompt. It is based on transaction context, device signals, merchant data, and fraud history. In PSD2 terms, this is what makes frictionless exemptions possible without abandoning stronger authentication when the risk is real.
Practical implication: banks and merchants should align fraud scoring and authentication routing so that 3DS2 data feeds the exemption decision, not just the challenge screen.
Why phone-centric identity matters in PSD2 SCA
Phone-centric identity uses mobile device and carrier data to raise confidence in the person and device behind a transaction. The article highlights SIM swap fraud as a key weakness because attackers can preserve the appearance of a legitimate phone number while taking over the line. That makes the phone a useful signal, but not a sufficient trust anchor on its own. The practical value comes from combining mobile intelligence, behavioural signals, and transaction context to identify when a payment request is likely to be fraudulent despite passing a basic authentication check.
Practical implication: teams should treat mobile number data as one identity signal inside a broader risk model, not as proof of ownership by itself.
How transaction risk analysis supports SCA exemptions
Transaction Risk Analysis under PSD2 is the control that allows issuers and acquirers to justify higher exemption thresholds when fraud rates remain low. The burden sits with the bank, which means evidence quality matters. If fraud rises, the exemption path narrows and more transactions fall back to step-up authentication, increasing friction and declines. That creates an identity governance problem for payment programmes: the organisation must continuously prove that its signals are strong enough to support exemption decisions and that its control environment can stand up to scrutiny.
Practical implication: payment teams should monitor fraud rate, challenge rate, and exemption usage together because they are linked measures of identity control quality.
Threat narrative
Attacker objective: The attacker aims to complete fraudulent payments while appearing legitimate enough to bypass stronger authentication or exploit low-friction paths.
- Entry occurs when attackers exploit weak mobile ownership assumptions, especially stale phone numbers or compromised SIMs that still appear legitimate in payment workflows.
- Escalation happens when SIM swap activity or account takeover gives the attacker enough identity confidence to pass step-up checks or exploit exemption logic.
- Impact follows as fraudulent transactions complete, false declines rise, and issuers lose the ability to keep SCA friction low without increasing fraud exposure.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- IOS app secrets leakage report — iOS apps leaking hardcoded secrets and credentials endangering user privacy.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
PSD2 SCA is really an identity confidence problem, not just an authentication problem. The article shows that strong authentication alone does not solve fraud when the identity signals behind a transaction are stale or easy to simulate. The control question is whether the bank can distinguish a genuine payment from a high-confidence impersonation before challenge logic is triggered. Practitioners should treat this as transaction identity governance, not just MFA enforcement.
Phone-centric identity introduces a useful trust signal, but it also creates a dependency on mobile data quality. If the banking record contains an outdated number, or if the number can be ported or swapped, the identity signal can become misleading fast. That makes phone intelligence valuable only when it is joined to behavioural and device context. Practitioners should not confuse possession of a phone number with durable identity assurance.
3DS2 operationalises risk-based authentication by moving more of the decision into the transaction layer. That is the right direction for payments because it lets issuers assess context rather than challenge every customer by default. The consequence is that identity teams must own the quality of the data feeding that decision. Practitioners should treat 3DS2 as a governance layer for payment trust, not just a protocol upgrade.
Transaction Risk Analysis becomes the real control plane for exemption eligibility. The article makes clear that lower fraud rates are what unlock better customer experience, not the other way around. That means fraud thresholds, challenge rates, and exemption policy are linked governance decisions. Practitioners should measure them together and understand which signals actually keep the programme below regulated thresholds.
Mobile fraud and payment authentication are converging into one governance domain. The growth of SIM swap and account takeover means identity, fraud, and payment operations can no longer be managed as separate silos. The named concept here is identity confidence at checkout: the practical measure of whether a transaction can be trusted without adding unnecessary friction. Practitioners should manage it as a shared control objective across risk, IAM, and payments teams.
From our research:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to Ultimate Guide to NHIs.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- Top 10 NHI Issues shows why over-privilege and poor lifecycle control remain the recurring failure pattern behind identity risk.
What this signals
Payment identity programmes are moving toward a more granular control model in which authentication, fraud, and exemption policy are evaluated together. Teams that still treat MFA as a single gate will keep absorbing decline friction that could have been avoided by better risk scoring and signal quality.
Identity confidence at checkout: this is the metric teams should care about when payment authentication must stay usable and defensible. If mobile and transaction signals are stale, the control may look compliant while producing more fraud or more customer abandonment.
The operational next step is to connect payment risk rules to broader identity governance, including device intelligence, account recovery, and change-of-number events. That is where payment identity becomes an enterprise control problem rather than a point solution.
For practitioners
- Tune exemption logic around transaction evidence Use 3DS2 data and fraud signals together so exemption decisions are based on transaction context, not just customer history or card status.
- Validate mobile number freshness before relying on it Check how often banking records contain stale phone numbers and how quickly those records are updated after a number change or porting event.
- Correlate SIM swap indicators with checkout decisions Feed carrier and device intelligence into the fraud model so SIM swap risk can suppress exemption eligibility before the payment is approved.
- Track challenge rates alongside approval rates Measure how often SCA challenges are triggered, how often customers abandon them, and whether lower friction is being bought at the cost of higher fraud.
Key takeaways
- PSD2 SCA implementation is a balance of fraud control, exemption governance, and checkout usability, not a simple MFA rollout.
- 3DS2 and phone-centric identity improve decision quality only when issuers combine transaction context, mobile intelligence, and risk analysis.
- Banks should measure approval rate, challenge rate, and fraud together because those three outcomes now move as one control system.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while PCI DSS v4.0 and GDPR define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | The article centres on authenticated access decisions for payments. |
| NIST SP 800-53 Rev 5 | IA-2 | SCA is an authentication control problem with transaction context. |
| PCI DSS v4.0 | Payment authentication and fraud controls directly affect card-not-present transactions. | |
| GDPR | Art.32 | Phone and behavioural identity data used in payment scoring can involve personal data protection. |
Map payment authentication logic to PR.AC-1 and verify identity evidence before approving high-risk transactions.
Key terms
- Strong Customer Authentication: A regulated authentication requirement that demands more than a single password or code. Under PSD2, it requires at least two factor types and must support the payment context, so the approval is tied to the specific transaction rather than a reusable login event.
- Transaction Risk: Transaction risk is the likelihood that a payment, deposit, withdrawal, or transfer is abusive, compromised, or inconsistent with normal behaviour. It is distinct from login risk because a legitimate session can still produce fraudulent or non-compliant financial activity.
- 3DS2: A payment authentication protocol that provides richer transaction data and supports in-app challenge flows. It helps issuers make more informed approve-or-challenge decisions, which is why it matters when organisations need both compliance and lower customer friction.
- Phone-centric identity: An identity approach that uses mobile device and carrier signals to improve confidence in a transaction or account event. It is useful in fraud decisioning, but it only works well when treated as one signal among several rather than as proof of identity by itself.
What's in the full article
Prove Identity's full article covers the operational detail this post intentionally leaves for the source:
- Practical guidance on balancing SCA compliance with transaction approval rates in payment workflows
- Specific discussion of 3DS2 challenge and frictionless flows for banks, merchants, and PSPs
- Mobile intelligence signals used to strengthen fraud scoring and reduce SIM swap exposure
- Context on exemption thresholds and why risk analysis quality changes customer experience
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org