As a matter of principle, all electronic means of payment are subject to strong customer authentication. However, exemptions to the principle of strong customer authentication (SCA) are possible, as it is not always necessary and convenient to request the same level of security from all payment transactions.
These exemptions have been defined by the European Banking Authority (EBA) and adopted by the European Commission, taking account of the risk involved, the value of transactions and the channels used for the payment.
Such exemptions include low value payments at the point of sale (to facilitate the use of mobile and contactless payments) and also for remote (online) transactions. The exemptions from strong customer authentication seek to avoid disrupting the ways consumers, merchants and payment service providers operate today. They are also based on the fact that there are alternative authentication mechanisms that are equally safe and secure.