����žž

Country

Requirements 

Exemptions 

European Union

(����žž update)

Directive (EU) 2015/2366 (PSD2) introduced the concept of strong customer authentication (SCA). According to Article 4, SCA refers to an authentication process based on the use of two or more elements:

• Knowledge – something only the user knows.
• Possession – something only the user possesses.
• Inherence – something the user is.

These elements must be independent, ensuring that the breach of one does not compromise the reliability of the others. They must also be designed to protect the confidentiality of the authentication data.

In accordance with Article 94, payment service providers are required to apply SCA when the payer:

• Accesses their payment account online.
• Initiates an electronic payment transaction.
• Carries out any action through a remote channel that may imply a risk of payment fraud or other abuses.

(����žž update) 

Commission Delegated Regulation (EU) 2018/389 sets out the regulatory technical standards (RTS) for strong customer authentication (SCA) and for common and secure open standards of communication.

Specifically, the RTS provides for the following:

• The application of SCA.
• Exemptions from the application of SCA.
• The protection of the confidentiality and integrity of payment service users’ personalised security credentials.
• The establishment of common and secure open standards for communication between account servicing payment service providers, payment initiation service providers, account information service providers, payers, payees and other payment service providers.

(����žž update)

Article 98 of PSD2 provides that the European Banking Authority (EBA), in close cooperation with the European Central Bank (ECB), shall develop draft technical standards setting out, among others, the exemptions from the application of SCA.

(����žž update)

Commission Delegated Regulation (EU) 2018/389 provides for certain exemptions for the application of SCA. This includes:

Article 10 (Payment account information) – payment service providers are permitted to not apply SCA where a payment service user is limited to accessing either or both of the following items online without disclosure of sensitive payment data:

• The balance of one or more designated payment accounts.
• The payment transactions executed in the last 90 days through one or more designated payment accounts.

Article 11 (Contactless payments at point of sale) – payment service providers are permitted to not apply SCA where the payer initiates a contactless electronic payment transaction provided that the following conditions are met:

• The amount of the transaction does not exceed €50.
• The cumulative amount of previous transactions initiated via a contactless functionality from the date of the last application of SCA does not exceed €150.
• The number of consecutive contactless electronic payment transactions initiated via the payment instrument offering a contactless functionality since the last application of strong customer authentication does not exceed five.

Article 12 (Unattended terminals for transport fares and parking fees).

Article 13 (Trusted beneficiaries).

Article 14 (Recurring transactions).

Article 15 (Credit transfers between accounts held by the same natural or legal person). 

Article 16 (Low-value transactions) – payment service providers are permitted to not apply SCA where the payer initiates a remote payment transaction provided that:

• The amount does not exceed €30.
• The cumulative amount of previous transactions since the last application of SCA does not exceed €100.
• The number of previous remote electronic payment transactions initiated by the payer since the last application of SCA does not exceed five consecutive individual remote electronic payment transactions.

Article 17 (Secure corporate payment processes and protocols).

Article 18 (Transaction risk analysis) – payment service providers are permitted to not apply SCA where the payer initiates a remote electronic payment transaction identified by the payment service provider as posing a low level of risk according to the transaction monitoring mechanisms.

(����žž update)

Commission Delegated Regulation (EU) 2022/2360 amends the RTS set out in Delegated Regulation (EU) 2018/389 concerning the 90-day exemption for account access.

Article 10 of Delegated Regulation (EU) 2018/389 provides an exemption from the requirement to apply SCA when a payment service user is accessing the balance and recent transactions of a payment account without disclosure of sensitive payment data. In such cases, payment service providers may refrain from applying SCA for account access, provided that SCA was applied when the account information was first accessed, and at least every 90 days thereafter.

Delegated Regulation (EU) 2022/2360 amends Article 10 to clarify when the SCA exemption can be applied. It specifies that SCA is not required where a payment service user accesses their payment account online directly, provided that access is limited to one of the following without disclosure of sensitive payment data:

• The balance of one or more designated payment accounts.
• The payment transactions executed in the last 90 days through one or more designated payment accounts.

However, SCA is not exempted if any of the following conditions apply:

• The payment service user is accessing the specified information online for the first time.
• More than 180 days have elapsed since the last online access to the specified information where SCA was applied.

United Kingdom

(����žž update)

The Payment Services Regulations 2017 (PSR) directly transpose PSD2 in the United Kingdom. As a result, PSD2’s SCA requirements are directly applicable.

The Financial Conduct Authority’s (FCA) technical standards on SCA specify:

• The requirements that must be met by SCA.
• Exemptions from the requirement to apply SCA.
• The requirements with which security measures have to comply to protect the confidentiality and integrity of payment service users’ personalised security credentials.
• The requirements for common and secure open standards of communication for the purpose of identification, authentication, notification and information, as well as for the implementation of security measures, between account servicing payment service providers, account information service providers, payers, payees and other payment service providers.

(����žž update)

Section 106(a), in combination with Section 100(5), permits the FCA to draft technical standards setting out the exemptions to SCA.

Chapter 3 of the technical standards on SCA sets out exemptions. The exemptions include: 

Article 10 (Payment account information accessed directly by a payment service user) – payment service providers (PSPs) are permitted to not apply SCA where a payment service user is limited to accessing either or both of the following items online without disclosure of sensitive payment data:

• The balance of one or more designated payment accounts.
• The payment transactions executed in the last 90 days through one or more designated accounts. 

However, this exemption does not apply where either of the following is met:

• The payment service user is accessing online the information specified above for the first time.
• More than 90 days have elapsed since the last time the payment service user accessed online the information and SCA was applied.

Article 10A (Payment account information accessed through an account information service provider) – PSPs are permitted to not apply SCA where a payment service user is limited to accessing either or both of the following without the disclosure of sensitive payment data:

• The balance of one or more designated payment accounts.
• The payment transactions executed in the last 90 days through one or more designated payment accounts.

Article 11 (Contactless payments at point of sale) – PSPs shall be allowed not to apply SCA where the payer initiates a contactless electronic payment transaction, provided that the following conditions are met:

• The individual amount of the contactless electronic payment transaction does not exceed £100.
• The cumulative amount of previous contactless electronic payment transactions initiated by means of a payment instrument with a contactless functionality from the date of the last application of SCA does not exceed £300.
• The number of consecutive contactless electronic payment transactions initiated via the payment instrument offering a contactless functionality since the last application of strong customer authentication does not exceed five.

Article 12 (Unattended terminals for transport fares and parking fees).

Article 13 (Trusted beneficiaries).

Article 14 (Recurring transactions).

Article 15 (Credit transfers between accounts held by the same natural or legal person).

Article 16 (Low-value transactions) – PSPs are permitted to not apply SCA where the payer initiates a remote payment transaction, provided that:

• The amount of the remote electronic payment transaction does not exceed £25.
• The cumulative amount of previous remote electronic payment transactions initiated by the payer since the last application of SCA does not exceed £85.
• The number of previous remote electronic payment transactions initiated by the payer since the last application of SCA does not exceed five consecutive individual remote electronic payment transactions.

Article 17 (Secure corporate payment processes and protocols).

Article 18 (Transaction risk analysis) – PSPs are permitted to not apply SCA where the payer initiates a remote electronic payment transaction identified by the payment service provider as posing a low level of risk according to the transaction monitoring mechanisms.

(����žž Update)

On September 10, 2025, the Financial Conduct Authority (FCA) published CP25/24 which, among other proposals, seeks feedback on its proposal to scrap the current £100 limit for contactless electronic payments.

Currently, per Article 11 of the , there is a limit on the value and number of contactless payments that can be made before requiring authentication. The FCA is proposing to replace these limits with a new exemption.

Specifically, the exemption would allow PSPs to process contactless payments without asking the payer to authenticate the payment, where PSPs identify the risk of a transaction to be low. PSPs would also be able to set their own contactless limits.

France 

(����žž Update)

Ordinance No. 2017-1252 of August 9, 2017 transposed PSD2 into national legislation in France.

(����žž update)

On June 10, 2024, the French Observatory for the Security of Payment (OSP) launched an action plan to strengthen the security of remote card payments.

The action plan is based on issuing banks limiting remote payments without strong authentication made outside the 3DS protocol, and to promote the use of the most secure channels. Specifically, the plan caps payments identified as risky on the basis of the "velocity" measure:

• If a transaction exceeds the set velocity threshold, the cardholder's bank will reject the transaction and ask the merchant to use another payment channel.
• The velocity will be calculated separately for mail order/telephone order (MOTO) payments on the one hand, and for non-3DS internet payments on the other.

The velocity threshold was initially set at €500 when the plan started on June 10, 2024. It was then lowered to €250 at the start of the 2024 academic year, and then to €100 in the last quarter of 2024.

See above regarding European Union exemptions.

Iceland, Norway and Liechtenstein (European Free Trade Association Countries - EFTA)

Through an EEA Joint Committee Decision, the three EFTA countries — Iceland, Norway, and Liechtenstein — have adopted PSD2. Consequently, SCA is applicable in those nations.

See above regarding European Union exemptions.

India 

(����žž update)

The Reserve Bank of India (Digital Payment Security Controls) Directions 2021 provide an authentication framework consolidating several circulars issued by the Reserve Bank of India (RBI).

The directions require regulated entities (REs) to implement, except where explicitly permitted, multi-factor authentication (MFA) for payments through electronic modes and fund transfers, including cash withdrawals from ATMs, micro-ATMs, business correspondents and digital payment applications.

REs may also adopt adaptive authentication to select the appropriate authentication factors based on risk assessment, user risk profile and behaviour.

Furthermore:

• The implementation of suitable authentication methodologies should be based on an assessment of the risks posed by the RE’s digital payment products and services.
• An effective authentication method should consider customer acceptance, ease of use, reliable performance, scalability to accommodate growth, customer profile, location, transaction characteristics and interoperability with other systems.
• To enhance online processing security, MFA and alerts (e.g., SMS, email) should be applied for all payment transactions (including debits and credits), creation of new account linkages (addition, modification or deletion of beneficiaries), changes to account details or revisions to fund transfer limits.
• Alerts and OTPs received by the customer for online transactions must identify the merchant name, wherever applicable, rather than the payment aggregator facilitating the transaction.
• REs should implement appropriate measures to minimise exposure to man-in-the-middle (MITM), man-in-the-browser (MITB) or man-in-the-application attacks.
• An authenticated session, together with its encryption protocol, should remain intact throughout the interaction with the customer.

(����žž update)

Effective from April 1, 2026, these directions establish a framework setting out the principles that all participants in the payments chain must follow when using authentication.

Specifically, the directions require:

• A minimum of two authentication factors.
• At least one factor must be dynamic.
• The compromise of one factor must not affect the reliability of the other.
• All system providers and participants must ensure that authentication and tokenisation services are accessible to all application token requestors across use cases, channels and token storage mechanisms.

These requirements apply to all domestic digital payment transactions. Although the directions do not apply to cross-border digital payment transactions, card issuers are required, by October 1, 2026, to implement a mechanism to validate non-recurring cross-border card-not-present (CNP) transactions when authentication is requested by an overseas merchant or acquirer.

(����žž update)

The Reserve Bank of India (Authentication mechanisms for digital payment transactions) Directions 2025 provide for a consolidated list of exemptions from MFA in Annexure 1. The exemptions are:

• Small-value contactless card transactions.
• Recurring transactions (other than the first) under the e-mandate framework.
• Select prepaid instruments.
• National Electronic Toll Collection (NETC) transactions.
• Small-value digital payments in offline mode.

Small-value contactless card transactions

This directive from the RBI further specifies the small-value contactless card transaction exemption. Specifically, AFA may be exempted for individual transactions under ₹5,000 in contactless mode at points of sale (PoS) terminals. Transactions beyond this limit may utilise contactless interfaces, but with AFA.

Recurring transactions

This circular specifies that AFA is not mandatory for recurring transactions up to ₹15,000 where the first transaction was authenticated via AFA.

This circular clarifies that AFA is not mandatory for specific recurring transactions up to ₹100,000 where the first transaction was authentication via AFA. This only applies to:

• Subscriptions to mutual funds.
• Payments of insurance premiums.
• Credit card bill payments.

Select prepaid instruments

The directions provide that, for specific prepaid instruments, AFA may not be applied. Specifically, 2FA or AFA is not mandatory for prepaid payment instruments (PPIs) for mass transit systems (PPI-MTS) and gift PPIs where the value does not exceed ₹10,000.

National Electronic Toll Collection (NETC) transactions

The directive states that transactions in the NETC system can be performed without AFA. 

Small-value digital payments in offline mode

The directive states that an offline payment means a transaction which does not require internet or telecom connectivity to take effect. Such payments may be offered without AFA.

The upper limit of an offline payment transaction is ₹500. The total limit for offline transactions on a payment instrument is ₹2,000 at any point in time.

Travel booking involving Global Distribution System / IATA through commercial / corporate cards.

To the best of ����žž’s knowledge, the directive providing for this exemption has been .

Singapore 

(����žž update)

Pursuant to Section 4.6 of the Notice FSM-N06 Cyber Hygiene, entities must implement multi-factor authentication (MFA) for the following:

• All administrative accounts for any operating system, database, application, security appliance or network device classified as a critical system.
• All accounts on any system used by the entity to access customer information via the internet.

Singapore defines MFA as the use of two or more factors to verify an account holder’s claimed identity. Such factors include, but are not limited to:

• Something the account holder knows, such as a password or personal identification number.
• Something the account holder has, such as a cryptographic identification device or token.
• Something the account holder is, such as biometrics or behavioural characteristics.

(����žž update)

The E-Payments User Protection Guidelines require that an account user must, at a minimum, take the following steps when using a device to access a protected account:

• Download the financial institution’s mobile application from official sources.
• Update the device’s browser to the latest available version.
• Use strong passwords, such as a combination of letters, numbers and symbols, or employ strong authentication methods provided by the device, such as facial recognition or fingerprint authentication.
• Follow any other recommended security measures.

(����žž update)

The Technology Risk Management Guidelines mandate the use of multi-factor authentication (MFA), which must be deployed at login for online financial services to secure the customer authentication process.

MFA can be based on two or more of the following factors:

• What you know, such as a personal identification number (PIN) or password.
• What you have, such as a one-time password (OTP) generator.
• Who you are, such as biometric identifiers.

(����žž update)

On July 9, 2024, MAS, alongside the Association of Banks in Singapore (ABS), announced that major retail banks in Singapore will be progressively phasing out the use of one-time passwords (OTPs) for bank account login by customers who are digital token users.

(����žž update)

The guidelines specify that, aside for login and transaction-signing for high-risk activities, financial institutions may implement appropriate risk-based or adaptive authentication that presents customers with authentication options that are commensurate with the risk level of the transaction and sensitivity of the data.

(����žž update)

Although not explicitly related to authentication, the guidelines provide for an example for compliance with account holders’ preference: “if the account holder chooses not to receive pre-authorised, first person, or recurring transaction notifications, while the responsible FI should make the option to receive these notifications available to the account holder, the responsible FI may comply with the account holder’s instructions and not notify the account holder of such transactions.”

The guidelines further specify that an account holder of a protected account is not liable for any loss arising from an unauthorised transaction if the loss arises from any action or omission by the responsible institution.

Malaysia 

(����žž update)

The policy document is applicable to all financial institutions and mandates the use of robust authentication processes to ensure the authenticity of identities in use.

Authentication mechanisms shall be commensurate with the criticality of the functions and adopt at least one or more of the three basic authentication factors:

• Something the user knows (e.g., password, PIN)
• Something the user possesses (e.g., smart card, security device)
• Something the user is (e.g., biometric characteristics, such as a fingerprint or retinal pattern)

Further, institutions are encouraged to properly design and implement, especially in high-risk or “single sign-on” systems, multi-factor authentication (MFA) that is more reliable and provides stronger fraud deterrents.

Financial institutions must ensure that the security controls of MFA solutions include adherence to the following requirements:

1. The MFA solution is resistant to interception or manipulation by any third party throughout the authentication process.
2. The payer/sender must be made aware of and prompted to confirm the details of the identified beneficiary and the amount of the transaction.
3. The authentication code must be initiated and generated locally by the payer/sender using MFA.
4. The authentication code generated by the payer/sender must be specific to the confirmed beneficiary and amount.
5. Secure underlying technology must be established to ensure the authentication code accepted by the financial institution corresponds to the confirmed transaction details.
6. Notification must be provided to the payer/sender of the transaction.

For high-risk transactions or transactions above RM10,000, financial institutions must implement additional controls to authenticate devices and users, authorise transactions, and support non-repudiation and accountability. These measures must, at a minimum, include MFA.

Financial institutions must also deploy MFA solutions with stronger security controls for open third-party fund transfers and open payment transactions with a value of RM10,000 and above.

()

In January 2025, Bank Negara Malaysia (BNM), the country’s central bank, issued a policy document on electronic money (e-money).

E-money serves as a payment instrument that can be used to make payments for goods and services at merchants accepting e-money. E-money users may also send or receive funds to or from another user’s e-money or bank account through person-to-person (P2P) fund transfer services, provided the e-money issuer (EMI) is authorised to offer such services.

The policy document mandates the use of risk-based authentication for online payment transactions. Specifically:

• An EMI must authenticate its customers for online payment transactions using strong authentication methods, such as multi-factor authentication (MFA), to mitigate the risk of fraudulent transactions.
• Notwithstanding the above, an EMI may adopt risk-based authentication for low-risk online payment transactions. Low-risk transactions are defined as:
  • Online payments below RM250 per transaction.
  • Recurring card-on-file transactions below RM10,000 per transaction, where the EMI has authenticated its customer using strong customer authentication for the first time.

(����žž update)

On December 17, 2024, the BNM published a draft policy document on technology requirements for payment services regulatees (PSRs).

The draft outlines new requirements for managing technology risks by PSRs and aims to consolidate these requirements into a single policy document, primarily for approved issuers of electronic money (EMIs), registered merchant acquirers (MAs) and licensed money services businesses.

Specifically, the policy mandates PSRs to implement controls to authenticate devices and users, authorise transactions, and support non-repudiation and accountability for transactions performed via digital services. These measures must, at a minimum, include:

• Adopting a strong authentication method, such as multi-factor authentication (MFA), for financial and high-risk non-financial transactions. This includes registering an account as a “favourite” beneficiary and all subsequent fund transfers to that beneficiary. Authentication technology and channels, including MFA, must be more secure than unencrypted short messaging services.
• Requesting users to verify transaction details prior to execution.
• Providing timely notifications to customers that are sufficiently descriptive of the transaction.

Further, PSRs must ensure that the security controls of MFA solutions meet the following requirements:

• The MFA solution is resistant to interception or manipulation by any third party throughout the authentication process.
• The payer/sender must be made aware of, and prompted to confirm, the identified beneficiary and the transaction amount.
• The authentication code must be initiated and generated locally by the payer/sender using MFA.
• The authentication code generated by the payer/sender must be specific to the confirmed beneficiary and transaction amount.
• Secure underlying technology must ensure that the authentication code accepted by the PSR corresponds to the confirmed transaction details.
• Notification of the transaction must be provided to the payer/sender.

(����žž update)

For financial transactions below RM10,000, a financial institution may decide on proportionate controls and authentication methods for transactions assessed by the financial institution to be of low risk.

In undertaking the assessment, the financial institution must establish a set of criteria or factors that reflect the nature, size and characteristics of a financial transaction. Such criteria or factors must be consistent with the financial institution’s risk appetite and tolerance.

The financial institution must periodically review the risk assessment criteria to ensure its continued relevance, having regard to the latest developments in cybersecurity risks and authentication technologies, as well as fraud trends and incidents.

Where a financial institution decides not to adopt MFA for financial transactions that are assessed to be of low risk, the financial institution must nevertheless implement adequate safeguards for such transactions, which shall include at a minimum the following measures:

• Set appropriate limits on a per-transaction basis and on a cumulative basis.
• Provide convenient means for customers to reduce the limits or opt for MFA.
• Provide a convenient means for customers to temporarily suspend their account in the event of suspected fraud.
• Provide its customers with adequate notice of the above safeguards

() 

The policy document specifies that an EMI may adopt risk-based authentication for low-risk online payment transactions.

Low risk consists of:

• Online payment transactions below RM250 per transaction.
• Recurring or card-on-file transactions below RM10,000 per transaction, where an EMI has authenticated its customer using strong authentication for the first time.

When apply risk-based authentication for low-risk online payment transactions, EMIs are required to:

• Ensure the use of effective risk analysis tools and establish a set of criteria or factors that appropriately reflect the nature, size and characteristics of the online payment transactions. Such criteria or factors must be consistent with the EMI’s risk appetite and tolerance level.
• Periodically review the risk assessment criteria or factors to ensure its continued relevance, having regard to the latest developments in cybersecurity risks and authentication technologies, as well as fraud trends and incidents.

An EMI is encouraged to identify a tolerable aggregate amount of low-risk online payment transactions eligible for risk-based authentication to mitigate against high fraud losses.

Furthermore, an EMI must notify the BNM at least 14 days prior to first-time implementation of risk-based authentication for low-risk online payment transactions.

Japan

(����žž update)

The Japanese Consumer Credit Card Association (JCA), a voluntary industry association, introduced the credit card security guidelines in 2020.

The guidelines specify identity verification as a specific countermeasure for fraud. 

(����žž update)

Published in 2023, version 4.0 of the guidelines mandates credit card operators within the JCA to implement 3DS by March 2025.

In addition, credit card providers must adopt a risk-based approach to credit card verification by requiring merchants to supply credit card acquirers with data on the risk levels of different purchases from their stores and using information such as the customer’s device.

Although the JCA is not a regulator, as reported by ����žž, the list of JCA members reveals that every major credit card issuer in the country is a member. This means any merchant wishing to avail themselves of the services of these card issuers and acquirers must comply with these guidelines.

(����žž update)

Version 5.0 of the credit card security guidelines sets out new authentication requirements for all payments in Japan from April 1, 2025.

Specifically, the guidelines mandate the use of 3DS for all online payments. This includes acquirers, payment service providers and issuers. Transactions without 3DS authentication may therefore be declined.

(����žž update)

Version 5.0 of the guidelines state that all online payments must utilise 3DS authentication, whether there are domestic or international.

To the best of ����žž’s knowledge, specific exemptions to the requirement to implement 3DS are not addressed in the guidelines.