EUDI Wallet, SCA & fraud: How can merchants prepare?

Digital identity wallets are hailed as providing the holy grail of convenience, privacy, and security.

A type of personal ID in digital wallet form, the EUDI Wallet was introduced by the European Union – a recognized innovator in the digital space – to improve several online processes. Use cases include Know Your Customer (KYC) and help in adhering to the PSD2 requirement for SCA (Strong Customer Authentication).

Timelines for the adoption across Member States are tight, with private sector support required by the end of 2027. Merchants are expected to become a central pillar of the EUDI Wallet ecosystem – with payments, customer onboarding and verification all impacted.

How are merchants serving customers in the EU and beyond going to be affected, and how should they prepare?

What is the EUDI Wallet?

Short for EU Digital Identity Wallet, the EUDI Wallet is a mobile identity wallet that seeks to standardize identity-related processes in the European Union – primarily, the digital identification of EU citizens.

Member States are obliged to offer such an option by late 2026.

Main functions of the EUDI Wallet

The EUDI Wallet remit aims to provide a secure and easy method for proving your identity when accessing digital services and performing online transactions. The wallets will also be able to store and share important digital documents.

The core functions of an EUDI Wallet are authenticate, share, store, and sign.

Capabilities include the following, amongst others:

• Verify an individual’s identity as part of a KYC process to open a bank account

• Authorize payments

• Support cross-border transactions

• Enable retail, B2B, B2C, and B2G payment acceptance and other transactions

• Store visas, passports, and travel documents

• Store digital travel credentials

• Check into flights and hotels

• Store and present tickets

eIDAS and the EUDI Wallet – a history

Verified digital identity is at the heart of accessing online services and making payments. To standardize identity-related processes, the EU has been working on frameworks and regulations for over a decade.

In 2014, the EU published a regulation to kickstart the digital identification of citizens known as eIDAS – “electronic identification and trust services for electronic transactions in the internal market.” eIDAS provides a framework for Member States to notify other states of their national electronic identification schemes. However, while eIDAS became mandatory in 2018, there was no obligation for any EU Member State to develop an electronic national identity. The result was a mismatch of non-interoperable identity systems.

Prior attempts to rectify this were unsuccessful, but in May 2024, the EU Digital Identity Framework Regulation (EU) No 910/2014 was introduced. The regulation specifies that Member States must offer at least one EU Digital Identity (EUDI) Wallet to all citizens and residents by November 2026. Private sector support for EUDI Wallets is required by November 2027. To meet this requirement, several large-scale projects have been working on architectures and wallets to test potential use cases and identify user journeys and technical issues.

However, building the rails to utilize these wallets and prevent wallet fraud is not without its challenges. The digital wallet landscape is a complex one, with an ecosystem of established incumbent wallets, such as Google Pay and Apple Pay – which come with their own complexities around payment dispute liability.

Many emerging identity wallets tick the decentralized checkbox and are used for a multitude of use cases, from apartment rental checks to in-store QR code payments to age estimation. The EUDI Wallet is a pan-European solution that is positioned as offering interoperable identity and payments that can work within and across borders in the EU.

At the time of writing, the latest version of the architecture and reference framework for the EUDI Wallet ecosystem is 2.7.3, shared on 12 November 2025 for public consultation.

How does the EUDI Wallet impact merchants?

By 2027, merchants who serve EU based customers will have to accept EUDI Wallets as a way of authenticating customers. The EUDI Wallet can be used for onboarding and KYC of customers as well as handling payments and regulations, such as the PSD2 (and now PSD3) requirement of SCA.

However, quality data sharing is a must-have to ensure friction is reduced and security is appropriate; customers should not be required to change their behavior to ensure that security is upheld.

EUDI and Secure Customer Authentication (SCA)

A merchant's use of EUDI Wallets is one of the core technology use cases, with customer verification, anti-fraud, and strong payment authentication (SCA) taking center stage. Indeed, merchants will be expected to handle robust authentication performed using an EUDI Wallet, as per Article 5f(2) of the regulation.

Payment authorization using an EUDI Wallet has the potential to streamline the entire process.

EUDI Wallets are designed to reduce friction, including the type of friction associated with robust authentication as required by the SCA rule under PSD2. By law, any regulated industry that must adhere to the SCA will be required to support authentication using an EUDI Wallet by November 2027. EUDI Wallet support is expected to create a more seamless user experience when required to meet SCA requirements.

EUDI Wallets and SCA – concerns

Consortiums comprising industry, academia, and government bodies are working to align the EUDI Wallets with everyday use cases in preparation for the regulation deadlines. For example, the WE BUILD Consortium focuses on business and payment use cases to streamline processes across the supply chain, including B2B, B2C and B2G (Business-to-Government) interactions, as well as ensure seamless and secure payments.

However, research from the Smart Payment Association and the Secure Identity Alliance concludes that onboarding and KYC of customers has the lowest bar to entry, but SCA-dependent transactions are far more complex. This view is also held by the Dutch Payment Association.

A recent paper by the group on EU Digital Identity Wallet use in payments, identifies a “gap between the intended scope of acceptance and the practical challenges of meeting the SCA requirements laid down in PSD2.” One of the issues identified in the paper is a lack of dynamic linking capability in EUDIWs, which is a requirement for SCA. Dynamic linking utilizes authentication tokens to associate the authentication process with the specific payee and transaction amount.

The Smart Payment Association study concludes that the EUDIW must not attempt to create its own payment rails. Instead, existing payment instruments and solutions should be integrated into the wallet to ensure compliant payments – including payment methods used by merchants.

Notably, for merchants and others, eIDAS and EUDI Wallets are fully aligned to GDPR, with consent an implicit aspect in the transaction and storage of personal data.

Relying parties – including merchants – that intend to utilize EUDI Wallets for public or private services will be required to register on Member States’ national registers of wallet-relying parties. Registrants receive an access certificate.

Merchant questions on EUDI Wallets

Understandably, merchants have many questions on how to handle and optimize the use of EUDIWs.

Does this apply to all merchants serving EEA (European Economic Area) customers, or only to EEA merchants?

EUDIW support applies to both EEA merchants and EEA customers. The EU requires that all citizens and residents in the EU must have access to a wallet. Any regulated business that must support SCA and robust customer verification must support EUDI Wallets. Merchants that are covered must support EUDI Wallets by November 2027.

Should merchants continue to support alternative authentication options for accessing services?

Yes, merchants should offer access to other authentication options, such as 3D Secure, as well as EUDIW.

Will merchants need to make any changes to their checkouts/payment systems?

EUDI Wallets are based on industry-standard APIs and protocols allowing for easier integration. Merchants should check with their existing integration flows and test the use of digital wallets within their current user journeys.

Are there exceptions/exemptions to supporting EUDIW?

Exemptions exist for micro and small enterprises. The EU defines these as companies with fewer than 50 employees and annual turnover of less than 10 million euros. Also, any use cases that do not require SCA are exempt – for example, low-value transactions, which are exempt under PSD2.

Are there any penalties for not accepting an EUDI Wallet as a form of online identification?

Penalties for non-compliance are expected to be up to 500,000 euros or 1% of global annual turnover – whichever is higher – in line with eIDAS. The legal systems of each member state must be taken into account. The legislation states that “Member States shall lay down the rules on penalties applicable to infringements of this Regulation. The penalties shall be effective, proportionate and dissuasive.” More information about penalties is expected to become available closer to the implementation deadline.

Is EUDI fraud a risk?

The era of static ID checks and authentication is no longer an option, and one of the core remits of the EUDI Wallet is to enable trust by reducing fraud risk. However, concerns have been raised about the security of the wallet. A EUDIW contains verified credentials that represent an individual and present a trustworthy source of data, and this static source of verified credentials presents a potential single point of vulnerability to cybercrime.

EUDI Wallets are designed to store verified credentials, such as identity documents, place of residence, age, and so on. Having access to these verified credentials allows an organization to carry out KYC and anti-money laundering (AML) checks. Trusted issuers cryptographically sign the verified credentials as they are generated. This affords a high level of assurance.

The verified credentials that represent an individual and present a trustworthy source of data could become the wallet’s Achilles’ heel. This static source of verified credentials presents a potential single point of vulnerability to fraud risk. A false sense of security could quickly become a trust issue unless proof of nontampering of a wallet is evident.

These risks may be compounded by poor implementation at the country level. Notably, the use of verified credentials is not trackable, in order to preserve privacy. And this untrackable use of credentials could potentially be exploited by cybercriminals.

Eurosmart highlights the risks of an EUDIW, urging the EU cybersecurity agency, ENISA, to include them in its annual threat landscape report. It’s a balancing act between privacy and security, of the type we often see with new developments in online processes.

Trust vs risk

The use of fraudulent EUDIW via PID (Person Identification Data) cloning, where citizens can become victims of impersonation attacks and wallet hijacking. Account takeover fraud in the age of EUDI is still an omnipresent threat – and can get even worse because of the high level of reliability of the individual on EUDIW.

Cloned PIDs that are high assurance will allow access to victims’ bank accounts, from which criminals can steal money and spend it however they please.

The EU and general cybersecurity best practices require that the wallet and the device upon which it resides must be stringently protected using phishing-resistant authentication. However, further transaction-level checks must be part of a comprehensive security approach.

The fact is that regulators must be smart about failsafes to the EUDI Wallet or any similar systems, providing solutions to questions around what happens when someone steals your identity and uses it to buy something. However uncommon, this would be a life-changing experience for the EUDI Wallet owner, and has to be mitigated against.

The ability to request a chargeback helps solidify trust in card-not-present payments and minimizes bad outcomes for victims of fraud. There needs to be an equivalent for the EUDI Wallet, so you can dispute illegitimate use of this wallet that belongs to you. This is a challenging process.

How to prevent EUDI Wallet fraud

Achieving trust for merchants is as much about offering great customer experiences as it is about secure transactions. Robust authentication is central to a secure checkout process, helping to reduce fraud and meet regulatory compliance. However, friction can result from the level of robust authentication required to achieve SCA. Merchants must minimize friction while maintaining security. Security measures, such as step-up authentication and machine learning for fraud prevention, are integral to establishing trust for online transactions.

The technology layers needed to achieve trust, while retaining the convenience and privacy of the wallets, include the following:

• Link analysis: Graph database link analysis is used to provide insights into relationships and identify signals of fraud. Unique data points, such as emails, phone numbers, device IDs, and payment methods, can be used by machine learning as well as human analysts to identify fraud signals from fraud rings, multi-accounting, ATO, suspicious new accounts, and other emerging fraud and scams.

• AI-first fraud detection: Two-factor/multi-factor authentication (2FA/MFA), often used by merchants, is no longer a silver bullet as MFA bypass attacks are a reality: 2FA can instill a false sense of security. Instead, machine learning and behavioral analysis offer a means to deliver adaptive authentication that modifies the rules of access and authorization, identifying fraud signals and emerging attack patterns.

• Adaptive authentication: Adaptive step-up authentication strikes a balance between friction and security, providing the framework for regulatory compliance while ensuring customers experience seamless transactions. Adaptive authentication also provides the balance needed to reduce the friction associated with the complex security requirements of PSD2 and SCA. The enforcement of adaptive authentication, driven by machine learning, can be used to ensure that an EUDI Wallet becomes a seamless way to pay.

• EUDI-specific failsafes: EUDI Wallet failsafes include registration and certification of relying parties and a robust decentralized architecture. Regulation and legislation provide an overarching legal framework. At the individual and merchant level, however, liability for a SCA-compliant transaction ultimately rests with the relying party. Failsafes will rely on existing payment standards as well as additional layers of capability provided by orchestration and anti-fraud vendors. As always, the devil is in the detail and implementation complexities must be ironed out as the time for implementation draws closer.

Better shopping journeys – for those prepared

The European “Path to the Digital Decade” has set a target of 80% of EU citizens using digital ID by 2030. EU regulators understand the importance of key insights from high-quality data and are working towards guidance that includes the use of anti-fraud technologies to enhance the convenience and privacy of these decentralized wallets.

EUDI Wallets offer a promise of a secure, standards-based, interoperable infrastructure and ultimately better shopping journeys. However, the input of quality data and AI-enabled analytics is critical to prevent fraudulent transactions, account takeover and impersonation attacks.

Merchants, speak to your partners and keep an eye on developments. Preparing for the digital infrastructure of the future can give you a competitive edge.

Related Content

• Video: Navigating Authentication: Status, Challenges, and Mastercard’s 2030 Vision (Mastercard at RavCon 25)
• SCA transaction optimization guide & differences between out-of-scope, TRA and other exemptions
• Online payment fraud solution
• Ravelin 3D Secure Server & SDKs
• What does fraud look like on digital wallets?
• Link analysis for fraud detection – a guide