Strong customer authentication (SCA) plays a key role in the implementation of the second Payment Services Directive (PSD2) in the European Union. PSD2 was introduced in order to harmonise the payments market in Europe and protect customers by making payments more secure.
The commissioner responsible for financial stability, financial services and capital markets union at the time, Jonathan Hill, called the proposals for PSD2 “a step towards a digital single market; it will benefit consumers and businesses, and help the economy grow.”
PSD2 came into effect in September 2019 and, although SCA is cited as a major element in securing electronic payments, member states were given additional time to implement strong customer authentication requirements within their borders by the European Banking Authority (EBA).
What is Strong Customer Authentication?
SCA is a way of incorporating additional levels of security into the electronic payment process. This creates a requirement for banks and payment providers to ask for more than one form of identification when customers perform a transaction with a card face-to-face or online. Under SCA regulations, there are three different elements of identity verification, and payment firms must ask for a combination of at least two of them. The three elements are:
POSSESSION – Something only you have
INHERENCE – Something only you are
KNOWLEDGE – Something only you know
Which Countries Does it Apply to?
SCA is an EU initiative, covering the European Economic Area (EEA) as part of PSD2, which has also been onshored into UK law post-Brexit. It is not yet a requirement in the US, but many commentators believe that SCA will be likely to make its way across the Atlantic, too.
Which Types of Organisations Does it Affect?
The strong customer authentication requirements affect banks, payment providers and all businesses that process payments online. PSD2 states in Article 97 that organisations must ensure SCA measures are in place when a payer:
- Accesses a payment account online
- Initiates a transaction involving electronic payments
- Carries out any remote transaction where there is a risk of payment fraud and other abuses.
The focus will be mainly on card payments and bank transfers, where the money is intended to move instantly. In these cases, it is essential to be satisfied immediately that the customer is who they say they are in order to stop fraud from happening.
What does this mean for businesses?
Customers need to supply their bank with at least two forms of identification from at least two of the above three categories for their face-to-face or online card payments. If they do not provide this, their transactions may be declined.
Businesses should make sure their card terminals for face-to-face payments are compliant. For example, Chip and PIN is a compliant method of paying under SCA. For online payments, the process at checkout should ask customers for two-factor authentication.
When is the Deadline to Implement SCA?
The EBA set a date of 31st December 2020 for full implementation of the SCA requirements in the EEA. However, each member state has set its own timeline for compliance. For example, Denmark entered full enforcement on 12th January 2021, whilst Belgium migrated to the new rules in May 2021. Other EU nations are planning on implementing the rules in full over the next year.
In the UK, online banking enforced SCA in March 2020, with a deadline of 14th September for e-commerce transactions set by the Financial Conduct Authority (FCA).
The SCA Requirements Explained
According to the regulatory technical standards (RTS), the primary requirement of SCA is the following:
“Payment service providers shall have transaction monitoring mechanisms in place that enable them to detect unauthorised or fraudulent payment transactions.”
This essentially means that they should have procedures for performing the required multi-factor authentication when processing payments in order to be sure that the person making the transaction is who they say they are.
In addition, payment providers should also be able to monitor transactions to take into account certain potential risk factors. These include:
- Cross-referencing against lists of compromised or stolen authentication elements
- Assessing the size of the transaction in terms of the likelihood that it is being made fraudulently
- Understanding common traits of frauds
- Recognising the signs of malware at any point in the authentication process
- Logging the use and potential misuse of access devices and software issued by the payment provider
Other requirements include:
- When carrying out the authentication on the transaction, the provision of two of the three different SCA elements (inherence, knowledge and possession) generates an authentication code, which can only be used once.
- To meet dynamic linking requirements, the code should be specific to the payer and the transaction amount. If the amount changes, you need to generate a new code.
- The payer should be made aware of the transaction value during authentication.
- It should not be possible to forge the authentication code.
- The process should allow the user and their security credentials to remain confidential through encryption.
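The dynamic-linking rules above (a single-use code bound to the payer and the exact amount, which cannot be forged) can be illustrated with an HMAC-based authentication code. This is an added example, not code from the page or from any PSD2 implementation; the key, payer, payee and nonce values are constructed, and a real issuer would hold the key in an HSM or the payer's secure element.

```python
import hashlib
import hmac
import secrets
from decimal import Decimal


def new_nonce() -> str:
    """Fresh per-transaction value so two payments never share a code."""
    return secrets.token_hex(8)


def build_auth_code(key: bytes, payer_id: str, payee: str, amount: Decimal, nonce: str) -> str:
    """Derive a dynamically linked authentication code.

    The code is an HMAC over payer, payee, the exact amount (as shown to the payer
    during authentication) and a nonce, so it is specific to this transaction and
    cannot be produced without the issuer-held key. Truncated to 16 hex chars for display.
    """
    msg = "|".join([payer_id, payee, f"{amount:.2f}", nonce]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class AuthCodeVerifier:
    """Issuer-side check: the code must match the transaction and may be used only once."""

    def __init__(self, key: bytes):
        self._key = key
        self._used = set()  # codes already accepted (replay protection)

    def verify(self, payer_id: str, payee: str, amount: Decimal, nonce: str, code: str) -> bool:
        expected = build_auth_code(self._key, payer_id, payee, amount, nonce)
        # Constant-time comparison; a changed amount or payee yields a different HMAC.
        if not hmac.compare_digest(expected, code):
            return False
        if code in self._used:
            return False  # single-use: a replayed code is rejected
        self._used.add(code)
        return True


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; never hard-code a real key
    nonce = new_nonce()
    code = build_auth_code(key, "payer-1", "merchant-42", Decimal("49.99"), nonce)
    v = AuthCodeVerifier(key)
    print(v.verify("payer-1", "merchant-42", Decimal("49.99"), nonce, code))  # True
    print(v.verify("payer-1", "merchant-42", Decimal("59.99"), nonce, code))  # False: amount changed
```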
There are some exemptions to SCA, mainly related to the low-risk nature of some transactions. These are:
Low-value contactless payments
Where the cost of the transaction at the point of sale is below €50 and the cumulative amount of transactions paid using contactless since the last use of SCA is less than €150. There must also have been five or fewer contactless payments via the same method since the last use of SCA.
Unattended transport payment points
When you pay at a machine for parking or transport costs, your transaction does not need to undergo SCA.
Trusted payees
Once a payer creates a list of trusted payees, future transactions with these entities will not have to use SCA.
Recurring payments
Although you need to undergo SCA when you set up a recurring payment, the subsequent payments are not subject to it.
Transfers between accounts held by the same entity
When you make a transfer between accounts held by the same natural or legal person, there is no need to use SCA.
Low-value remote transactions
You do not need SCA when you make remote transactions worth less than €30, as long as you haven’t accumulated remote transactions worth €100 cumulatively or made five such transactions since the last time SCA was applied on that payment method.
Secure corporate payment processes and protocols
Legal persons can avoid SCA by making secure payments using processes that are not available to consumers. This can happen when the relevant competent authorities in that nation have deemed that the legal person meets the required levels of security.
Low-risk transaction assessment
Payment providers and merchants can conduct their own analysis of transactions to assess the risk of fraud. Using this, they can request that the bank waive SCA for specific transactions. The bank can then accept or decline.
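The two low-value exemptions above are a set of running counters per payment instrument. The following added example (not code from the page or any issuer's system) applies the page's thresholds, using one state object per channel (contactless or remote) and assuming that the current transaction counts towards the cumulative amount and count, and that both counters restart whenever SCA is applied.

```python
from dataclasses import dataclass
from decimal import Decimal

# Thresholds in EUR as stated on the page: per-transaction "below"/"less than",
# cumulative "less than", and "five or fewer" transactions since the last SCA.
LIMITS = {
    "contactless": {"single": Decimal("50"), "cumulative": Decimal("150"), "count": 5},
    "remote":      {"single": Decimal("30"), "cumulative": Decimal("100"), "count": 5},
}


@dataclass
class InstrumentState:
    """Running totals for one card/channel since SCA was last applied.

    Assumption: the transaction being evaluated is included in the totals it is
    checked against, so the fifth exempt payment is allowed and the sixth is not.
    """
    amount_since_sca: Decimal = Decimal("0")
    count_since_sca: int = 0


def low_value_exempt(kind: str, amount: Decimal, state: InstrumentState) -> bool:
    """True when this transaction may skip SCA under the low-value exemption."""
    lim = LIMITS[kind]
    return (
        amount < lim["single"]
        and state.amount_since_sca + amount < lim["cumulative"]
        and state.count_since_sca + 1 <= lim["count"]
    )


def process(kind: str, amount: Decimal, state: InstrumentState) -> bool:
    """Decide on one transaction and update the counters; returns True if SCA was applied."""
    if low_value_exempt(kind, amount, state):
        state.amount_since_sca += amount
        state.count_since_sca += 1
        return False
    # SCA is applied, so the cumulative counters for this instrument start again.
    state.amount_since_sca = Decimal("0")
    state.count_since_sca = 0
    return True


if __name__ == "__main__":
    card = InstrumentState()  # constructed sample: six EUR 20 contactless payments
    print([process("contactless", Decimal("20"), card) for _ in range(6)])
    # [False, False, False, False, False, True]: the sixth tap requires SCA
```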
What should your organisation do now?
You should ensure that your payment processes are compliant with SCA. If they are operated by a third party, you should consult with them for assurances that they have the mechanisms in place to achieve compliance.
It is worth informing customers about the potential changes to the way they perform transactions. This could be in advance or it might involve a note or comment during the additional step of authentication to help them understand what has changed and why.
Is 3DS the same as SCA?
3D Secure is a payment system that requires an additional level of security before processing a transaction, thus making it a solution for complying with SCA. 3DS will be phased out in 2022 and replaced by 3DS2, which offers a smoother transaction for customers, whilst continuing to require two forms of identification from at least two of the elements of SCA.
Which transactions does SCA apply to?
SCA applies to all payments at online retailers and mobile electronic payment transactions across the EEA and UK unless they form part of the exemptions.
Strong customer authentication is essential for complying with the requirements of PSD2 and your organisation should be taking steps to implement the right processes. The rules apply to a wide range of digital transactions, as well as when customers log into accounts.
One solution for a compliant identity verification tool is ID Connect, which allows customers to log in using an authenticated electronic ID (eID), rather than a username and password. This consists of one-time full identification per SCA standards, helping you meet the requirements. Contact our sales team to find out more.