Everything About Strong Customer Authentication, Explained
Author: Gašper Grad
Source: Fintech Factory
The banking landscape has changed substantially in recent years. Today, banking services are accessible 24 hours a day from the comfort of our homes; all we need is a personal computing device and an Internet connection. New technologies have brought new features for customers, and new opportunities for fraud. This is why new regulation was introduced, including the requirement for Strong Customer Authentication.
What is Strong Customer Authentication (SCA)?
Strong Customer Authentication (SCA) is a requirement of the EU's revised Payment Services Directive (PSD2), spelled out in the Regulatory Technical Standards (RTS) that accompany it. It aims to make online payments and banking more secure by setting new rules for authentication. Under SCA, the process must include elements from at least two of the following three categories, and the elements have to be independent of one another, so that the breach of one does not compromise the reliability of the others. The categories are:
Something that only the customer knows (knowledge): Typical examples are a password and a PIN. Other alternatives exist, but with an important detail: the element must be something that only the customer should know. An email address, a date of birth or the card details printed on the card do not qualify. Knowledge must also not be confused with possession: a one-time password received by SMS or generated by a token is not something only the customer knows, but something anyone who has stolen his or her phone or token could obtain.
Something that only the customer has (possession): Typical examples are mobile phones and hardware tokens. A mobile app can count too, but only if it is bound to one specific device, for example through a key kept in the phone's secure hardware, so that a copy of the app on another phone is not enough. Possession of a phone is commonly tested by sending it an SMS, but this is a weak proof: SIM-swap fraud and number porting let an attacker receive the customer's messages without ever holding the phone.
Something that only the customer is (inherence): This is where biometrics come in. It began with fingerprints, but there are now many alternatives, such as face, iris, retina, hand-geometry and ear scans, voice recognition and heart-rate patterns. There are also more exotic ones, such as the vein pattern of the hand, and behavioural biometrics: the way a person types or swipes and the angle at which they hold the device.
Including elements from at least two out of these three categories means that, for example, the combination of face recognition with a fingerprint is not sufficient because those are two biometrics and it fulfills only the criterion of something that the customer is. An example of SCA compliant authentication is one that includes face recognition and a PIN code.
When is SCA required?
Strong Customer Authentication is required whenever the customer:
accesses his or her payment account online;
initiates an electronic payment transaction;
carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.
Are there any exceptions?
There are some cases when customers can be exempted from SCA:
Low-risk transactions (transaction risk analysis): If the payment service provider applying the exemption (the merchant's acquirer or the cardholder's bank) has a fraud rate for that payment type below the reference rate set by the regulator, it may skip SCA for transactions up to a matching amount. The reference rates are 0.13% for transactions up to 100€, 0.06% for transactions up to 250€ and 0.01% for transactions up to 500€, so the lower the provider's fraud rate, the higher the amount it may exempt.
Low-value payments: Customers can also be exempted from SCA when a remote electronic payment is 30€ or less. Nevertheless, SCA must be performed again after five consecutive exempted payments or once 100€ has been spent since the last SCA.
Recurring payments and trusted beneficiaries: Another exemption covers a series of payments of the same amount to the same payee, such as subscriptions; only the first transaction requires SCA. Payers can also add payees to a list of trusted beneficiaries held by their bank, after which payments to those payees no longer require two-factor authentication (creating or changing the list itself requires SCA).
Other cases: Mail-order and telephone-order payments are outside the scope of SCA altogether. Further exemptions cover transfers between accounts held by the same natural or legal person at the same bank, payments at unattended terminals for transport fares or parking fees, and contactless payments at the point of sale (which have their own per-transaction and cumulative limits).
For online card payments, SCA is required only when both the card issuer and the merchant's acquirer are located in the European Economic Area; transactions where one of the two sits outside the EEA ("one-leg-out" transactions) are not covered by the requirement.
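The low-value exemption above is stateful: the issuer has to remember what it has already exempted since the customer last performed SCA, and reset that memory whenever SCA is applied. The following is an added example, not code from the article or from any card scheme, of how such a counter can be kept. It generalises slightly beyond the text: the same logic is parameterised for the contactless point-of-sale exemption, whose RTS figures (50€ per payment, 150€ cumulative, five consecutive payments) are not given on this page. It applies both counters and does not let the current payment push the cumulative total over the limit, which is the conservative reading; the constructed sequence of payments in walk_through() is sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LowValueLimits:
    per_txn: int        # ceiling for a single payment, euro cents
    cumulative: int     # ceiling for the total exempted since the last SCA
    consecutive: int    # ceiling for how many payments were exempted since the last SCA


# Figures from the RTS, in euro cents. The remote figures are the ones this page quotes;
# the contactless ones are the corresponding RTS values for point-of-sale payments.
REMOTE_LOW_VALUE = LowValueLimits(per_txn=3_000, cumulative=10_000, consecutive=5)   # Article 16
CONTACTLESS_POS = LowValueLimits(per_txn=5_000, cumulative=15_000, consecutive=5)    # Article 11


class ExemptionCounter:
    """Issuer-side state for one payment instrument under one exemption."""

    def __init__(self, limits: LowValueLimits):
        self.limits = limits
        self.spent_since_sca = 0     # euro cents exempted since the last SCA
        self.count_since_sca = 0     # payments exempted since the last SCA

    def decide(self, amount_cents: int) -> str:
        """Return "exempt" or "sca" for a payment of amount_cents and update the state.
        Both counters are applied (conservative reading), and a payment that triggers
        SCA starts a fresh window."""
        lim = self.limits
        if (amount_cents <= lim.per_txn
                and self.spent_since_sca + amount_cents <= lim.cumulative
                and self.count_since_sca < lim.consecutive):
            self.spent_since_sca += amount_cents
            self.count_since_sca += 1
            return "exempt"
        # SCA is applied to this payment, so "since the last SCA" restarts now.
        self.spent_since_sca = 0
        self.count_since_sca = 0
        return "sca"


def walk_through() -> list:
    """Constructed sequence of remote card payments (euro cents): four payments of 25€
    fill the 100€ window, a 10€ payment then forces SCA and resets it, six payments of
    5€ run into the five-payment cap, and a 35€ payment exceeds the per-payment ceiling."""
    counter = ExemptionCounter(REMOTE_LOW_VALUE)
    amounts = (2_500, 2_500, 2_500, 2_500, 1_000, 500, 500, 500, 500, 500, 500, 3_500)
    return [counter.decide(a) for a in amounts]
```

Note that the counter is per instrument, not per merchant: the window the RTS describe is the customer's own spending since their last SCA, so the state must live with the issuer, which is the only party that sees all of the customer's payments.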
How will SCA change the way we pay?
At the moment, the most common way of authenticating a customer is sending an SMS with a one-time password that has to be entered on the platform where the purchase is being made. Many payment service providers were hoping that this method would satisfy SCA, but it does not: the SMS proves only one category, "something that the customer has", and a second, independent element is missing.
The simplest way to upgrade is to give customers an additional PIN that has to be entered for SCA. That makes the process compliant, but PINs still leave room for fraud: they can be phished, guessed or shared. Biometrics are harder to steal remotely, though unlike a PIN they cannot be replaced once compromised, which is why they are normally verified on the device to unlock a device-bound key rather than sent to the bank. The idea of many service providers is to use the same authentication for logging into the mobile bank and for confirming online transactions.
Mastercard and Visa have introduced a flow in which the customer receives a push notification on their mobile device. The notification is dynamically linked to the specific amount and payee, as the RTS require for remote payments: the authentication code is computed over those values, so if either is changed after the customer has approved, the code no longer verifies. The customer logs into their mobile banking app and confirms the transaction with either biometrics or a PIN. This way two of the three elements are included and the payment is SCA compliant. 3-D Secure is the best-known authentication protocol for online card payments and is used by Visa, Mastercard and American Express; its latest version, 3-D Secure 2 (EMV 3DS), is designed to carry SCA.
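The following is an added example, written for this article and not code from Mastercard, Visa, 3-D Secure or any bank, that shows the two ideas of the preceding paragraphs in working form: two independent factors (a key provisioned to the enrolled phone as possession, a PIN checked by the issuer as knowledge) and dynamic linking (the authentication code covers the amount and payee the customer was shown, so a transaction altered afterwards fails verification). It also enforces the RTS cap of five consecutive failed attempts, a challenge lifetime and single use. The names (Issuer, phone_approve, the five-minute lifetime), the customer and the shop are all assumptions, and the HMAC shared key is a simplification: a real deployment uses an asymmetric key in the phone's secure hardware so that the issuer holds nothing that could forge the code.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_FAILED_PIN_ATTEMPTS = 5     # the RTS allow at most five consecutive failures before blocking
CHALLENGE_TTL_SECONDS = 300     # assumption: an approval request stays valid for five minutes


@dataclass
class Enrollment:               # issuer-side record; the two factors are stored and checked separately
    device_key: bytes           # possession; assumption: the phone keeps its copy in secure hardware
    pin_salt: bytes
    pin_hash: bytes             # knowledge; only a salted PBKDF2 hash is kept
    failed_pins: int = 0
    locked: bool = False


@dataclass
class Challenge:                # what the issuer pushes to the phone; cents keep floats out of signed data
    challenge_id: str
    nonce: bytes
    amount_cents: int
    currency: str
    payee: str
    created: float
    used: bool = False


def hash_pin(pin, salt):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def auth_code(device_key, challenge_id, nonce, amount_cents, currency, payee):
    """Authentication code bound to the challenge AND the exact amount and payee
    (dynamic linking). Fields are length-prefixed so no two inputs encode alike."""
    parts = [challenge_id.encode(), nonce, str(amount_cents).encode(), currency.encode(), payee.encode()]
    data = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(device_key, data, hashlib.sha256).digest()


def phone_approve(device_key, ch):
    """App side: after showing ch.amount_cents and ch.payee and getting the customer's
    confirmation, produce the code for exactly those values with the device-bound key."""
    return auth_code(device_key, ch.challenge_id, ch.nonce, ch.amount_cents, ch.currency, ch.payee)


class Issuer:
    def __init__(self):
        self.customers = {}
        self.challenges = {}

    def enroll(self, user, pin):
        salt, key = secrets.token_bytes(16), secrets.token_bytes(32)
        self.customers[user] = Enrollment(key, salt, hash_pin(pin, salt))
        return key              # provisioned to the phone once, at enrollment

    def create_challenge(self, user, amount_cents, currency, payee):
        ch = Challenge(secrets.token_hex(8), secrets.token_bytes(16), amount_cents, currency, payee, time.time())
        self.challenges[(user, ch.challenge_id)] = ch
        return ch               # sent to the phone as the push notification

    def verify(self, user, challenge_id, amount_cents, currency, payee, code, pin, now=None):
        """Check the transaction as actually submitted against the customer's approval."""
        now = time.time() if now is None else now
        enr, ch = self.customers.get(user), self.challenges.get((user, challenge_id))
        if enr is None or ch is None:
            return "unknown"
        if enr.locked:
            return "locked"
        if ch.used:
            return "replayed"
        if now - ch.created > CHALLENGE_TTL_SECONDS:
            return "expired"
        # Possession and dynamic linking in one step: only the enrolled key yields this code,
        # and only for the amount and payee the customer saw. A transaction whose amount or
        # payee was altered after approval fails here.
        expected = auth_code(enr.device_key, ch.challenge_id, ch.nonce, amount_cents, currency, payee)
        if not hmac.compare_digest(expected, code):
            return "possession_or_link_failed"
        # Knowledge factor, checked independently of the device, with the lockout counter.
        if not hmac.compare_digest(hash_pin(pin, enr.pin_salt), enr.pin_hash):
            enr.failed_pins += 1
            if enr.failed_pins >= MAX_FAILED_PIN_ATTEMPTS:
                enr.locked = True
            return "bad_pin"
        enr.failed_pins = 0
        ch.used = True          # a code is good for one clearing only
        return "approved"


def demo():
    """Constructed walk-through: one customer approving a 49.99 EUR purchase."""
    issuer = Issuer()
    key = issuer.enroll("alice", "4821")                          # constructed sample customer
    ch = issuer.create_challenge("alice", 4999, "EUR", "Example Shop")
    code = phone_approve(key, ch)                                 # customer confirmed 49.99 EUR to Example Shop
    a = ("alice", ch.challenge_id)
    return {
        "amount_tampered": issuer.verify(*a, 499900, "EUR", ch.payee, code, "4821"),
        "payee_tampered": issuer.verify(*a, 4999, "EUR", "Attacker Ltd", code, "4821"),
        "wrong_pin": issuer.verify(*a, 4999, "EUR", ch.payee, code, "0000"),
        "approved": issuer.verify(*a, 4999, "EUR", ch.payee, code, "4821"),
        "replay": issuer.verify(*a, 4999, "EUR", ch.payee, code, "4821"),
    }
```

Two design points matter in practice. The possession check is done before the PIN check so that an attacker who has neither the device nor the PIN cannot burn the customer's lockout counter, and the PIN check does not consume the challenge, so a typo does not force a new push notification. What the app shows the customer must be exactly what it signs; if the app took the amount from the merchant page instead of from the issuer's challenge, dynamic linking would protect nothing.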
Why is implementing SCA important?
The first reason why banks and payment service providers should pay close attention to SCA is that the potential penalties for non-compliance are substantial, ranging from 12.500€ to 125.000€. Second, a provider that is not SCA compliant may be held liable for the damage in case of fraud: under PSD2, the liability for an unauthorised transaction shifts to the party that did not apply SCA. Lastly, an untrustworthy payment system carries a high opportunity cost in lost sales.
When is the deadline for the implementation?
The deadline for implementing SCA was 14 September 2019. However, as many banks and payment service providers were not ready, most countries (including Slovenia) postponed the deadline until the end of the year. Lobbying is still taking place, so the final date may yet be pushed to the end of 2020.
Questions about SCA implementation? Contact us!
If you want us to help you implement SCA in your business in a way that doesn't ruin the user experience, we are here to help! Send us an email at firstname.lastname@example.org and we'll be in touch soon.