Overview

• What Is Strong Customer Authentication?
“Customer authentication” is a process that allows a device to verify the identity of someone who connects to a network resource. As per the latest regulatory requirements in Europe it has now become mandatory for the banks and other financial institutions to make their ‘Customer Authentication’ more secure and risk proof. Strong Customer Authentication known as SCA is a new mandatory requirement for authenticating online payments that will go live in Europe on September 14, 2019. This regulation will apply to online payments within the European Economic Area (EEA) where the cardholder’s bank and the business’s payment provider are both in the EEA.

• What is the Strong Customer Authentication requirement?
SCA will require payments to be authenticated using at least two of the following three elements:
1) Something that the customer knows (e.g., password or security question)
2) Something the customer has (e.g., phone or hardware token)
3) Something the customer is (e.g., fingerprint or face ID)

• How Strong Customer Authentication (SCA) fits into PSD2?
The European Payment Service Directive (PSD2) regulations came into force in January 2018 for achieving increased competitiveness, accelerating innovation, protecting consumer rights, strengthening security and harmonizing payments across European payments industry. As part of PSD2, new Regulatory Technical Standards (RTS) have been created for enhancing security protection levels and reducing the increasing number of financial fraud that is occurring. A key element of these security standards is the requirement for Strong Customer Authentication (SCA) to be performed for electronic payments.

• Which payments will be covered under SCA?
Strong Customer Authentication will apply to customer-initiated online payments within Europe. Most card payments and all credit transfers will require Strong Customer Authentication. Recurring direct debits are considered merchant-initiated and will not require SCA. A card payment will be in scope of the regulation if the cardholder’s bank and the business’s payment provider are both located in the European Economic Area (EEA).

• What is dynamic linking?
The “dynamic linking” aspect in SCA means that the authentication code should dynamically fail if a middleman tries to use it for the wrong payee or amount. The inclusion of such dynamic linking elements in SCA features a well encompassed additional authentication layer beyond the two-factor authentication required under SCA.

• What are the requirements of dynamic linking element of SCA?
First, it requires a payer to authenticate a financial transaction by calculating an authentication code over certain transaction data (at least the amount and some information identifying the beneficiary), so that the authentication code is linked to this data. Second, the confidentiality and integrity of the transaction data should be protected throughout the authentication process. Third, the online banking user should be aware of the transaction data that they authenticate.

• What are the challenges for SCA?
The first challenge facing SCA is the unilateral application by banks across accounts, regardless of whether they’re PSD2 regulated or the type of activity requiring access to the account. While it may seem transparent and secure to apply SCA across accounts, if these standards are applied to all read-only access to savings, individual savings accounts (ISAs), and loans, customers may soon experience significant friction across their banking journeys. The second challenge will be for consumers as SCA regulations mean that consumers must be present for each point of data access, regardless of whether they’ve previously given authorization or not.

• What are the key drivers of SCA?
Technological advances in areas such as cloud and mobile applications have opened up the banking sector for new competitors. These TPPs are offering new ways for customers to access their bank accounts to make payments. Another major change has been the continuing rise in online shopping. Unfortunately, the rise in e-commerce has resulted in a concomitant rise in cybercrime; both in data breaches and online credit card fraud which makes SCA a necessity

• What are the regulatory technical standards?
These standards provide detailed specifications to achieve the strict security requirements for payment service providers in the EU. The standards make reference to the PSD2 directive as well as other mechanisms for ensuring transactional security like eIDAS and trust services.

• What are the implications of SCA?
One of the most important implication of Strong Customer Authentication (SCA) is that it will drive acquirers and other entities in the payment processing ecosystem to improve their fraud rate as that would mean they could offer frictionless flow at higher thresholds which will mean improved security in the payments space but it can also have an negative impact as its implementation can hinder customer experience and place additional burdens on merchants and Payment Service Providers (PSPs).