What is Strong Customer Authentication (SCA) under PSD2?
An in-depth look at the EU directive that aims to harmonise online payment protection
Strong Customer Authentication (SCA) is a mechanism introduced by the European Union (EU) requiring financial services companies in the European Economic Area (EEA) to employ additional security measures on customer payments of more than £30.
SCA forms part of the EU’s Second Payment Services Directive (PSD2) and came into force on 14 September 2019. The measure, now being actively enforced by regulators, was implemented to ensure financial services are embedded with adequate and standardised levels of security. It guarantees that customers are protected, regardless of which company they bank with, and that all financial services firms adhere to the same standards.
This additional layer of security comes in the form of multifactor authentication (MFA) when making transfers online, although banks can use a variety of derivatives of this technology at their discretion. Natwest, for example, announced in 2020 that it would replace passwords with behavioural biometrics to comply with SCA. This technology analyses how a customer interacts with their device when making a purchase, and then uses this to confirm the identity of the payee and ensure the cardholder is authorising the payment.
From 14 March 2020, the UK’s Financial Conduct Authority (FCA) began enforcing SCA under PSD2 for online and mobile banking. COVID-19 forced the deadline for enforcement to be extended, with all e-commerce transactions subject to the regulation from 14 March 2022. This deadline had previously been 14 September 2021. Direct debit payments and other transactions initiated by merchants and vendors aren’t subject to the regulation and will continue as they previously have done.
Implementing and enforcing SCA under PSD2 aims to reduce the levels of fraud by forcing users to confirm their identity using more than one method, such as a PIN code or through biometric information. All customers who access their bank accounts online, send money through the internet or engage in any activity that might be subject to a risk of fraud will be subject to SCA. The changes also mean that any payments that don’t go through these additional security requirements are likely to be rejected.
What need is there for SCA under PSD2?
There has been an explosion in the number of people in the UK using mobile devices to access financial services and make payments in the last few years. This feeds into a wider trend that has also seen the use of cash fall dramatically, with debit card payments eclipsing cash transactions for the first time in 2017.
According to the British Retail Consortium, card payments accounted for more than three-quarters of all retail sales last year, and further research predicts that cash will account for just 9% of purchases from 2028.
Modern card transactions are already covered by something equivalent to SCA through the Chip and PIN mechanism, but this has yet to extend to online payments.
There has also been a growth in digital banks like Monzo, which don't have any physical branches and instead run exclusively online. Approximately one in ten people in the UK are estimated to have an account with a digital-only bank, with a quarter of the population projected to have one by 2023.
How does this regulation keep money safe?
Using banknotes has always been straightforward, from a verification point of view, given we physically hand these over to merchants or service providers when paying for goods and services. The digitising of cash has added complexity to this process, however, and it’s becoming harder to ascertain the legitimacy of payments when they’re increasingly being made over the internet.
Although digital payments are much easier for many consumers than traditional forms of payment, the level of fraud has also risen substantially. According to UK Finance, losses on UK bank cards exceeded £671 million, a 19% increase from 2017.
This regulation specifically aims to address the rising spectre of fraud, with SCA under PSD2 affecting many aspects of digital payments and transactions when it comes into force across the whole payments industry. The directive will also apply in the UK regardless of Brexit, mainly because the country’s biggest financial institutions have sought to remain aligned with the EU under any circumstances for fear of losing business.
SCA will introduce the need for MFA to be used on any payment totalling more than £30, with the second factor used to verify that the transaction is legitimate. This is perhaps the most significant change that the regulation coming into force will make. This process can entail a PIN being used in combination with a mobile phone or credit card, but verification could even come in the form of something like a fingerprint scan.
Don't we already have MFA for banking in place?
MFA currently exists in the form of 3D Secure (3DS), used mainly for credit card transactions, but it is only deployed in cases where there's an obvious risk of fraud. When making online purchases, for instance, a second action window may open and ask for further details. This can often be frustrating in-browser and on a mobile device due to poor configuration. A revised version allows for biometrics (fingerprint or face), which is more amenable to phone users.
3DS also offers the ability for the seller to opt-out of the second verification factor, making transactions smoother, but reducing the security element and potentially putting buyers at risk.
PSD2 abides by a different set of regulations, with transactions under £30 passing without SCA's MFA requirement, but beyond that, the rules dictate a mandatory request for another form of verification.
The likelihood of a second factor being needed is based on the fraud rate of the acquiring bank and the issuer. The less fraud a bank experiences, the more you can spend before a second factor is required. Crucially, the merchant no longer has a say in whether they require MFA from their users or not. Moreover, every fifth transaction below that £30 threshold will be challenged, as well as when the combined value of transactions exceeds £100.
How to secure payments under SCA
An updated version of 3DS, dubbed 3D Secure 2 (3DS 2), arrived in 2019. This newer standard aims to reduce some of the added frictions that MFA could bring without compromising on necessary security.
3DS 2 functions by allowing more information to be sent from a provider to the customer's bank. This may include details specific to the payment, like the shipping address, as well as contextual information like device data, transaction history, server information, and even the time zone. All these details feed into a risk assessment run by the customer's bank to determine whether additional authentication checks are needed.
By default, any payment process that already uses MFA will be compliant under the SCA directive, like the swathe of digital banks that require biometric verification, or services like Apple Pay.
There are a host of exemptions to the SCA directive, however. For services that rely on recurring payments or subscriptions, MFA will only be needed on the first customer-initiated payment.
It's important to remember that the cardholder's bank decides whether MFA is required and whether an exemption from SCA is valid.
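The threshold rules above (a challenge on payments over £30, on every fifth payment below that threshold, and once the combined value of such payments exceeds £100), the recurring-payment exemption, and the exclusion of merchant-initiated payments can be pulled together into a single issuer-side decision function. The following is an added example, not code from the article or from any bank or card scheme: it encodes the rules exactly as the article states them, while the data model, counters, field names and function names are assumptions made here for illustration.

```python
"""Illustrative issuer-side SCA decision logic (added example, hypothetical model).

Thresholds come from the article: GBP 30 per payment, GBP 100 combined value of
low-value payments, and a challenge on every fifth low-value payment. The state
kept per card, and how it is reset, is an assumption of this example.
"""
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Optional, Set, Tuple

LOW_VALUE_LIMIT = Decimal("30")    # per-payment threshold stated in the article
CUMULATIVE_LIMIT = Decimal("100")  # combined value of low-value payments since last SCA
MAX_UNCHALLENGED = 5               # "every fifth transaction below that threshold"


@dataclass
class CardholderState:
    """Counters the issuer keeps per card between challenges (hypothetical)."""
    low_value_count: int = 0                   # low-value payments since last SCA
    cumulative_value: Decimal = Decimal("0")   # their combined value
    recurring_authorised: Set[str] = field(default_factory=set)  # mandates already SCA'd


@dataclass
class Transaction:
    amount: Decimal
    customer_initiated: bool = True     # False = merchant-initiated (e.g. a direct debit)
    mandate_id: Optional[str] = None    # set for recurring / subscription payments


def _reset(state: CardholderState) -> None:
    """A completed SCA challenge starts the low-value counters afresh."""
    state.low_value_count = 0
    state.cumulative_value = Decimal("0")


def decide(tx: Transaction, state: CardholderState) -> Tuple[bool, str]:
    """Return (sca_required, reason) and update the cardholder's counters.

    Order follows the article: merchant-initiated payments are out of scope; a
    recurring series needs SCA only on its first customer-initiated payment;
    anything above the per-payment limit is challenged; low-value payments use
    an exemption that lapses on every fifth payment or when their combined
    value passes the cumulative limit.
    """
    if not tx.customer_initiated:
        return False, "merchant-initiated: outside SCA scope"
    if tx.mandate_id is not None:
        if tx.mandate_id in state.recurring_authorised:
            return False, "recurring payment: SCA already applied on first payment"
        state.recurring_authorised.add(tx.mandate_id)
        _reset(state)
        return True, "first payment of a recurring series"
    if tx.amount > LOW_VALUE_LIMIT:
        _reset(state)
        return True, "amount above per-payment limit"
    # Low-value path: count this payment, then check the two exemption limits.
    state.low_value_count += 1
    state.cumulative_value += tx.amount
    if state.low_value_count >= MAX_UNCHALLENGED:
        _reset(state)
        return True, "fifth consecutive low-value payment"
    if state.cumulative_value > CUMULATIVE_LIMIT:
        _reset(state)
        return True, "combined low-value spend above cumulative limit"
    return False, "low-value exemption"


def run_sequence(amounts) -> list:
    """Feed a constructed sequence of customer-initiated card payments on a fresh
    card through decide() and return the SCA decision for each."""
    state = CardholderState()
    return [decide(Transaction(Decimal(a)), state)[0] for a in amounts]


if __name__ == "__main__":
    # Constructed sample: five GBP 10 payments; only the fifth is challenged.
    for amount, challenged in zip(["10"] * 5, run_sequence(["10"] * 5)):
        print(f"GBP {amount}: {'SCA required' if challenged else 'exempt'}")
```

The point worth noticing is that the counters live with the issuer, not the merchant: the merchant submits the payment, and whether a challenge follows depends on state it cannot see, which is exactly why the article stresses that the merchant "no longer has a say".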
What does SCA under PSD2 mean for everyday banking?
SCA aims to harmonise user protections and reduce fraud - which is a good thing for us as consumers and employees, but also for banks and merchants too. Sellers might also switch to banks that have lower fraud rates, so as to minimise the need for MFA and reduce payments friction. This might lead banks to be sharper at reducing fraud, which is, again, a very good outcome for the industry as a whole.