What is strong customer authentication (SCA) under PSD2?
An in-depth look at the EU directive that aims to harmonise online payment protection
Strong Customer Authentication (SCA) represents a new effort by the European Union (EU) to standardise the level of security offered to financial services customers across all member states and as a result boost competition between competing banks.
The mechanism, which came into force on 14 September 2019, forms part of the EU's Second Payment Services Directive (PSD2), and it will be enforced by regulators over the course of 2020 and 2021. The regulation will require businesses offering payment services within the European Economic Area (EEA) to deploy additional security measures on payments on more than £30.
This chiefly arises as variants of multifactor authentication (MFA) on electronic transfers. Natwest, for example, has announced plans to use behavioural biometrics - technology that analyses the unique ways a customer interacts with their device - for the authentication of online payments,
After this date, all 'customer-initiated' transfers, such as single card payments and bank transfers, will be subject to SCA safeguards. Those payments considered to be initiated by merchants, such as a direct debit, will sit outside this directive and will continue to operate as they do today.
The aim is to reduce the number of fraudulent payments by forcing users to confirm their identity using another verification method such as a PIN number or biometric data - something only the customer will be able to produce on request. Customers who access their online bank account, send online payments, or engage in a remote channel that could carry a risk of fraud, will be subject to SCA.
The changes also mean that, as of later this month, any qualifying payments that have not gone through additional layers of protection will likely be rejected by a bank.
The rise of tech in banking
There's been an explosion of people in the UK using mobile devices to access financial services and make payments in the last few years. This feeds into a wider trend that has also seen the use of cash fall dramatically, with debit card payments eclipsing cash transactions for the first time in 2017.
According to the British Retail Consortium, card payments account for more than three-quarters of all retail sales last year, and further research predicts that cash will account for just 9% of purchases from 2028.
Modern card transactions are already covered by something of an equivalent to SCA through the Chip and Pin mechanism, but this has yet to extend to online payments.
There has also been a growth in digital banks like Monzo, which don't have any physical branches and instead run exclusively online. Approximately one in ten in the UK are estimated to have an account with a digital-only bank, with a quarter of the population projected to have one by 2023.
Keeping money safe
Paying with cash means it's easy to prove the money belongs to us; given we hand this over physically. But digital payments makes things complicated by making payments more abstract, and it's a little more difficult to tether the payment to either party without a physical transaction being made.
It isn't surprising that while new methods of payment are more convenient than legacy methods, they have also led to an explosion of fraud. Losses on cards issued in the UK exceeded 671 million in 2018, according to UK Finance, which represented a 19% increase on the previous year.
SCA, a key aspect of PSD2, has been designed with this in mind and looks to dramatically reduce the volume of fraudulent payments. The directive itself covers a wide scope around payments and will make key changes in the way digital transactions occur. One key thing to point out is that it's expected to apply in the UK regardless of the outcome of Brexit, principally because the biggest financial institutions will want to remain aligned with customers across the continent.
The biggest change SCA will introduce is a requirement for MFA to be used for any payment over £30. This second factor for verification will demand two out of three different types of authentication to be used for every payment; a PIN number combined with something we would have physical access to like a credit card or mobile phone - or even biometric data, like a fingerprint scan.
Don't we already have this in place?
MFA, currently, exists in the form of 3D Secure (3DS), used mainly for credit card transactions, but is only deployed in cases where there's an obvious risk of fraud. When making online purchases, for instance, a second action window may open and ask for further details. This can often be frustrating when in-browser and while browsing on a mobile device due to poor configuration. A revised version allows for biometrics (fingerprint or face), which is more amenable to phone users.
3DS also offers the ability for the seller to opt-out of the second verification factor, making transactions smoother, but reducing the security element and potentially putting buyers at risk.
PSD2 abides by a different set of regulations, with transactions under 30 passing without the SCA's MFA requirement, but beyond that, the rules dictate there will be a mandatory request for another form of verification.
The likelihood of a second factor being needed is based on the fraud rate of the acquiring bank and the issuer. The less fraud a bank experiences, the more you can spend before a second factor is required. Crucially, the merchant no longer has a say in whether they require MFA from their users or not. Moreover, every fifth transaction below that £30 threshold will be challenged, as well as when the combined value of transactions exceed £100.
How to secure payments under SCA
An updated version of 3DS, dubbed 3D Secure 2 (3DS 2), arrived in 2019. This newer standard aims to reduce some of the added frictions that MFA could bring without compromising on necessary security.
3DS 2 functions by allowing more information to be sent from a provider to the customer's bank. This may include details specific to the payment, like the shipping address, as well as drawing on contextual information like device data, transaction history, server information, and even the time zone. All these details feed into a risk assessment run by the customer's bank as part to determine whether additional authentication checks are needed.
By default, any payment process that already uses MFA will be compliant under the SCA directive, like the swathe of digital banks that require biometric verification, or services like Apple Pay.
There are a host of exemptions to the SCA directive, however. For services that rely on recurring payments or subscriptions, MFA will only be needed on the first customer-initiated payment.
It's important to remember that the cardholder's bank decides whether MFA is required and whether an exemption from SCA is valid.
What does this mean for everyday banking?
SCA aims to harmonise user protections and reduce fraud - which is a good thing for us as consumers and employees, but also for banks and merchants too. Sellers might also switch to banks that have lower fraud rates, so as to minimise the need for MFA and reduce payments friction. This might lead banks to be sharper at reducing fraud, which is, again, a very good outcome for the industry as a whole.
The complete guide to changing your phone system provider
Optimise your phone system for better business resultsDownload now
Simplify cluster security at scale
Centralised secrets management across hybrid, multi-cloud environmentsDownload now
The endpoint as a key element of your security infrastructure
Threats to endpoints in a world of remote workingDownload now
2021 state of IT asset management report
The role of IT asset management for maximising technology investmentsDownload now