What is strong customer authentication (SCA) under PSD2?
A look at the upcoming EU directive that aims to harmonise online payment protection
Strong Customer Authentication (SCA) represents a new effort by the European Union (EU) to standardise the level of security offered to financial services customers across all member states and as a result boost competition between competing banks.
The mechanism forms part of an upcoming EU directive, the Second Payment Services Directive (PSD2), which is set to come into force on 14 September 2019. This directive will demand that businesses offering payment services within the European Economic Area (EEA) would have to deploy additional security measures on payments on more than 30. This chiefly arises as variants of multifactor authentication (MFA) on electronic transfers.
After this date, all 'customer-initiated' transfers, such as single card payments and bank transfers, will be subject to SCA safeguards. Those payments considered to be initiated by merchants, such as a direct debit, will sit outside this directive and will continue to operate as they do today.
The aim is to reduce the number of fraudulent payments by forcing users to confirm their identity using another verification method, namely a PIN number or biometric data - something only the customer will be able to produce on request. Customers who access their online bank account, send online payments, or engage in a remote channel that could carry a risk of fraud, will be subject to SCA.
The changes also mean that, as of later this month, any qualifying payments that have not gone through additional layers of protection will likely be rejected by a bank.
The rise of tech in banking
There's been an explosion of people in the UK using mobile devices to access financial services and make payments in the last few years. This feeds into a wider trend that has also seen the use of cash fall dramatically, with debit card payments eclipsing cash transactions for the first time in 2017.
According to the British Retail Consortium, meanwhile, card payments account for more than three-quarters of all retail sales last year. Modern card transactions are already covered by something of an equivalent to SCA through the Chip and Pin mechanism, but this has yet to extend to online payments.
There has also been a growth in digital banks like Monzo, which don't have any physical branches and instead run exclusively online. Approximately one in ten in the UK are estimated to have an account with a digital-only bank, with a quarter of the population projected to have one by 2023.
Keeping money safe
Paying with cash means it's easy to prove the money belongs to us; given we hand this over physically. But digital payments makes things complicated by making payments more abstract, and it's a little more difficult to tether the payment to either party without a physical transaction being made.
It isn't surprising that while new methods of payment are more convenient than legacy methods, they have also led to an explosion of fraud. Losses on cards issued in the UK exceeded 671 million last year, according to UK Finance, which represented a 19% increase on the previous year.
SCA, a key plank of PSD2, has been designed to combat this very trend, and dramatically reduce the volume of fraudulent payments. The directive itself covers a wide scope around payments and will make key changes in the way digital transactions occur. One key thing to point out is that it's expected to apply in the UK regardless of the outcome of Brexit, principally because the biggest financial institutions will want to remain aligned with customers across the continent.
The biggest change rendered when SCA is introduced from 14 September will be the need for MFA when making payments above the 30 threshold. This second factor for verification will demand two out of three different types of authentication to be used for every payment. This could include a piece of knowledge like a PIN number combined with something we would have physical access to like a credit card or mobile phone - or even biometric data, like a fingerprint scan.
Don't we already have this in place?
MFA, currently, exists in the form of 3D Secure (3DS), used mainly for credit card transactions, but is only deployed in cases where there's an obvious risk of fraud. When making online purchases, for instance, a second action window may open and ask for further details. This can often be frustrating when in-browser and while browsing on a mobile device due to poor configuration. A revised version allows for biometrics (fingerprint or face), which is more amenable to phone users.
3DS also offers the ability for the seller to opt-out of the second verification factor, making transactions smoother, but reducing the security element and potentially putting buyers at risk.
PSD2 abides by a different set of regulations, with transactions under 30 passing without the SCA's MFA requirement, but beyond that, the rules dictate there will be a mandatory request for another form of verification.
The likelihood of a second factor being needed is based on the fraud rate of the acquiring bank and the issuer. The less fraud a bank experiences, the more you can spend before a second factor is required. Crucially, the merchant no longer has a say in whether they require MFA from their users or not. Moreover, every fifth transaction below that 30 threshold will be challenged, as well as when the combined value of transactions exceed 100.
How to secure payments under SCA
An updated version of 3DS, dubbed 3D Secure 2 (3DS 2), is set to roll out this year to coincide for the SCA coming into force. The newer standard aims to reduce some of the added frictions that MFA could bring without compromising on necessary security.
3DS 2 functions by allowing more information to be sent from a provider to the customer's bank. This may include details specific to the payment, like the shipping address, as well as drawing on contextual information like device data, transaction history, server information, and even the time zone. All these details feed into a risk assessment run by the customer's bank as part to determine whether additional authentication checks are needed.
By default, any payment process that already uses MFA will be compliant under the SCA directive, like the swathe of digital banks that require biometric verification, or services like Apple Pay.
There are a host of exemptions to the SCA directive, however. For services that rely on recurring payments or subscriptions, MFA will only be needed on the first customer-initiated payment.
It's important to remember that the cardholder's bank decides whether MFA is required, and whether an exemption from SCA is valid.
What does this mean for everyday banking?
SCA aims to harmonise user protections and reduce fraud - which has to be good for both us as consumers and employees, but for banks and merchants too. Sellers might also switch to banks that have lower fraud rates, so as to minimise the need for MFA and reduce payments friction. This might lead banks to be sharper at reducing fraud, which is, again, a very good outcome for the industry as a whole.