What is Strong Customer Authentication (SCA) under PSD2?
An in-depth look at the EU directive that aims to harmonise online payment protection
Strong Customer Authentication (SCA) is a mechanism introduced by the European Union (EU) requiring financial services companies in the European Economic Area (EEA) to employ additional security measures on customer payments of more than £30.
SCA forms part of the EU’s Second Payment Services Directive (PSD2) and came into force on 14 September 2019. The measure, now being actively enforced by regulators, was implemented to ensure financial services are embedded with adequate and standardised levels of security. It guarantees that customers are protected, regardless of which company they bank with, and that all financial services firms adhere to the same standards.
This additional layer of security comes in the form of multifactor authentication (MFA) when making transfers online, although banks can use a variety of derivatives of this technology at their discretion. NatWest, for example, announced in 2020 that it would replace passwords with behavioural biometrics to comply with SCA. This technology analyses how a customer interacts with their device when making a purchase, and then uses this to confirm the identity of the payee and ensure the cardholder is authorising the payment.
From 14 March 2020, the UK’s Financial Conduct Authority (FCA) began enforcing SCA under PSD2 for online and mobile banking. COVID-19 forced the deadline for enforcement to be extended, with all e-commerce transactions subject to the regulation from 14 March 2022. Direct debit payments and other transactions initiated by merchants and vendors aren’t subject to the regulation and will continue as they previously have done.
Implementing and enforcing SCA under PSD2 aims to reduce the levels of fraud by forcing users to confirm their identity using more than one method, such as a PIN code or through biometric information. All customers who access their bank accounts online, send money through the internet or engage in any activity that might be subject to a risk of fraud will be subject to SCA. The changes also mean that any payments that don’t go through these additional security requirements are likely to be rejected.
What need is there for SCA under PSD2?
There's been an explosion of people in the UK using mobile devices to access financial services and make payments in the last few years. This feeds into a wider trend that has also seen the use of cash fall dramatically, with debit card payments eclipsing cash transactions for the first time in 2017.
According to the British Retail Consortium, card payments accounted for more than three-quarters of all retail sales last year, and further research predicts that cash will account for just 9% of purchases from 2028.
Modern card transactions are already covered by something equivalent to SCA through the Chip and PIN mechanism, but this has yet to extend to online payments.
There has also been a growth in digital banks like Monzo, which don't have any physical branches and instead run exclusively online. Approximately one in ten in the UK are estimated to have an account with a digital-only bank, with a quarter of the population projected to have one by 2023.
How does this regulation keep money safe?
Paying with cash makes it easy to prove the money belongs to us, given that we hand it over physically. Digital payments complicate things by making the payment more abstract: without a physical exchange, it is a little harder to tie the payment to either party.
It isn't surprising that while new methods of payment are more convenient than legacy methods, they have also led to an explosion of fraud. Losses on cards issued in the UK exceeded £671 million in 2018, according to UK Finance, which represented a 19% increase on the previous year.
SCA, a key aspect of PSD2, has been designed with this in mind and looks to dramatically reduce the volume of fraudulent payments. The directive itself covers a wide scope around payments and will make key changes in the way digital transactions occur. One key thing to point out is that it's expected to apply in the UK regardless of the outcome of Brexit, principally because the biggest financial institutions will want to remain aligned with customers across the continent.
The biggest change SCA will introduce is a requirement for MFA to be used for any payment over £30. This second factor for verification will demand that two out of three different types of authentication are used for every payment: something the customer knows, such as a PIN, combined with something they physically hold, such as a credit card or mobile phone, or something they are, such as a fingerprint scan.
Don't we already have MFA for banking in place?
MFA currently exists in the form of 3D Secure (3DS), used mainly for credit card transactions, but it is only deployed in cases where there's an obvious risk of fraud. When making online purchases, for instance, a second window may open and ask for further details. This can often be frustrating, both in the browser and on a mobile device, because of poor configuration. A revised version allows for biometrics (fingerprint or face), which is more amenable to phone users.
3DS also allows the seller to opt out of the second verification factor, making transactions smoother but reducing the security element and potentially putting buyers at risk.
PSD2 follows a different set of rules: transactions under £30 pass without the SCA's MFA requirement, but beyond that the rules dictate a mandatory request for another form of verification.
The likelihood of a second factor being needed is based on the fraud rate of the acquiring bank and the issuer. The less fraud a bank experiences, the more you can spend before a second factor is required. Crucially, the merchant no longer has a say in whether they require MFA from their users or not. Moreover, every fifth transaction below that £30 threshold will be challenged, as well as when the combined value of transactions exceeds £100.
How to secure payments under SCA
An updated version of 3DS, dubbed 3D Secure 2 (3DS 2), arrived in 2019. This newer standard aims to reduce some of the added friction that MFA could bring without compromising on necessary security.
3DS 2 functions by allowing more information to be sent from a provider to the customer's bank. This may include details specific to the payment, like the shipping address, as well as contextual information like device data, transaction history, server information, and even the time zone. All these details feed into a risk assessment run by the customer's bank to determine whether additional authentication checks are needed.
By default, any payment process that already uses MFA will be compliant under the SCA directive, like the swathe of digital banks that require biometric verification, or services like Apple Pay.
There are a host of exemptions to the SCA directive, however. For services that rely on recurring payments or subscriptions, MFA will only be needed on the first customer-initiated payment.
It's important to remember that the cardholder's bank decides whether MFA is required and whether an exemption from SCA is valid.
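To make the threshold and exemption logic above concrete, here is an added Python example (not from the article, and not any bank's or card scheme's implementation) that applies the rules as the article states them: MFA for any payment over £30, a challenge on every fifth low-value payment or once unchallenged low-value payments exceed £100 in total, MFA only on the first customer-initiated payment of a recurring series, and merchant-initiated payments out of scope. The per-card state structure, the function names and the decision to reset the counters after every challenge are assumptions; a real issuer layers its own risk analysis on top.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Thresholds as the article describes them (assumed to be in GBP).
LOW_VALUE_LIMIT = Decimal("30")    # any payment above this always needs MFA
CUMULATIVE_LIMIT = Decimal("100")  # running total of unchallenged low-value payments
COUNT_LIMIT = 5                    # every fifth low-value payment is challenged


@dataclass
class CardholderState:
    """Per-card counters the issuer keeps between SCA challenges (assumed model)."""
    unchallenged_count: int = 0
    unchallenged_total: Decimal = Decimal("0")
    recurring_authorised: set = field(default_factory=set)  # mandate ids already SCA'd


def _reset(state: CardholderState) -> None:
    """A completed challenge starts the low-value counters again."""
    state.unchallenged_count = 0
    state.unchallenged_total = Decimal("0")


def needs_sca(state, amount, *, merchant_initiated=False, mandate_id=None):
    """Return (challenge_required, reason) for one transaction and update state.

    The final decision always rests with the cardholder's bank; this only
    encodes the published thresholds, not the 3DS 2 risk assessment.
    """
    amount = Decimal(amount)
    if merchant_initiated:
        # Direct debits and other merchant-initiated payments are out of scope.
        return False, "merchant-initiated: out of scope"
    if mandate_id is not None:
        # Recurring payments: MFA only on the first customer-initiated payment.
        if mandate_id in state.recurring_authorised:
            return False, "recurring: mandate already authenticated"
        state.recurring_authorised.add(mandate_id)
        _reset(state)
        return True, "recurring: first payment"
    if amount > LOW_VALUE_LIMIT:
        _reset(state)
        return True, "above low-value limit"
    state.unchallenged_count += 1
    state.unchallenged_total += amount
    if state.unchallenged_count >= COUNT_LIMIT:
        _reset(state)
        return True, "fifth low-value payment"
    if state.unchallenged_total > CUMULATIVE_LIMIT:
        _reset(state)
        return True, "cumulative limit exceeded"
    return False, "low-value exemption"
```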
What does SCA under PSD2 mean for everyday banking?
SCA aims to harmonise user protections and reduce fraud - which is a good thing for us as consumers and employees, but also for banks and merchants too. Sellers might also switch to banks that have lower fraud rates, so as to minimise the need for MFA and reduce payments friction. This might lead banks to be sharper at reducing fraud, which is, again, a very good outcome for the industry as a whole.