The introduction of strong customer authentication (SCA, for short) is mandatory under the revised Payment Services Directive (PSD2) in Europe. SCA is meant to strengthen security for online payments. Under the directive, banks are required to use this form of authentication (i.e. two-factor authentication) for users making payments with their credit cards or through their bank apps. It is already common throughout the EU, but many of us still do not know what these things are and how they work.
First things first – what exactly is PSD2 and how does it work?
PSD2 was created by the European Union to establish a single set of rules for payment services within the EU. Its primary aim was to encourage mobile payments through secure, open standards and to prevent the market from stagnating.
The second iteration of the directive aims to make sure that banks are more open to non-bank providers (e.g. FinTech companies). These providers can deliver innovative online financial services to customers without running into entry barriers or other artificial obstacles imposed by monopolies or oligopolies. PSD2 also includes an important rule about strong customer authentication. More about that later.
SCA or strong customer authentication – how to understand it?
What is PSD2 strong customer authentication and why should we care?
You don’t want anyone to have easy access to your financial information or the secret passwords that might allow them to steal your money, do you?
The SCA element of PSD2 strengthens the security of online payments made by credit card, directly from banks or through third-party services. SCA requires users to provide a second form of identification when making payments digitally.
SCA distinguishes three different authentication factors – inherence, possession and knowledge.
Inherence is something the user is (e.g. biometric data such as a fingerprint or face).
Possession means that the user needs to prove they have access to some object or information associated with their identity, such as their registered mobile phone.
Knowledge authentication requires users to provide unique knowledge credentials, such as PIN codes or passwords.
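The three factors above are only useful as a policy if the check enforces that the two elements come from different categories; a password plus a PIN is still a single factor. The following Python is an added example, not code from the article or from any bank or regulator, and the mapping of each credential to a category is assumed for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    """The three SCA categories named in the text."""
    KNOWLEDGE = "knowledge"      # something only the user knows (PIN, password)
    POSSESSION = "possession"    # something only the user has (registered phone)
    INHERENCE = "inherence"      # something the user is (fingerprint, face)


@dataclass(frozen=True)
class Evidence:
    """One authentication element presented for a transaction."""
    label: str          # human-readable name, e.g. "password"
    factor: Factor      # assumed category of this element
    verified: bool      # whether the element itself checked out


def verified_factors(evidence: list[Evidence]) -> set[Factor]:
    """Categories for which at least one element was successfully verified."""
    return {e.factor for e in evidence if e.verified}


def satisfies_sca(evidence: list[Evidence]) -> bool:
    """Two or more verified elements from *different* categories are required.

    Two knowledge elements (password + PIN) do not count: they share a category.
    A failed element contributes nothing, even if its category is distinct.
    """
    return len(verified_factors(evidence)) >= 2


def sca_report(evidence: list[Evidence]) -> str:
    """One-line verdict suitable for an audit log entry."""
    factors = sorted(f.value for f in verified_factors(evidence))
    verdict = "SCA satisfied" if satisfies_sca(evidence) else "SCA NOT satisfied"
    return f"{verdict}: verified categories = {factors or 'none'}"


# Constructed sample attempts for the example (no real users or systems).
PASSWORD_AND_OTP = [Evidence("password", Factor.KNOWLEDGE, True),
                    Evidence("OTP on registered phone", Factor.POSSESSION, True)]
PASSWORD_AND_PIN = [Evidence("password", Factor.KNOWLEDGE, True),
                    Evidence("PIN", Factor.KNOWLEDGE, True)]
FAILED_BIOMETRIC = [Evidence("password", Factor.KNOWLEDGE, True),
                    Evidence("fingerprint", Factor.INHERENCE, False)]

if __name__ == "__main__":
    for attempt in (PASSWORD_AND_OTP, PASSWORD_AND_PIN, FAILED_BIOMETRIC):
        print(sca_report(attempt))
```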
Does SCA really improve digital security?
PSD2 was criticized in its early stages for not requiring two-factor authentication to access the account and for lacking any strong mechanism that could ensure the authenticity of a given request or transaction. Experts called it a security risk and a threat.
The original version of PSD2 only required strong customer authentication when payment services were initiated.
After several months of discussion and negotiations between regulators, banks and lobby groups, PSD2 was equipped with what you could call a compromise – SCA. This measure is required when users access their financial information, transfer money or initiate payment transactions. PSD2 strengthens the security of online payments and helps build people’s trust in digital services, because they are aware of the process and feel in control of the financial operation.
The Security Technical Implementation Guidelines (STIG) and the Strong Customer Authentication (SCA) requirements (Article 98 PSD2) detail exactly how PSD2 is to be implemented in each country and the exact rules that need to be followed. Directive (EU) 2015/2366 ensures PSD2 compliance with regard to security and confidentiality.
PSD2, in essence, does not broaden the scope of its predecessor, the first Payment Services Directive, or create any new regulations. This directive simply provides a legislative framework to allow for standardization and interoperability in an ever-evolving financial marketplace.