Strong Customer Authentication
For many businesses, effective customer authentication procedures are a smart business strategy; you want to know that the person you’re dealing with is who they say they are. When it comes to businesses operating under PSD2 regulations in Europe, Strong Customer Authentication (SCA) will be a requirement as of September 14, 2019. For those entities, it’s not only a smart risk-mitigation strategy, it’s imperative for compliance to research, test, implement and optimize their SCA workflows well before that deadline.
PSD2 is the EU’s Revised Payment Services Directive designed to open up access to customer bank accounts, allowing third-party providers to access customer information via APIs (application program interface). This signifies the dawn of open banking, where a whole new host of financial products and services can be built on top of the existing bank infrastructure and data. The objective of the Directive is to enhance competition, facilitate innovation, protect consumers, increase security and contribute to a single digital EU market.
While PSD2 came into effect January 12, 2018, the specific security measures for SCA and common and secure communication (CSC) had to wait until the passing of the Regulatory Technical Standards (RTS), which occurred on March 13. From then, affected entities have 18 months to ensure that communications with other relevant actors is secure, effective and meets the RTS.
SCA comes into play when electronic payment actions take place such as a payment or an account viewing. There are exceptions, including:
- Low value online or mobile payments (less than €30)
- Contactless card payments (less than €50)
- Unattended transportation payment terminals
- Online transaction with trusted party
- Corporate payments
These exceptions have specific number of transaction/ total value thresholds defined to avoid the use of multiple transactions to bypass the intent of the Directive.
There’s also the concept of ‘frictionless flow’, wherein merchants can request certain transactions not require SCA. This is dependent on the value of the transaction and the fraud rate of the acquirer; for example, if the acquirer’s fraud rate is less than 0.01% transactions up to €500 can qualify (although there are threshold limits).
With SCA, the customer’s identity has to be verified, using at least two of the following independent elements:
- Knowledge (something only the user knows, e.g. password or PIN)
- Possession (something only the user possesses, e.g. mobile phone or ID card)
- Inherence (something the user is, e.g. fingerprint or facial recognition)
The SCA has very strict rules about securing this information, the exact nature of acceptable data for each item, and the independence of each information item.
When the transaction is remote, such as a mobile or online payment, an additional security element is required. This security element is a dynamically generated, authentication code that connects the transaction to the amount and payee. The RTS recommends using “solutions such as generating and validating one-time passwords, digital signatures or other cryptographically underpinned validity assertions using keys or cryptographic material stored in the authentication elements, as long as the security requirements are fulfilled.”
As SCA is about protecting transactions and money, security is a primary concern. In one survey regarding SCA, 44 percent said they would switch banks if their current bank experienced a security breach. While people expect security, they have come to love the ease and convenience of remote transactions. Identity verification needs to be simultaneously secure and seamless.
According to a PYMNTS article about PSD2, general counsel at Ethoca Corey Levin says there are significant industry concerns with PSD2 and SCA. The article goes on to say that multifactor authentication does introduce new frictions that could make purchasing goods online less desirable.
One technology that promises to smooth the way for SCA is Mobile ID. By simply having their phone — which is de rigueur these days — consumers have already met the possession requirement.
The consumer could then enter an account password and satisfy the knowledge requirement and meet the SCA standard of two independent identity elements. Or, consumers could use a biometric to satisfy the inherence requirement and therefore meet the SCA standard that way. Consumer acceptance on fingerprint scanning and other mobile biometric systems is high as they appreciate the ease and convenience.
Another method would be through the use a one-time password (OTP) or push notification sent via two-factor authentication (2FA) such as a SMS. Combining this knowledge requirement with a possession requirement, such as authenticating they possess the credit card, is another path to SCA.
Of course, not all consumers have phones or will be comfortable with using biometrics. For these situations, perhaps it’ll come down to possession of ID and answering knowledge-based questions. This system has worked for many years and will continue to work under SCA as long as the authenticity of the ID and strength of questions is strong enough.
While SCA is still over a year away at this point, implementing effective authentication techniques —especially for high-value transactions— is already a smart fraud reduction strategy. Ensuring that transaction and account handling processes are secure, user-friendly and scalable doesn’t need to wait.