Everything You Need to Know About Strong Customer Authentication under PSD2 Guidelines
The European Union introduced new requirements for the authentication of online payments on September 14, 2019, as part of PSD2, the second Payment Services Directive. These requirements are expected to be enforced throughout 2020 and 2021, which means European banks will need to follow SCA under PSD2.
These new requirements are known as SCA (Strong Customer Authentication). If you are new to the topic, you are in the right place: we will discuss everything you need to know about SCA and how these new requirements and PSD2 affect you.
This covers the types of payment they affect, the exemptions that can be used for low-risk transactions, and more.
So, without further ado, let’s jump right into it.
What is PSD2 and why must EU banks comply?
PSD2 is the second iteration of the PSD, an EU directive first introduced in 2007 to regulate payment services and payment service providers.
The introduction of the Payment Services Directive allowed for better pan-European participation and competition in the online payments industry, and it aims to break the banking industry's monopoly on facilitating secure online payments.
While many are concerned about the SCA requirements under PSD2, they need to adapt to SCA under the second iteration of the PSD.
What is SCA?
SCA, or Strong Customer Authentication, is the latest EU regulatory requirement, introduced to reduce fraudulent activity and make online transactions more secure. In order to meet the new SCA requirements and accept payments, you are required to build an additional authentication step into your checkout flow.
The new SCA guidelines require any two of the following three authentication elements:
- Something the user knows – PIN or Password
- Something the user has – Hardware Token or Phone
- Something the user is – Face Recognition or Fingerprint
In other words, Strong Customer Authentication is authentication based on two or more authentication elements, categorised as inherence (something the customer is), possession (something the customer has), and knowledge (something the customer knows).
These elements must be independent of one another, such that a breach of any single element does not compromise the reliability of the others.
These requirements are designed to safeguard the confidentiality of the authentication data.
Financial institutions will start declining payments that require Strong Customer Authentication but do not meet these criteria.
With the payments industry leaning towards online banking and transactions, it has become extremely important to authenticate the user's identity during banking activities and transactions. This will help in:
- Increasing the cardholder confidence in using online banking services
- Complying with the international banking regulations such as PSD2 and even PCI-DSS
- Reducing the potential for online scams and fraud
- Reducing the cost of processing fraudulent and malicious transactions
When is SCA Required?
SCA applies to user-initiated online transactions within the EU. Therefore, all bank transfers and the majority of card payments require Strong Customer Authentication. On the other hand, recurring direct debits are considered vendor-initiated and therefore do not require SCA.
Most importantly, in-person card transactions are not affected by the new SCA regulations, except for contactless payments. In the case of online card transactions, the new SCA regulations apply where both the user's and the vendor's bank are located in the EEA (European Economic Area).
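The two rules above (which transactions need SCA, and what counts as two independent elements) are the kind of policy a payment service provider's authorisation logic has to encode. The following is an added illustration written for this article, not code from any bank, PSP or the PSD2 text itself: the `Transaction` fields, the element names such as `phone_otp`, and the `authorise` outcome strings are my own assumptions, chosen only to make the article's rules testable.

```python
"""
Added example: an SCA policy check that (1) decides whether a transaction
falls under the SCA requirement as the article describes it, and (2) verifies
that the presented authentication elements cover two distinct categories.
All field names, element names and outcome strings are assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "knowledge"    # something the customer knows (PIN, password)
    POSSESSION = "possession"  # something the customer has (hardware token, phone)
    INHERENCE = "inherence"    # something the customer is (face, fingerprint)


# Assumed labels for authentication elements, mapped to their SCA category.
ELEMENT_CATEGORY = {
    "password": Category.KNOWLEDGE,
    "pin": Category.KNOWLEDGE,
    "hardware_token": Category.POSSESSION,
    "phone_otp": Category.POSSESSION,
    "fingerprint": Category.INHERENCE,
    "face": Category.INHERENCE,
}


@dataclass(frozen=True)
class Transaction:
    channel: str          # "online", "in_person" or "contactless" (assumed values)
    instrument: str       # "card", "credit_transfer" or "direct_debit"
    initiated_by: str     # "payer" or "payee"; recurring direct debits are payee-initiated
    payer_psp_in_eea: bool
    payee_psp_in_eea: bool


def sca_required(txn: Transaction) -> bool:
    """True when the article's rules put this transaction in scope of SCA."""
    # Recurring direct debits are vendor-initiated, so they are out of scope.
    if txn.instrument == "direct_debit" or txn.initiated_by != "payer":
        return False
    # In-person card transactions are not affected, except contactless ones.
    if txn.channel == "in_person":
        return False
    # SCA applies only when both the payer's and the payee's bank are in the EEA.
    if not (txn.payer_psp_in_eea and txn.payee_psp_in_eea):
        return False
    return True


def satisfies_sca(elements) -> bool:
    """True when the elements span at least two distinct categories.

    Two elements from the same category (for example PIN + password) are a
    single factor under SCA and therefore do not satisfy the requirement.
    """
    categories = set()
    for name in elements:
        if name not in ELEMENT_CATEGORY:
            raise ValueError(f"unknown authentication element: {name}")
        categories.add(ELEMENT_CATEGORY[name])
    return len(categories) >= 2


def authorise(txn: Transaction, elements) -> str:
    """Approve out-of-scope transactions as-is; otherwise require two factors."""
    if not sca_required(txn):
        return "approve"
    return "approve" if satisfies_sca(elements) else "decline"


if __name__ == "__main__":
    # Constructed sample: an online card payment with both banks in the EEA.
    txn = Transaction("online", "card", "payer", True, True)
    print(authorise(txn, ["pin", "fingerprint"]))  # approve (knowledge + inherence)
    print(authorise(txn, ["pin", "password"]))     # decline (both knowledge)
```

Note that `satisfies_sca` only checks category distinctness; the article's separate requirement that the elements be independent (a breach of one not compromising the others) is a property of how the elements are delivered and stored, and cannot be verified from element names alone.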
Authenticating a Payment
At present, the most trusted and commonly used authentication system for online card transactions is 3D Secure PIN. This authentication system is supported by the majority of cards in Europe.
3D Secure PIN provides extra protection by adding a step after the checkout: the user is prompted by their financial institution to provide additional information to complete the transaction. This may be a 6-digit code sent to their phone or even fingerprint authentication.
Introduction to 3D Secure 2
3D Secure 2 is the latest version of the authentication protocol, designed to support Strong Customer Authentication using Multi-Factor Authentication (MFA). Together, PSD2 and 3D Secure 2 can ensure secure and safe online transactions.
MFA methods include biometric authentication such as facial recognition and fingerprints, as well as OTPs and QR codes. With PSD2, financial institutions and banks will have to comply with the latest SCA regulations.
The new version brings a better user experience that ultimately minimises the friction caused by the authentication process during the checkout flow.
Google Pay and Apple Pay, among other card-based payment methods, already support payment flows with a built-in layer of authentication, such as a password or biometrics.
This is a great way for vendors to offer a seamless checkout experience while abiding by the latest SCA requirements.
With SCA optimisation, you can take advantage of the SCA exemptions to deliver a positive checkout experience.