What is Strong Customer Authentication (SCA) under PSD2?


Strong Customer Authentication (SCA) is a requirement introduced by the European Union (EU) obliging payment service providers in the European Economic Area (EEA) to verify a customer's identity with at least two independent authentication factors whenever the customer accesses an account online or initiates an electronic payment. Low-value payments of €30 or less (£30 under the UK's onshored rules) can be exempted, subject to the limits described later in this article.

SCA, which is mandated by the EU's Second Payment Services Directive (PSD2) and detailed in its accompanying Regulatory Technical Standards (RTS), originally came into force on 14 September 2019 with a fairly limited scope, only to be steadily extended over the following years. The goal of the directive is to increase the cyber resilience of financial services, forcing them to adopt standardised security practices and tools and to ensure customers receive the same degree of protection regardless of where they choose to do their banking or which services they use for e-commerce.

The directive requires payment service providers to adopt additional layers of security for online transfers, mainly in the form of multifactor authentication (MFA): two or more independent factors drawn from something the customer knows (a password or PIN), something they possess (a phone or card) and something they are (a biometric). Companies can adopt derivatives of these technologies provided they offer robust protection. For example, providers are allowed to deploy behavioural biometrics, as is the case with NatWest, which analyses how customers typically interact with their devices when making purchases and uses this data to help confirm their identity.

The Financial Conduct Authority (FCA) started to enforce SCA in the UK from 14 March 2020, although this initially only covered online and mobile banking. It wouldn't be until 14 March 2022, once the effects of the pandemic had subsided, that the full scope of the directive would come into force, covering e-commerce transactions for the first time. This was originally due to happen on 14 September 2021.

Direct debit payments, and similar transactions initiated by merchants and vendors rather than by the payer, do not fall under the scope of SCA and are otherwise unaffected; the same is true of mail-order and telephone-order payments, which are not electronic payments in the directive's sense.


It's hoped that the SCA changes around additional layers of security will significantly reduce instances of fraud, mainly by forcing users to confirm their identity through a variety of verification checks, whether that be token-based, biometric, or an equivalent technology. Fundamentally, any customer who buys goods online, sends money over the Internet, accesses their bank account online, or otherwise engages in an activity likely to create a risk of fraud, should be protected under SCA.

The upshot is that if a merchant or its payment provider has failed to introduce these additional layers of security, the customer's bank is likely to reject the transaction.

What need is there for SCA under PSD2?

There's been an explosion of people in the UK using mobile devices to access financial services and make payments in the last few years. This feeds into a wider trend that has also seen the use of cash fall dramatically, with debit card payments eclipsing cash transactions for the first time in 2017.

According to the British Retail Consortium, card payments accounted for more than three-quarters of all retail sales in the previous year, and further research predicts that cash will account for just 9% of purchases by 2028.

In-person card transactions are already covered by something equivalent to SCA through the Chip and PIN mechanism (possession of the card plus knowledge of the PIN), but until now this has not extended to online, card-not-present payments.

There has also been a growth in digital banks like Monzo, which don't have any physical branches and instead run exclusively online. Approximately one in ten in the UK are estimated to have an account with a digital-only bank, with a quarter of the population projected to have one by 2023.

How does this regulation keep money safe?

Using banknotes has always been straightforward, from a verification point of view, given we physically hand these over to merchants or service providers when paying for goods and services. The digitising of cash has added complexity to this process, however, and it’s becoming harder to ascertain the legitimacy of payments when they’re increasingly being made over the internet.

Although digital payments are much easier for many consumers than traditional forms of payment, the level of fraud has also risen substantially. According to UK Finance, losses on UK bank cards exceeded £671 million in 2018, a 19% increase on 2017.

This regulation specifically aims to address the rising spectre of fraud, with SCA under PSD2 affecting many aspects of digital payments and transactions as it comes into force across the whole payments industry. The rules also apply in the UK regardless of Brexit: PSD2 was written into UK law through the Payment Services Regulations 2017 and the SCA rules were retained and enforced by the FCA after the UK left the EU, not least because the country's biggest financial institutions have sought to remain aligned with the EU market for fear of losing business.

SCA introduces the need for MFA on electronic payments, with only payments of £30 or less eligible for the low-value exemption; the second factor is used to verify that the genuine payer, and not just someone holding the card details, is behind the transaction. This is perhaps the most significant change in the regulation. The process can entail a PIN being used in combination with a mobile phone or card, but verification could equally come in the form of something like a fingerprint scan.

Don't we already have MFA for banking in place?

MFA for online card payments currently exists in the form of 3D Secure (3DS), used for card-not-present transactions, but in its original version it is typically invoked only where the merchant or issuer perceives an obvious risk of fraud. When making online purchases, for instance, a second window may open and ask for further details. This can often be frustrating in the browser, and especially on a mobile device, due to poor configuration. A revised version allows for biometrics (fingerprint or face), which is more amenable to phone users.

The original 3DS also allows the seller to opt out of the second verification step entirely, making transactions smoother but removing the security benefit and potentially putting buyers at risk.

Under PSD2 the rules are different: payments of £30 or less may pass without SCA's MFA requirement under the low-value exemption, but beyond that the rules dictate that another form of verification is mandatory unless a specific exemption applies.

The main such exemption is transaction risk analysis (TRA): whether a second factor is needed depends on the fraud rate of the payment service provider applying the exemption, either the acquiring bank or the issuer. The less fraud a provider experiences, the higher the amount a customer can spend before a second factor is required. Crucially, the merchant no longer has the final say in whether its customers face MFA; it can ask its acquirer to request an exemption, but the issuer decides. Moreover, the low-value exemption is capped: once five consecutive payments below the £30 threshold have gone unauthenticated, or once their combined value since the last authentication exceeds £100, the next payment will be challenged.

How to secure payments under SCA

An updated version of 3DS, dubbed 3D Secure 2 (3DS2), began rolling out widely in 2019. This newer standard aims to reduce some of the added friction that MFA could bring without compromising on necessary security.

3DS2 works by allowing more information to be sent from the merchant to the customer's bank. This may include details specific to the payment, such as the shipping address, as well as contextual information like device data, transaction history, server information and even the time zone. All these details feed into a risk assessment run by the customer's bank to determine whether additional authentication checks are needed or whether an exemption can be applied.

In general, any payment process that already authenticates the customer with two independent factors should satisfy SCA, like the swathe of digital banks that require biometric verification in their apps, or services such as Apple Pay, which combine possession of the device with a biometric or passcode.

There are a host of exemptions to the SCA requirement, however, including the low-value and transaction risk analysis exemptions described above, payments to beneficiaries the customer has placed on a trusted list, and transfers between a customer's own accounts. For services that rely on recurring payments or subscriptions, MFA only needs to be applied to the first customer-initiated payment; the subsequent merchant-initiated payments fall outside SCA's scope.

It's important to remember that the cardholder's bank decides whether MFA is required for a given payment and whether a requested exemption from SCA is valid.
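To make the exemption rules above concrete (the £30 and £100 low-value limits and five-payment counter, the transaction risk analysis exemption tied to the provider's fraud rate, and the out-of-scope treatment of merchant-initiated payments), here is an added illustration of the decision shape an issuer's engine would follow for a sequence of payments. This is example code written for this article, not code from any bank, card scheme or the regulation itself. The low-value figures are those quoted above; the TRA bands (ceilings of €100, €250 and €500 against reference fraud rates of 0.13%, 0.06% and 0.01%) are the reference values from the Annex to the PSD2 RTS; the function and field names, and the sample payments, are constructed for the illustration.

```python
from dataclasses import dataclass

# Thresholds quoted in the article (the UK onshored rules use £, the EU RTS uses €).
LOW_VALUE_LIMIT = 30.0        # per-payment ceiling for the low-value exemption
LOW_VALUE_CUMULATIVE = 100.0  # cumulative unauthenticated spend since the last SCA
LOW_VALUE_MAX_COUNT = 5       # consecutive unauthenticated payments since the last SCA

# Transaction risk analysis (TRA) reference bands from the Annex to the PSD2 RTS:
# (exemption ceiling, maximum fraud rate in % for the PSP applying the exemption).
TRA_BANDS = [(500.0, 0.01), (250.0, 0.06), (100.0, 0.13)]


@dataclass
class PayerState:
    """Issuer-held counters for one payer, reset whenever SCA is applied."""
    count_since_sca: int = 0
    amount_since_sca: float = 0.0


@dataclass
class Payment:
    amount: float
    payer_initiated: bool = True   # False for direct debits and other merchant-initiated payments
    first_of_series: bool = False  # first payment of a recurring mandate or subscription


def tra_ceiling(psp_fraud_rate_pct: float) -> float:
    """Largest amount the PSP may exempt under TRA for its fraud rate; 0 if none."""
    for ceiling, max_rate in TRA_BANDS:
        if psp_fraud_rate_pct <= max_rate:
            return ceiling
    return 0.0


def _record_unauthenticated(payer: PayerState, amount: float) -> None:
    """Every payment that passes without SCA counts towards the low-value limits."""
    payer.count_since_sca += 1
    payer.amount_since_sca += amount


def _apply_sca(payer: PayerState) -> None:
    """Applying SCA resets the low-value counters."""
    payer.count_since_sca = 0
    payer.amount_since_sca = 0.0


def decide(payment: Payment, payer: PayerState, psp_fraud_rate_pct: float) -> str:
    """Issuer-side decision for one payment (hypothetical model of the rules above).

    Returns 'out_of_scope', 'exempt_low_value', 'exempt_tra' or 'sca_required'
    and updates the payer's counters accordingly.
    """
    if not payment.payer_initiated:
        return "out_of_scope"  # SCA only covers payer-initiated electronic payments

    if payment.first_of_series:
        # Recurring payments: the first, customer-initiated payment is authenticated;
        # the later merchant-initiated payments are handled by the branch above.
        _apply_sca(payer)
        return "sca_required"

    if (payment.amount <= LOW_VALUE_LIMIT
            and payer.count_since_sca < LOW_VALUE_MAX_COUNT
            and payer.amount_since_sca + payment.amount <= LOW_VALUE_CUMULATIVE):
        _record_unauthenticated(payer, payment.amount)
        return "exempt_low_value"

    if payment.amount <= tra_ceiling(psp_fraud_rate_pct):
        _record_unauthenticated(payer, payment.amount)
        return "exempt_tra"

    _apply_sca(payer)
    return "sca_required"


def run(payments, psp_fraud_rate_pct: float):
    """Decide a sequence of payments for a fresh payer; returns the list of outcomes."""
    payer = PayerState()
    return [decide(p, payer, psp_fraud_rate_pct) for p in payments]


if __name__ == "__main__":
    # Constructed sample: six £20 purchases through a PSP with a 0.5% fraud rate (no TRA).
    # The first five pass under the low-value exemption; the sixth hits the counter.
    for outcome in run([Payment(20.0)] * 6, psp_fraud_rate_pct=0.5):
        print(outcome)
```

The same £45 purchase is challenged at a provider with a 0.5% fraud rate but passes under TRA at one with a 0.10% rate, which is the incentive for merchants to favour low-fraud acquirers discussed below; note that in this model the issuer, not the merchant, runs `decide`.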

What does SCA under PSD2 mean for everyday banking?

SCA aims to harmonise user protections and reduce fraud, which is a good thing not only for consumers but also for banks and merchants.

Sellers might also want to switch to acquirers with lower fraud rates, since the amount that can be exempted under transaction risk analysis depends on that rate, minimising the need for MFA and reducing payment friction. This should in turn push banks to be sharper at reducing fraud, which is, again, a very good outcome for the industry as a whole.

Contributor

Dale Walker is a contributor specialising in cybersecurity, data protection, and IT regulations. He is the former managing editor at ITPro, as well as its sibling sites CloudPro and ChannelPro. He spent a number of years reporting for ITPro from numerous domestic and international events, including those held by IBM, Red Hat and Google, and has been a regular reporter at Microsoft's various yearly showcases, including Ignite.