What is strong customer authentication (SCA)?
Strong Customer Authentication (SCA) is a part the Regulatory Technical Standards (RTS) under the revised PSD2 in European Economic Area (EEA) and will require all online transactions to pass an additional layer of security, completely changing the way how online payments of European customers are handled.
The new regulations should have come into force on 14 September 2019, however, with the approval of the European Banking Authority the final implementation deadline was set for 31 December 2020. While the UK’s regulator Financial Conduct Authority (FCA) delayed the implementation for the 18-month period until March 2021 for online banking, and additionally prolonged the deadline until 14 September 2021 for online shopping.
Impact of strong customer authentication on banks
To protect the customer, PSD 2 requires banks to implement multi-factor authentication for all transactions conducted online via two of the following elements:
- Something customer knows (knowledge): e.g. a PIN, password.
- Something customer has (possession): e.g. card, smartphone.
- Something customer is (inherence): e.g. fingerprint, facial features.
To ensure smooth user experience, PSD 2 requires banks, payment services providers, and electronic money institutions to apply these additional security measures in line with the risk level involved and find the balance between security and user convenience. The Regulatory Technical Standards (RTS) on SCA lists several situations in which payment service providers (PSPs) are not required to perform additional authentication such as low-value payments, repetitive transactions, and transactions to the known beneficiaries.
3-D Secure 2.0 itself can be used to request exemptions from Strong Customer Authentication to avoid low-risk payment authentications. Payments which require SCA will need to go through the so-called “challenge flow”, while exempted payment can be sent through the “frictionless flow” without additional authentication.
Impact of strong customer authentication on third-party providers
Moreover, revised PSD 2 regulates Third-Party Providers (TPP’s) that are granted access or aggregate accounts and initiate payment services. Open banking under PSD2 lowers the barriers for the challenger banks and other fintech companies, as it requires incumbent banks to share their account and transactional details with third parties through APIs.
Open Banking APIs were recognised as the most appropriate way to grant access to third-party providers. These APIs should be developed by banks and implemented by application developers. To provide seamless user experience, banks and financial institutions will also have to work in a joint effort to define a common approach. Industry-led standards and workgroups have started naturally emerging to ensure interoperability and standardisation in the development of such Open Banking APIs. Open banking is expected to improve collaboration between traditional financial institutions and new players in the payments space.
Impact of SCA on average consumers
It is expected that new Strong Customer Authentication regulations will affect over 400 million consumers in Europe alone. 3D Secure 2.0 is anticipated to speed up the process of authentication as it lets the merchants provide much more information to the card issuers. This information comprises of shipping/billing/IP addresses, email, browser data, merchant risk factor indicators, etc. The better and more data shared between merchants and issuers, the better the fraud evaluation and rate of false declines are predicted to be. Authenticating on the previous version of 3D Secure meant typing in a password in a pop-up window which did not work well on mobile devices. The updated version entirely depends on biometric authenticators like a fingerprint, facial recognition, or one-time passwords, which in turn will speed up transactions.
In online banking, consumers are expected to get used to two-factor authentication by the end of 2020. However, at first, it could lead to some frustration, especially for the elder clientele. Mainly because at first customers have to register the smartphones/authentication devices with the bank/payment provider/e-money institution so that they can complete the second security step. By introducing additional steps into the mobile/web application login process, there is a risk of customers just accidentally blocking the access.
In online shopping, even though online sellers are leaning towards neglecting customer authentication to secure high payment acceptance rates, they will not be able to avoid it altogether. If payment is not allowed for an exemption, or if the issuer doesn’t authorise an exemption, then the customer will have to go through the complete process of authentication through 3D Secure. Even though 3D Secure 2.0 underwent enhancement compared to the previous version, there are some indications that it may still cause hardship for average consumers.
How can PSP Lab help you?
If you wish to learn more about Strong Customer Authentication (SCA), implement and comply with the Regulatory Technical Standards (RTS) on SCA you can reach out to us. At PSP Lab we know how to streamline the processes in order to remain compliant while easing the hassle and customer journey.