Strong Customer Authentication is one of the core regulations payment services must abide by under the new European Revised Payment Service Directive, PSD2.
With the rise of open banking and online payments, governments implemented SCA to reduce fraud, to help secure the transaction of digital payments, and to protect consumers across digital channels.
It requires customers to verify their identity before payment transfers can occur online, whether with an institution, financial service, or third-party business.
Authentication provides an extra layer of security for customers and payment service providers alike. Since PSD2 simplified payments systems along electronic channels, it opened up banking platforms into a single market.
To combat the potential fraud found with online services, SCA forces banks to uphold a standard of security by verifying users before any payments are authorized.
You can expect SCA to enter into enforcement throughout 2021. To help you prepare, we will tell you everything you need to know to get SCA compliant, what that means for your business or service, and how you can leverage SCA to your advantage.
What is Strong Customer Authentication?
SCA requires that all banks or financial services collect at least two out of three verification factors:
1. Possession
A unique item that only the user has or owns.
- Phone
- Hardware Token
- Smart Watch
- Smart Card
2. Knowledge
Something that the customer knows, or knowledge only they are privy to.
- Passwords
- PIN Numbers
- Security Questions
- Passphrases
3. Inherence
Something that the customer is and uniquely identifies their physical state.
- Finger Scan
- Voice Recognition
- Facial Recognition
- DNA or Iris Scan
Under SCA regulations, these authentication conditions must integrate within your checkout flow before you can accept or conduct payment transactions for your customers.
If a user does not meet the criteria, your service or bank must decline all initiated payment requests. Of note, the two factors you select as authenticators must come from different categories, so that the compromise of one factor (e.g., a stolen phone) does not compromise the other.
Regulation of Strong Customer Authentication (SCA): Key Laws and Normative Documents
Strong Customer Authentication is a requirement for online European payments when the cardholder’s bank and the business are both located in Europe. SCA compliance applies to online transactions in the European Economic Area, the UK, and Morocco. It requires online customers to complete an extra authentication step at checkout.
SCA and its Role in Reducing Fraud
The implementation of Strong Customer Authentication (SCA) in Europe occurred through PSD2 (Payment Services Directive) to reduce fraud and ensure higher security of online and contactless payments. The European Commission has acknowledged the effectiveness of PSD2 and the introduction of SCA in diminishing fraud.
PSD3/PSR, the updated version of the Payment Services Directive, seeks to enhance SCA. It clarifies core definitions and further defines exemptions for low-risk transactions. It also makes progress in balancing security with creating innovative, user-friendly, and accessible payment tools.
These new rules may also provide the possibility for further exemptions, depending on the risk of a transaction and being in line with technological improvements. Below, you'll see some of the primary clarifications, exemptions, and liability requirements introduced by the third PSD iteration.
Clarifications around the SCA application
MIT: Merchant-initiated transactions (MITs) only require applying SCA at the setup of the mandate. MITs now come with an eight-week unconditional refund right.
MOTO: For Mail Order Telephone Order (MOTO) transactions, only the initiation of the payment transaction must be non-digital for the transaction to be exempt from SCA.
Dynamic Linking: The SCA elements that dynamically link the transaction to a specific amount and payee apply to electronic transactions, including those where the payer places the payment via proximity technology (e.g., near-field communication, NFC) and those where the SCA application requires an Internet connection on the payer’s device.
Account Information Services: For PSPs that provide account information services under open banking, SCA is only necessary for the first data access. However, SCA is also required at least every 180 days when customers access aggregated account data on the service provider’s domain.
Tokenization: Tokenization requires applying SCA if the cardholder actively participates in the tokenization (for example, when enrolling a card in a card-on-file solution).
2FA and SCA exemptions
Transaction Monitoring: The European Banking Authority (EBA) will issue Regulatory Technical Standards for transaction monitoring by payment service providers. That includes environmental and behavioral characteristics (e.g., customer location or spending habits).
SCA Exemptions: The EBA should also develop further Regulatory Technical Standards on SCA requirements and exemptions, considering a risk-based approach and the use of technology.
2FA: The new rules propose that the factors used for two-factor authentication (2FA) under SCA don’t have to belong to different categories if their independence is completely preserved. Therefore, customers can authenticate using two passwords (or a fingerprint and face ID).
Accessibility: PSPs have to offer different ways of executing SCA, such as SMS, that don’t require the possession of a smart device.
Outsourcing and liability requirements
Liability for TSPs: Technical service providers (TSPs) and payment scheme operators are liable if they fail to support the application of SCA. That’s necessary to ensure closer cooperation among all players performing SCA.
Outsourcing: Payment service providers relying on TSPs to provide and verify SCA elements must enter into outsourcing agreements with them. The EBA will set out the requirements for such outsourcing agreements.
Benefits of Using SCA
Having such strict verification methods helps keep customer data safe and secure while meeting all privacy guidelines expected from governing regulators.
Even though SCA creates user-end friction and adds additional complexity to online payment systems, it does present a series of benefits for both the merchant and the customer.
Benefits for the Merchant
1. Reduce The Cost of Inaccurate Processing
SCA ensures that each client is making an active and conscious request when initiating a money transfer. Limiting the overall number of transactions can lower total transfer expenditures, and it also significantly lowers the number of incorrect payment requests.
Considering that reports state that “friendly fraud” could have cost banks $50 billion in 2020, a reduction in accidental transfers is a huge boon.
2. Deter Fraudulent Attempts By Bad Actors
Large digital firms saw an increase of fraudulent attacks by 39.48% in 2020. For every dollar of fraud, financial services pay $3.78 in average costs.
Determining the validity of all users and each transaction is a critical step in the fight against fraudulent bad actors. SCA infrastructure may create upfront overhead, but its ability to protect against illegitimate claims will be good in the long run.
3. Additional compliance with PCI-DSS
SCA coincides with PCI-DSS, regulations that govern the use of credit card data. A large majority of digital payments (i.e. online wallets or contactless purchases) still transfer through credit card company systems, so SCA helps keep you compliant under several required directives.
Benefits for the User
Confidence In Online Services
73% of respondents in an Accenture study stated they would be comfortable sharing personal information if the bank was transparent about how the data would be used. Consumers are willing to engage with financial services electronically if they know they can rely on their service to remain safe and secure. Login credentials and authenticators provide a level of security that boosts user confidence.
Better Protection From Fraud
It is not just banks that pay for fraudulent attacks. Over half of customers surveyed in a KPMG study reported that they recovered less than 25% of their fraud losses.
Client engagement will go down, and as fintech services become ubiquitous, fraudulent scenarios can ruin long-held business-to-customer relationships.
Flexible Authentication Can Lower User Friction
It may seem counterintuitive, but safe logins offer better user experiences than unsecured ones over time. While limits to payment systems always add friction to the UX design of an interface, the long-term results from secure transactions outweigh the cost of longer login times.
Consistent services and secure transactions across multiple payment gateways retain high-priority clients.
How To Implement Strong Customer Authentication
At the moment, the simplest way to create SCA conditions is with 3D Secure or 3D Secure 2.
3D Secure is an authentication standard supported by most European credit card issuers and financial services. It adds an additional step at the point-of-sale processor, such as requiring a fingerprint or facial scan from a smartphone.
Authenticators have moved on beyond the standard password, text and email verifications. Here are some of the newest and strongest authenticators you can utilize when you select your two-factor verifications:
One-Time Passwords
Users can request a randomized password for a single session. One-Time Passwords present a high level of security because each login requires a new, algorithmically generated password string in order to gain access. The continual code updates create additional user friction and require two devices (e.g. a computer and a smartphone) to implement, but particular applications may prefer this newest level of security.
Security Tokens
By incorporating a third-party authenticator, you can store numerous unique passwords in separate "buckets." Each password is accessible by a master password, while the data string remains secured, preventing fraud. Hold a different password for each bucket to protect individual services from a breach, all while creating a generally frictionless user experience.
2FA Apps
Several apps have built authenticators based on the zero trust model (everything is a threat until verified). While secure, this introduces considerable login friction.
For example, two-factor authentication requires validation from your primary network access as well as out-of-band (timed codes delivered to a smartphone) verification to identify the user.
No matter which two conditions you choose, make sure that each of your authenticators is dynamically linked to the transaction. For example, an ATM card transaction only works with the physical card and a PIN used together.
Another commonly linked pair of authenticators is a one-time security code texted to a smartphone to verify a desktop login. At a high level on the back end, dynamic linking sends authentication tokens to both the payment service and the payee; those tokens expire if the transaction does not proceed as planned.
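The following is an added illustration of dynamic linking, not code from the original article or from any PSP product: the authentication code is computed over the exact amount and payee the payer approved, so a tampered amount or a different payee fails verification, and the code expires if the payment does not proceed within the validity window. The shared device key and the five-minute window are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumed shared secret between the issuer's authentication server and the
# payer's enrolled device (constructed sample value, not a real key).
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
CODE_TTL_SECONDS = 300  # assumed validity window; the code expires if the payment stalls


def issue_auth_code(amount_cents: int, payee: str, key: bytes = DEVICE_KEY,
                    now: Optional[float] = None) -> dict:
    """Generate an authentication code dynamically linked to amount and payee.

    The code is an HMAC over the exact amount, the payee identifier, a fresh
    nonce and the issue time, so it is valid for this one transaction only.
    """
    issued_at = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)
    msg = f"{amount_cents}|{payee}|{nonce}|{issued_at}".encode()
    code = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {"amount_cents": amount_cents, "payee": payee, "nonce": nonce,
            "issued_at": issued_at, "code": code}


def verify_auth_code(token: dict, amount_cents: int, payee: str,
                     key: bytes = DEVICE_KEY, now: Optional[float] = None) -> bool:
    """Accept the code only for the amount and payee the payer actually approved."""
    current = now if now is not None else time.time()
    if current - token["issued_at"] > CODE_TTL_SECONDS:
        return False  # stale code: the transaction did not proceed in time
    msg = f"{amount_cents}|{payee}|{token['nonce']}|{token['issued_at']}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison so a mismatch leaks nothing about the expected code.
    return hmac.compare_digest(expected, token["code"])


if __name__ == "__main__":
    token = issue_auth_code(2599, "MERCHANT-123")
    print("same amount and payee:", verify_auth_code(token, 2599, "MERCHANT-123"))
    print("amount changed in transit:", verify_auth_code(token, 9999, "MERCHANT-123"))
```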
Exemptions To SCA
For those worried about the extent of verification rules, you do not need to apply SCA in every instance.
Strong Customer Authentication is only required when the transaction is customer-initiated, which means you can take advantage of several exemptions:
Low-Risk Transactions
Services are allowed to make real-time calculations about the level of risk each transaction has.
If the issuer's Transaction Risk Analysis and Fraud Rate meets a certain threshold compared to the transfer size, the SCA requirement can be waived. Businesses can request an exemption at any time, but the issuer has the right to refuse or grant that exemption.
Low Cost
Transactions that are below 30 Euros qualify for an exemption. This exemption comes with some stipulations — the bank must track the amount and the frequency of payments made.
If a customer makes five consecutive transactions with a combined value of more than 100 Euros, SCA applies. The purpose of the rule is to limit low-value fraudulent transactions carried out at set intervals in the hope of avoiding undue attention.
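As an added example (not from the original article), here is the per-card bookkeeping an issuer needs to apply the low-value exemption described above: a payment above 30 Euros, a sixth consecutive exempt payment, or one that would push the running total past 100 Euros gets SCA, and a successful SCA resets the counters. The exact boundary behaviour (five exempt payments allowed, either limit triggering SCA) is an assumption of this example.

```python
from dataclasses import dataclass

LOW_VALUE_LIMIT_CENTS = 30_00     # per-transaction ceiling from the article (30 Euros)
CUMULATIVE_LIMIT_CENTS = 100_00   # combined value allowed since the last SCA (100 Euros)
MAX_CONSECUTIVE_EXEMPT = 5        # consecutive exempt payments allowed since the last SCA


@dataclass
class CardCounters:
    """Per-card state the issuer must track to grant the low-value exemption."""
    exempt_count: int = 0         # consecutive low-value payments since the last SCA
    exempt_total_cents: int = 0   # their combined value


def sca_required(counters: CardCounters, amount_cents: int) -> bool:
    """Decide whether this remote card payment needs SCA, updating the counters.

    Returns True when the issuer must challenge the payer. Applying SCA resets
    both counters, because a fresh authentication starts a new exemption window.
    """
    over_single = amount_cents > LOW_VALUE_LIMIT_CENTS
    over_count = counters.exempt_count + 1 > MAX_CONSECUTIVE_EXEMPT
    over_total = counters.exempt_total_cents + amount_cents > CUMULATIVE_LIMIT_CENTS
    if over_single or over_count or over_total:
        counters.exempt_count = 0
        counters.exempt_total_cents = 0
        return True
    counters.exempt_count += 1
    counters.exempt_total_cents += amount_cents
    return False


if __name__ == "__main__":
    card = CardCounters()
    # Constructed sample sequence: five 20-Euro payments pass, the sixth is challenged.
    for amount in [20_00] * 5 + [5_00]:
        print(f"{amount / 100:.2f} EUR -> SCA required: {sca_required(card, amount)}")
```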
Recurring Subscriptions
Recurring, subscription, or fixed payments of an exact amount from a consistent vendor only require SCA once. Once the transfer amount fluctuates, each new transaction must include Strong Customer Authentication.
For merchants who employ a sliding scale or adjustable pay periods, you may still be exempt, since merchant-initiated transactions are not regulated under SCA.
Business-to-Business Transactions
Transfers made between two corporations that initiate requests through a secure payment system do not need to apply SCA. For example, a business may have a lodged card or virtual number that employees can use for expense accounts.
These transactions do not require SCA. Additionally, some corporations can assign or “whitelist” other services as trusted beneficiaries. Those who are whitelisted do not need 3D Secure or Strong Customer Authentication for each transaction.
TOP 3 AI-Powered Solutions for Strong Customer Authentication (SCA)
Now that you have all the aspects of Strong Customer Authentication explained, let's see how you can implement it. The first thing you have to do is pick a robust, high-quality tool that meets your needs and business goals. And you might want to opt for AI-powered ones.
Artificial intelligence has now become crucial for Strong Customer Authentication. The AI-powered algorithms analyze and detect suspicious behavior like unusual login locations or multiple account access attempts. That said, this technology has become a powerful security booster regarding SCA.
Below, we'll share the three best AI-powered Strong Customer Authentication solutions you can try and compare to make an informed decision.
BioCatch
The company uses behavioral biometric intelligence to detect and prevent impersonation fraud and protect SCA payments. This approach reduces the possible reimbursement liabilities suggested by the UK's Payment Systems Regulator. It also prepares you for the PSD3 proposals, which consider the SCA exemptions and the insights provided by the PSR.
Thanks to BioCatch's Inherence SCA analytics, it’s possible to incorporate an extra security layer that assesses how users input sensitive information like one-time passwords or passcodes. Thus, you can detect whether it's a typical behavioral pattern or a hacker is attempting an entry.
NuData Security
NuData uses a passive biometrics technology that minimizes the need for further verification, which simplifies the authentication experience.
The AI-powered passive biometrics algorithms integrated into the service build user profiles based on inherent behaviors like the way users hold a device, type a message, or move a mouse. There's no need for any extra end-user action.
Moreover, the technology fulfills the requirement for inherence authentication. Inherent behavior is more challenging for hackers to imitate. Thanks to that, the device detects whether the appropriate person is behind it, so there's no need for extra authentication.
OneSpan
OneSpan utilizes Intelligent Adaptive Authentication that delivers a high level of security for each unique customer interaction. Thus, it provides a better user experience.
This AI-powered technology secures trust in untrusted mobile environments and makes your apps more resistant to hacker attacks. It also integrates leading biometrics and authentication innovations.
OneSpan's server solutions provide all the tools you may need to manage your complete authentication lifecycle. The service simplifies the lifecycle management with automation through policies, rules, workflows, and APIs that ensure full customization.
Conclusion
While Strong Customer Authentication is now required, there is still freedom for each business or financial service to select the verification methods that work best.
Your applications may not require biometric scanning as a login credential — employing that as a verification method will only cause more hassle for users who are trying to access your product (not to mention the undue expense).
The ideal scenario is a combination of linked authenticators that keeps you compliant while maintaining a balance with user experience. For example, Privat Bank implemented a QR-code based authenticator that achieved compliance and also improved customer access.
Some companies only require basic SMS and text two-factor control to stay secure while offering ease of use. Choose the combination that fits your business best, and keep it simple.
If you struggle with deciding between all the verification options available, or if you need more details about how to incorporate SCA, S-PRO can help you integrate a wide range of solutions. Discover the most optimal authenticators for your service, and implement two-factor methods with minimal hassle.
Contact us here for the right Strong Customer Authentication strategy.