11 Jun DIGITAL PAYMENTS AND PSD2: STRONG CUSTOMER AUTHENTICATION BECOMES MANDATORY

Strong Customer Authentication (SCA) is one of the major implications of PSD2, the latest EU Digital Payment Services Directive (2015/2366) which has come into force on 13 January 2018.

Also known as Two Factor Authentication (2FA), SCA consists in the verification of at least two different components to ascertain the identity of a payment service user or the validity of the use of a specific payment tool: factors required for authentication are dynamically combined by linking each transaction to a specific amount and beneficiary, thus certifying its uniqueness.

This is an effective security measure that has become essential in light of the global boom in internet and mobile payments. According to PwC’s Global Economic Crime and Fraud Survey 2018, cybercrime is more than twice as likely than any other fraud to be identified as the most disruptive and serious economic crime expected to impact organisations in the next two years. [1]

Security and user protection are at the core of European regulations on digital payments: the Payment Services Directive (PSD) of 2009, which marked the beginning of a revolution for the banking sector, and its latest revision PSD2. With the latter, a new phase opens up in the evolution of the European payments market, which moves towards a more open and collaborative financial ecosystem.

With Open Banking, secure digital payments become essential to foster a stable and reliable environment for e-commerce, able to support and protect all parties involved.

Here comes the need for Strong Customer Authentication, which will soon have to be implemented by all players involved in the financial and payment processes covered by the PSD2 regulation: the deadline by which these must comply with the Technical Standards (RTS – Regulatory Technical Standards) of the most recent European directive is September 14, 2019.

How does SCA work? When is it applied?

Strong Customer Authentication factors

SCA is based on two or more authentication factors of different types among the following options:

• Knowledge – Something that only the user knows (eg: PIN or password);
• Inherence – Something the user “is” (eg: biometrics, behavioral models, voice recognition);
• Possession – Something that only the user has (for example, a mobile phone or a token).

These elements must be mutually independent (the violation of one must not compromise the reliability of the other) and belong to different categories (it will not be possible to use two inherence elements or only two possession elements).

SCA: when it is required

Strong Customer Authentication (SCA) must be implemented:

•       When customers access their online payment account;
•       When customers make an electronic payment;
•       When customers perform an action remotely which may imply a risk of fraud.

Exemptions to Strong Customer Authentication

Specific types of payment may be exempted from SCA, including:

•       Recurring transactions – same amount, same beneficiary;
•       Low-value transactions – payments not exceeding € 30,00 or cumulative amount not exceeding € 100,00;
•       Whitelisted Beneficiaries– beneficiary included in the whitelist of trusted payees;
•       Transaction Risk Analysis (TRA) – transactions up to € 500,00

It is ultimately the Account Servicing Payment Service Providers (ASPSP) implementing SCA to decide whether or not to apply an exemption.

Two Factor Authentication is key to securing our online accounts and transactions: it is currently the most effective measure when it comes to digital payments.

Identity Verification techniques based on Two Factor Authentication and secure online operations have been essential features of MyBank e-payment solution since its launch.

MyBank e-authorisation processes are based on a SCA architecture and on up-to-date secure web standards and protocols. As an Open Banking pioneer, MyBank has been an early adopter of the Two Factor Authentication.

Conclusions

Strong Customer Authentication is a necessary adoption for all players involved in payment services as it will become mandatory as of 14 September 2019.

An increased application of SCA will certainly enhance consumer protection and tackle the most common causes of cyber security breaches.

Early SCA adopter MyBank offers a fully PSD2 compliant solution and supports a secure digital environment, ensuring stress-free transactions.

[1] https://www.pwc.com/gx/en/forensics/global-economic-crime-and-fraud-survey-2018.pdf