Strong customer authentication (SCA) is a set of requirements introduced under the second Payment Services Directive (PSD2) to strengthen the security of electronic payments and limit fraud. It mandates that electronic payments are authenticated using multi-factor authentication, that is, measures that confirm the identity of the payer.
Banks and payment services providers use authentication to verify your identity. It aims to ensure that the person requesting access to your account, or trying to make a payment, is either you or someone you have authorised.
What elements constitute authentication?
There are three categories of authentication factor. To satisfy SCA, the customer must provide two of the following three when completing a payment, drawn from different categories and independent of one another, so that compromising one factor does not compromise the other:
1. Knowledge — something only the customer knows, for example, a PIN, password, passphrase, or secret answer
2. Possession — something only the customer possesses, such as their mobile phone or smartwatch
3. Inherence — something the customer is, for example, a fingerprint or facial recognition
SCA adds an extra layer of security when customers make a payment online.
It is worth noting that SCA does not apply to every transaction. Where an exemption applies, the issuer may complete the authentication with one factor only, or on the basis of device and transaction data alone.
Why is SCA coming into force?
The aim of SCA is to strengthen the security of online transactions and reduce fraud. The European Central Bank (ECB) recorded a 66% increase in card-not-present fraud between 2011 and 2016, so one of the aims of SCA is to make that kind of fraud harder to commit.
What countries will SCA apply to?
SCA is required where both the merchant's payment services provider and the customer's bank or card issuer are located in the European Economic Area (EEA). If either is located outside the EEA, the EEA-based payment services provider is required to use its 'best efforts' to apply SCA.
In the UK, the Financial Conduct Authority (FCA) has stated clearly that SCA will continue to apply after Brexit, regardless of its timing or outcome, and other European regulators have said the same.
When does SCA come into force?
The original deadline for implementation was 14 September 2019. On 16 October 2019, the European Banking Authority (EBA) extended the deadline until 31 December 2020.
The UK is working to a slightly different timetable. In August 2019 the FCA confirmed that implementation of SCA would be phased over 18 months, and expected to be completed by March 2021.
On 30 April 2020 this deadline was pushed back by a further six months in response to COVID-19, giving a new deadline of September 2021. The FCA has stated that no enforcement action will be taken against businesses until after the new deadline, but that businesses will be required to demonstrate they are making progress towards their new obligations.
Who pays if SCA is ignored?
Payment providers and banks are the ones legally required to enforce SCA, so they are the ones liable for regulatory fines; in extreme cases their licences could be revoked. But businesses that sell online are not off the hook: if they fail to support SCA, issuers will decline more of their transactions, which means lost sales and frustrated customers.
Does SCA apply to all online transactions?
No. There are a number of exemptions. We explain these in this follow-up article.
What’s the best way to become compliant?
The most common way of authenticating online card transactions has been '3D Secure'. Visa created the three-domain secure protocol in 1999 and launched it under the name 'Verified by Visa'; Mastercard followed shortly after with 'Mastercard SecureCode'.
But the original version, 3DS1, is not SCA-compliant on its own: it was designed around a single factor, typically a static password (knowledge) or a one-time code sent to the cardholder's phone (possession), not two independent factors.
3D Secure 2 (3DS2) is a new and improved version. 3DS1 introduced noticeable friction at checkout, causing a relatively high rate of abandonment; 3DS2 promises to minimise this friction and deliver a smoother, faster checkout via a frictionless flow or a biometric prompt.
What does 3DS2 change?
As well as improving the payment experience for customers, 3DS2, developed by EMVCo (American Express, Discover, JCB, Mastercard, UnionPay and Visa), creates one standard across all e-commerce channels, including mobile and in-app, which paves the way for global interoperability and implementations that PSPs can adopt easily.
The main feature improvements of 3DS2 cover one-time passwords (OTP), biometric authentication such as fingerprints or facial recognition, and QR codes for mobile applications. But the real step change is the amount of data available to perform an authentication. The 3DS2 protocol lets the merchant pass more than 100 data points about the device, the customer and the transaction to the payer's card issuer, which uses them to assess the probability that the transaction is genuine. This 'risk-based authentication' lets the issuer approve a low-risk transaction in a frictionless flow, without prompting the payer; under PSD2 that frictionless outcome still has to rest on an exemption, such as low value or transaction risk analysis, rather than on the issuer's confidence alone. Only when a transaction raises an alarm, or no exemption applies, is the payer challenged for a second factor.
How does 3DS2 impact chargebacks?
A transaction that is fully authenticated with 3DS2 shifts liability for fraud-related chargebacks from the merchant to the issuer. That shift is not automatic in every case: when a merchant requests an exemption so that the cardholder skips the challenge, the liability stays with the merchant. 3DS2 therefore also encourages merchants to run their own fraud detection and to accept that liability only where a smoother cardholder experience matters more than the liability shift.
It also offers a layer of protection for both merchants and issuers against the fraudulent use of accounts: for transactions successfully authenticated with 3DS2, the issuer rather than the merchant bears the cost of fraud chargebacks. More importantly, 3DS2 is an opportunity to share more data with issuers so that their risk-based authentication can deliver a better experience at the checkout.