
PSD2: What Is Strong Client Authentication

Boaz Gam, CEO

01.09.2021
Contents:

  • What Are PSD2 and SCA?
  • Who Needs to Be Compliant with SCA?
  • Is Strong Client Authentication Required for All Transactions?
  • How to Comply with SCA Requirements?
  • Which Authentication Methods Are SCA-Compliant?
  • How Payneteasy Can Help You Comply with PSD2 / SCA Requirements

On 14 September 2019, the Strong Customer Authentication (SCA) requirements for online payments entered into force as part of the second Payment Services Directive (PSD2). These regulations are driving change in online retail and payment security.

This guide has all the information you need to understand the nuances of SCA requirements and properly comply with them in your business activities.

What Are PSD2 and SCA?

PSD2, or the Second Payment Services Directive, is an EU directive regulating transactions where at least one of the payment service providers (PSPs) is located in the EEA. It aims to develop a unified payment industry that follows standardized guidelines and promotes accountability and fair competition.

PSD2 came into force in 2016 and has been redefining online trade ever since by introducing such changes as:

  • Payment provider licensing
  • Open banking
  • Strong Customer Authentication

SCA is a requirement of PSD2 that aims to make electronic and contactless offline payments more secure.

Traditional single-factor authentication requires only a username and a password to perform a transaction online. Under the SCA/PSD2 requirements this is no longer enough: purchases must now use multi-factor authentication (MFA).

For the sake of fulfilling SCA requirements and accepting payments, you have to add extra authentication factors. They can be split into three categories:

  • Knowledge - something only the customer knows
  • Possession - something only the customer possesses
  • Inherence - something the customer is (a biometric or behavioural trait)

According to SCA’s regulatory technical standards (RTS), at least two of these three categories must be present within a transaction. The factors must be independent of one another, so that the breach of one does not compromise the reliability of the others.

Who Needs to Be Compliant with SCA?

The Strong Customer Authentication requirements apply to online trade activities in which both the client’s and the merchant’s banks are located within the following locations:

  • EEA countries
  • Andorra
  • Monaco
  • San Marino
  • Switzerland
  • United Kingdom

In other words, nowadays, all banks in the mentioned zones are required to verify the consumers’ identity before processing an online payment.

It is a must to update your payment processing system for an SCA-compliant one if all of the following criteria apply to your business:

  • It is based in the EEA, or you deal with payments on behalf of connected accounts based in the EEA
  • You interact with customers located in the EEA
  • You accept credit or debit cards

Despite the European Banking Authority’s mandate for the SCA to be fully enforced by January 1, 2021, multiple countries negotiated their own timelines. Nevertheless, 15 of the EEA member countries managed to get PSPs and banks fully operational under these regulations before the beginning of 2021.

Now that the official Strong Customer Authentication PSD2 enforcement date has already passed, it is highly advisable to make sure your business complies with these requirements.

Is Strong Client Authentication Required for All Transactions?

The consumer’s bank will determine when to apply multi-factor authentication, depending on the following transaction characteristics:

  • Risk level
  • Amount of funds
  • Recurrence
  • Payment channel

Therefore, additional authentication steps may not be required at all times. This is a way for PSPs to maintain a balance between payment convenience and fraud prevention.

However, even if your business deals with low-risk transactions that qualify for an exemption from the PSD2 authentication requirements, the customer’s bank may still decide to request additional authentication. It is therefore crucial to update your integration so that your customers can complete the authentication step whenever the bank asks for it.

How to Comply with SCA Requirements?

The way your business will adapt to the SCA requirements depends on what types of transactions it processes.

Face-to-Face Payments

SCA is applicable to the majority of offline payments. While chip and PIN transactions are compliant, your clients may be asked to provide their PIN when performing contactless payments.

To be able to support these requirements, you might face the need to update your POS terminal.

Online Payments

3D Secure is the technology through which your clients are prompted to verify their identity during checkout using two-factor authentication. EMV 3DS, the latest mobile-friendly version of the protocol, gives a smoother user experience throughout the payment process by reducing the chance that extra authentication steps are requested.

There are also e-commerce transactions that fall outside the scope of SCA, and others that may be exempt from it. Your bank or checkout provider may be able to “flag” the transactions that do not require SCA. This attaches an exemption indicator to the payment so that it can be authorized without any additional checks.

Which Authentication Methods Are SCA-Compliant?

For business owners working on optimizing their payment processes to fulfill the SCA requirements, it may be confusing which widely-used methods are already compliant and which need alteration.

Below are some examples of commonly encountered elements that meet the Strong Customer Authentication requirements PSD2 introduced.

Knowledge:

  • PIN
  • Password
  • Knowledge-based security question
  • Memorized swiping path

Possession:

  • Possession of a device evidenced by a signature generated by hard or soft tokens
  • Card evidenced by a card reader
  • Device evidenced through a QR code scanned from another device
  • Card with possession evidenced by a dynamic card security code

Inherence:

  • Voice recognition
  • Keystroke dynamics
  • Fingerprint scanning
  • Hand and face geometry

A combination of two such elements from different categories fulfills the SCA PSD2 minimum security requirements; two elements from the same category do not.
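As an added example (not Payneteasy code), the following check implements the rule above: the presented elements, named after the lists in this article, must cover at least two distinct categories, and anything outside the compliant list (a bare username, for instance) is rejected rather than silently counted as a factor.

```python
# Added example: SCA "two independent categories" check.
# Element names follow the article's lists; category assignment is the
# article's, not an official EBA mapping.

KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"

# Category of each SCA-compliant element listed in the article.
ELEMENT_CATEGORY = {
    "pin": KNOWLEDGE,
    "password": KNOWLEDGE,
    "security question": KNOWLEDGE,
    "swiping path": KNOWLEDGE,
    "hard token": POSSESSION,
    "soft token": POSSESSION,
    "card reader": POSSESSION,
    "qr code": POSSESSION,
    "dynamic card security code": POSSESSION,
    "voice recognition": INHERENCE,
    "keystroke dynamics": INHERENCE,
    "fingerprint": INHERENCE,
    "hand geometry": INHERENCE,
    "face geometry": INHERENCE,
}


def categories_covered(elements):
    """Return the set of SCA categories covered by the given element names.

    Raises ValueError for an element that is not on the compliant list, so a
    non-compliant element can never be counted as an authentication factor.
    """
    covered = set()
    for name in elements:
        key = name.strip().lower()
        if key not in ELEMENT_CATEGORY:
            raise ValueError(f"not an SCA-compliant element: {name!r}")
        covered.add(ELEMENT_CATEGORY[key])
    return covered


def sca_satisfied(elements):
    """True only when the elements span at least two distinct categories."""
    return len(categories_covered(elements)) >= 2


if __name__ == "__main__":
    # Two knowledge elements are still a single factor under SCA.
    print(sca_satisfied(["PIN", "password"]))          # False
    # Knowledge plus inherence satisfies the rule.
    print(sca_satisfied(["password", "fingerprint"]))  # True
```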

Non-Compliance Consequences

There is no way for the eligible payment service providers and banks to avoid implementing the strong authentication that PSD2 introduced. It is a legal requirement, and those who fail to comply will suffer the consequences. Banks will reject non-authenticated payments from online businesses that ignore the SCA regulation, so such businesses will see their decline rates go up and their conversion rate fall.

The failure to adjust the business processes to SCA puts both the merchants and payment providers at risk of lower transaction volumes. Yet, the latter party will face more severe negative effects, such as fines and license revocation.

How Payneteasy Can Help You Comply with PSD2 / SCA Requirements

Are you still in search of an SCA solution to fulfill the new PSD2 requirements? Worry not - Payneteasy has got you covered. No matter if you focus on one-time or recurring payments, we have the perfect solution that will make your business SCA-compliant with minimum amendments required from your side.

Our checkout process is based on the new foundational payments API that uses the SCA logic to implement valid exemptions and apply 3D Secure when needed. Reach out to us for more details!
