Strong Customer Authentication (SCA) – PSD2

What is Strong Customer Authentication?

Strong Customer Authentication (SCA) is a new security standard under PSD2 (see our PSD2 overview).

What is the rationale behind Strong Customer Authentication?

Strong Customer Authentication is intended to improve the security of online payments – particularly to reduce the risk of fraud.

At a high level, it requires at least two independent forms of authentication by the customer.

This reduces the risk that a fraudster who obtains one form of authentication (such as a password or digital security device) is able to make a fraudulent transaction.

How does Strong Customer Authentication work?

To authenticate a transaction using SCA, the customer needs to use at least two of the three forms of authentication below:

  1. Possession: Something the customer has – like a security device or mobile phone.
  2. Knowledge: Something the customer knows – like a password or PIN.
  3. Inherence: Something the customer is – like voice identification or a fingerprint.

In what circumstances does a payment service provider need to use Strong Customer Authentication?

Payment service providers need to use Strong Customer Authentication when payers:

  1. Access their accounts online,
  2. Initiate payment transactions, and
  3. Carry out any action through a remote channel which might imply a risk of payment fraud or other abuses.

Which article of the revised payment services directive (PSD2) outlines the Strong customer authentication requirements?

Article 97 of the directive (“Authentication”) outlines the Strong customer authentication requirements under PSD2.

Strong Customer Authentication (SCA) Exemptions

There are some exemptions from the need to use SCA – including for certain low value transactions.

The exemptions include:

  • Low value online payments under 30 Euros.
  • In person payments under 50 Euros.
  • Payees that the customer has “whitelisted” to request future transactions without needing the two-factor authentication in SCA.
  • Recurring payments to the same payee for a recurring fixed amount.
  • Certain transactions deemed “low risk”.
  • Business payments from a business through “secure virtual payments” such as virtual cards.
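
The two-of-three factor rule and the exemption list above can be expressed as a single authorisation check. The following is an added example, not code from this page or from any PSD2 standard: the credential names, the `Payment` fields and the function names are hypothetical, and it models only the exemptions this page gives concrete criteria for (the "low risk" and business virtual payment exemptions are left out). It shows why two credentials from the same category, such as a password and a PIN, do not satisfy SCA.

```python
from dataclasses import dataclass

# Hypothetical mapping from a verified credential type to its SCA category.
CATEGORY = {
    "password": "knowledge", "pin": "knowledge",
    "security_device": "possession", "mobile_phone": "possession",
    "fingerprint": "inherence", "voice": "inherence",
}

@dataclass
class Payment:
    amount_eur: float
    in_person: bool = False
    payee_whitelisted: bool = False
    recurring_fixed_amount: bool = False

def exemption(p):
    """Name of the first exemption from the page's list that applies, else None."""
    if p.payee_whitelisted:
        return "whitelisted_payee"
    if p.recurring_fixed_amount:
        return "recurring_fixed_amount"
    if p.in_person and p.amount_eur < 50:
        return "low_value_in_person"
    if not p.in_person and p.amount_eur < 30:
        return "low_value_online"
    return None

def sca_satisfied(verified):
    """True only if the verified credentials span two distinct categories."""
    # Unknown credential types are ignored, so they never count as a factor.
    return len({CATEGORY[c] for c in verified if c in CATEGORY}) >= 2

def authorise(p, verified):
    """Allow on an exemption or on satisfied SCA; otherwise demand SCA."""
    reason = exemption(p)
    if reason:
        return True, reason
    if sca_satisfied(verified):
        return True, "sca"
    return False, "sca_required"

if __name__ == "__main__":
    # Constructed sample inputs.
    print(authorise(Payment(120.0), ["password", "pin"]))  # same category twice
    print(authorise(Payment(120.0), ["password", "fingerprint"]))
    print(authorise(Payment(25.0), []))
```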

Who sets out the regulatory technical standards in relation to Strong Customer Authentication?

The European Banking Authority (EBA) sets out the regulatory technical standards in relation to Strong customer authentication.

When does the Strong Customer Authentication requirement come into force?

For online payments, Strong Customer Authentication requirements are already in force.

For online payments, it is currently being rolled out by banks. The deadline was 14th September 2019, but as much of the industry needed more time, this has effectively been pushed back to the 31st December 2020 (except for the UK for which it is March 2021).