What is Secure Customer Authentication under PSD2? (June 2020)

Secure Customer Authentication is often used in place of Strong Customer Authentication (SCA) when discussing the EU’s new payment authentication requirements.

Secure Customer Authentication is intended to increase the security of online payments – to reduce fraud. It means that customers cannot make online payments by just providing their credit card number and card expiry date. Customers instead need to provide an extra form of authentication such as a One-Time-PIN sent to their mobile or fingerprint authentication through their mobile phone.

Secure Customer Authentication requirements were introduced in the European Union’s Revised Directive on Payment Services (PSD2).

The cases in which Secure Customer Authentication (referred to as Strong Customer Authentication in the directive) is required are listed in Article 97(1) of the directive as where a payer:

  1. accesses its payment account online;
  2. initiates an electronic payment transaction;
  3. carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.

To authenticate a payment so as to meet Secure Customer Authentication standards, the customer will need to demonstrate their identity using two or more elements of the following three types of authentication:

  1. Inherence – something the customer is (like their fingerprint or FaceID)
  2. Knowledge – something the customer knows (like a PIN)
  3. Possession – something the customer has (like their mobile phone – which can be proven by sending the customer a one-time-pin SMS).

The authentication forms used should be independent – so that if a fraudster got one item (for example the person’s PIN or mobile phone), they would still not be able to impersonate the customer, as they would fail the second form of authentication asked for to make the payment.
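The two-element and independence rules above can be expressed as a server-side check. The following is an added example, not code from the directive or from any payment provider: the `Factor` type, the `exposed_by` label and the sample factors are assumptions made for illustration, and "two or more elements" is read as elements from different types.

```python
from dataclasses import dataclass
from enum import Enum
from itertools import combinations


class Element(Enum):
    INHERENCE = "inherence"    # something the customer is
    KNOWLEDGE = "knowledge"    # something the customer knows
    POSSESSION = "possession"  # something the customer has


@dataclass(frozen=True)
class Factor:
    name: str
    element: Element
    # Assumption of this example: the single item a fraudster must obtain
    # to defeat this factor (e.g. the handset, or the memorised PIN).
    exposed_by: str


def independent_pairs(factors):
    """Pairs from different types that no single theft defeats together."""
    return [
        (a, b)
        for a, b in combinations(factors, 2)
        if a.element is not b.element and a.exposed_by != b.exposed_by
    ]


def meets_sca(factors):
    """True when at least two independent elements of different types passed."""
    return bool(independent_pairs(factors))


# Constructed sample factors, not taken from any real system.
PIN = Factor("PIN", Element.KNOWLEDGE, "memorised PIN")
PASSWORD = Factor("password", Element.KNOWLEDGE, "memorised password")
SMS_OTP = Factor("SMS one-time PIN", Element.POSSESSION, "handset")
FINGERPRINT = Factor("fingerprint", Element.INHERENCE, "customer's finger")
SAVED_PIN = Factor("PIN auto-filled by the phone", Element.KNOWLEDGE, "handset")

if __name__ == "__main__":
    for attempt in ([PIN, SMS_OTP], [PIN, PASSWORD], [SAVED_PIN, SMS_OTP],
                    [FINGERPRINT, SMS_OTP], [SMS_OTP]):
        names = " + ".join(f.name for f in attempt)
        print(f"{names}: {'SCA met' if meets_sca(attempt) else 'SCA not met'}")
```

A PIN plus a password fails because both are knowledge, and a PIN that the phone fills in automatically fails alongside an SMS one-time PIN because stealing the handset defeats both.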

Secure Customer Authentication requirements apply to payments being made by European Economic Area (EEA)-based merchants and where the customer’s bank is also in the EEA. Secure Customer Authentication generally applies to payments that are initiated by the customer.

There are some exceptions, where Secure Customer Authentication is not required – mainly where the risk of fraud is considered to be low – for example for some low value transactions.

Secure Customer Authentication is being enforced from different start dates in different countries within the EEA. Most countries are expected to start enforcing Secure Customer Authentication from some point in 2020, with some countries delaying the start of their enforcement to some point in 2021. COVID-19 has resulted in some countries’ regulators issuing guidance that they will be delaying when they will start enforcing Secure Customer Authentication.

A potential risk of PSD2 is that it increases the amount of work required by consumers to make online purchases – which is a cost for consumers and also could result in lower sales by merchants. An alternative argument is that by increasing online payment security, consumers will feel more confident shopping online and this will ultimately increase online sales.