Strong Customer Authentication: A European standard for secure payments

New requirements for the authentication of online payments came into effect in September 2019 for the European Union and other countries in the European Economic Area (EEA). They’re a part of the second Payment Services Directive, which is also known as PSD2. The implementation of all of the requirements likely won’t be completed until later in 2021. An important part of the PSD2 is Strong Customer Authentication (also known as SCA or PSD2 SCA).

For now, US-based businesses are usually not subject to the SCA regulations, thanks to the so-called “one leg out” exception. For transactions in which one of the parties - either merchant or purchaser - are based outside the EEA, Strong Customer Authentication is not necessary. This means that even if you are selling to a customer in the EEA, as a US business you are generally not required to carry out SCA.

However, it’s nonetheless advisable to familiarize yourself with PSD2 SCA. For e-commerce companies that do a lot of business in the EU, there are advantages to already implementing the SCA regulations. And there are many people who think that it’s just a matter of time until the US takes the lead from Europe and adopts the regulations as well.

So, what is the SCA regulation and what does it mean for payments in the future? Which payments are affected by it and what are the exceptions? Keep reading to find out the answers to these questions and more.

Strong Customer Authentication is a part of the new EU regulations that are meant to make online payments more secure by reducing possibilities for fraud. Its main feature is adding an additional authentication step before a payment is confirmed.

According to PSD2 SCA guidelines, a transaction will only count as authenticated if two of the three following criteria are fulfilled:

1. Knowledge: The user enters a password or PIN that is only known to them.
2. Possession: The user makes the payment using a device that only they own (e.g. a smartphone, laptop, smartwatch, chip card, or hardware token).
3. Inherence: The user identifies themself using, e.g., a fingerprint, face scan, or voice recognition.

Strong Customer Authentication is thus a type of two-factor authentication that provides extra assurance that the user really is who they say they are.

The idea is already an integral part of many areas of digital life, but until now it wasn’t required to implement this extra layer of security for online transactions. Up to this point, it’s been possible for the customer to simply enter their payment information and confirm their purchase. Some companies have been using two-factor authentication for a while, and now it’s become a legal requirement for every company in the EEA.

The revised Payment Services Directive was introduced back in September 2019 (and gives online merchants until 2021 to fully implement its requirements). However, the story of Strong Customer Authentication goes even further back than this.

The SCA regulation is based on three key areas from 2007 EU legislation. Then as now, the most important considerations were:

1. Strengthening consumers’ rights in payment transactions.
2. Creating equal conditions of competition with the regulation of third-party access to account information.
3. Improving security for all parties involved.

These considerations were implemented in the first version of the Payment Services Directive. Since then, payment technology has developed at an astounding pace, and there’s been an increase in the number of online payment gateways and third-party providers (TPP). These providers offer consumers new possibilities for quickly and easily making payments but also open possibilities for vendors to access customers’ account information.

Access to consumer accounts was thus more or less open, leading to increased security risks. The EU’s reaction came relatively quickly in the form of clear regulations on the ways that TPPs and online payment gateways can gain access to customer accounts.

Strong Customer Authentication is the next step in reducing fraud in online transactions. Its application to merchants outside the European Economic Area is complex and depends heavily on where a business and its subsidiaries are headquartered. Businesses based outside the EEA should carefully check whether they are subject to SCA regulations.

A European law that potentially affects parties outside the EEA - this is one of the aspects that makes the new SCA regulations so complex in their implementation. Therefore, payment service providers have requested postponement of the deadlines for implementing PSD2 SCA. And indeed, a binding deadline has yet to be set.

3D Secure is the most used authentication protocol for online payments. It’s supported by most European debit and credit cards and thus used most frequently. Right before the payment process is completed, the user is asked to give more information. This can take the form of a transaction number or a fingerprint entered in a banking app.

For compliance with PSD2 SCA, the new version 3D Secure 2 is being released, which makes the authentication protocol the main method for authenticating online credit/debit card payments. The improvements in the new version mostly have to do with user experience, so that online payments can be completed quickly and easily despite the additional authentication step.

Apple Pay and Google Pay already handle online payments with an integrated authentication step. Both services have implemented biometric and password-protected steps, without compromising on a smooth user experience - great examples for the technology behind PSD2 SCA.

PSD2 SCA applies whenever a customer in the European Economic Area transfers money or wants to access their bank account. This means that Strong Customer Authentication is required when:

1. A customer accesses their bank account online.
2. A customer initiates an electronic payment process.
3. A customer is exposed to a risk of fraud in an online payment transaction.

As with every law, there are possible exceptions to Strong Customer Authentication. For example, when it comes to subscription payments, strong authentication is only required for the initial purchase of the subscription. Other potential exceptions include low-risk payments, for which Strong Customer Authentication is simply not necessary and may even be bothersome.

There is also an exception for transfers of small amounts of money: Transactions with a value of 30 euros or less are not subject to the rules of PSD2 SCA. To prevent the accumulation of smaller cases of fraud, there are additional rules for small transactions:

1. Banks have to carry out Strong Customer Authentication for transactions made with a card that’s been used five times without a new authentication, even if the transaction would normally be subject to an exception.
2. If the value of the exception transactions exceeds 100 euros, the SCA regulations will apply to the next transaction regardless of its value.

These exceptions will especially come in handy for small businesses. It’s important to keep in mind, though, that the customer’s bank has the last word on whether these exceptions apply or not. To avoid losing customers, it’s a good idea to offer several possibilities for payment which already comply with PSD2 SCA.