Safe online payments with Strong Customer Authentication
On 14 September 2019, new requirements for authenticating online payments came into force in Europe under the second Payment Services Directive (PSD2). The requirement in question is Strong Customer Authentication (SCA).
Strong Customer Authentication (SCA) is a European regulatory requirement intended to reduce fraud and make online payments more secure. PSD2 requires SCA to be applied to customer-initiated electronic payments, including proximity, remote and mobile payments, within the European Economic Area (EEA).
To accept payments and meet SCA requirements, businesses need to build additional authentication into their checkout flow.
MiFinity’s security features
To adhere to this regulatory requirement, we put the necessary measures in place to become SCA compliant, so that our clients can rest assured that their payments are authenticated as the regulation requires. This matters all the more at a time when the volume of online payments is increasing: during the pandemic, digital payments have played a large part in keeping commerce moving.
What exactly is Strong Customer Authentication (SCA)?
Wondering what SCA is and why it matters? SCA is an additional security measure that requires the payer to be authenticated by their payment service provider (PSP) using at least two factors, each drawn from a different one of the following three categories:
- Something the customer knows (like a password or PIN)
- Something the customer has (like a phone or hardware token)
- Something the customer is (like a fingerprint or face recognition)
These factors must also be independent of one another, so that the compromise of one (for example a stolen password) does not compromise the reliability of the others. The aim is to protect the confidentiality of the authentication data as a whole rather than of any single element. Which specific factors to use is a decision for each individual PSP.
The benefits of having SCA in place
With the general shift towards online services, both during the pandemic and beyond, there is a greater need to authenticate the identity of users during transactions and banking activities, in order to:
- Reduce the cost of processing fraudulent transactions
- Reduce the potential for online fraud
- Comply with PSD2 and align with industry standards such as PCI DSS
- Increase cardholder confidence in using online services
What about the user’s experience?
The SCA mandate is complemented by a limited set of exemptions that allow a frictionless customer experience when the transaction risk is low. Regulated PSPs are responsible for applying SCA and for deciding whether an exemption applies; for card payments these PSPs are the issuer (the payer’s PSP) and the acquirer (the payee’s PSP).
Because SCA applies to customer-initiated electronic payments within Europe, most online card payments and all online bank transfers require it. Recurring direct debits, by contrast, are treated as merchant-initiated and do not require strong authentication for each collection. In-person chip-and-PIN card payments already combine possession (the card) with knowledge (the PIN), so the in-store experience is largely unchanged; the exception is contactless payments, where the regulation limits how many or how much can be paid without authentication before the cardholder is asked to authenticate.
For online card payments, the requirements apply when both the business’s acquirer and the cardholder’s issuing bank are located in the European Economic Area (EEA).
Even more layers of security
Currently, the most common way of authenticating an online card payment is the 3-D Secure (3DS) protocol, which is supported by the vast majority of European cards. Applying 3-D Secure typically adds an extra step after checkout in which the cardholder is prompted by their bank to provide additional information to complete the payment, such as a one-time code sent to their mobile phone or a fingerprint confirmation in their mobile banking app.
3-D Secure 2 is the newer version of the protocol, rolled out across the industry in 2019, and is now the main method for authenticating online card payments and meeting the SCA requirements. It improves the user experience and reduces some of the friction that authentication adds to the checkout flow, for example by letting the issuer assess the transaction risk from richer transaction and device data and skip the challenge where an exemption applies.
3DS2 supports SCA through multi-factor authentication, with challenge methods including one-time passcodes (OTPs), biometric authentication such as fingerprint or facial recognition, and QR codes that the cardholder scans with their banking app.
Other card-based payment methods such as Apple Pay and Google Pay already include a built-in authentication step on the customer’s device, so they offer businesses a way to provide a frictionless checkout while meeting the new requirements.
Under PSD2, banks and other financial institutions must comply with the SCA regulations.
We will keep living up to our slogan “Payments Without Borders”, continuing to process payments for our customers and merchants at all times, without borders, but with the authentication and security measures the regulation requires.