Strong customer authentication
Strong customer authentication (SCA) is a requirement of the EU Revised Directive on Payment Services (PSD2) on payment service providers within the European Economic Area. The SCA requirement comes into force from 14 September 2019. The requirement ensures that electronic payments are performed with multi-factor authentication, to increase the security of electronic payments. Physical card transactions already commonly have what could be termed strong customer authentication in the EU (Chip and PIN), but this has not generally been true for Internet transactions across the EU prior to the implementation of the requirement.
Article 97(1) of the directive requires that payment service providers use strong customer authentication where a payer:
(a) accesses its payment account online;
(b) initiates an electronic payment transaction;
(c) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.
The directive defines strong customer authentication in Article 4(30) as:
an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data
There are multiple ways a card provider can implement SCA, including:
- 3D Secure 2, such as the implementations by Mastercard (Mastercard Identity Check) and Visa.
- A dynamic card verification value.
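The Article 4(30) definition above can be turned into a concrete check. The following is an added illustration, not code from the directive, the EBA or any card scheme; the `independence_domain` field is an assumption used to model the clause that the breach of one element must not compromise the others (two elements that fall to the same single compromise, such as one stolen device, are treated as not independent).

```python
"""Checker for the PSD2 Article 4(30) definition of strong customer authentication."""
from dataclasses import dataclass
from itertools import combinations
from typing import Iterable

KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"
CATEGORIES = {KNOWLEDGE, POSSESSION, INHERENCE}


@dataclass(frozen=True)
class Factor:
    name: str
    category: str             # one of KNOWLEDGE, POSSESSION, INHERENCE
    independence_domain: str  # assumption: what one breach would expose (device, token, memory)


def assess_sca(factors: Iterable[Factor]) -> tuple[bool, str]:
    """Return (meets_sca, reason) for a proposed combination of authentication elements.

    Two or more elements are needed, drawn from at least two different categories,
    and at least one pair from different categories must not share a breach domain.
    """
    factors = list(factors)
    for f in factors:
        if f.category not in CATEGORIES:
            raise ValueError(f"{f.name}: unknown category {f.category!r}")
    if len(factors) < 2:
        return False, "fewer than two elements"
    if len({f.category for f in factors}) < 2:
        # e.g. password + security question: both 'knowledge', so still single-factor
        return False, "all elements belong to the same category"
    for a, b in combinations(factors, 2):
        if a.category != b.category and a.independence_domain != b.independence_domain:
            return True, f"{a.name} and {b.name} are independent elements of different categories"
    return False, "every cross-category pair shares a breach domain, so one breach defeats both"


def meets_sca(factors: Iterable[Factor]) -> bool:
    return assess_sca(factors)[0]


if __name__ == "__main__":
    # Constructed sample elements, not taken from any real deployment.
    password = Factor("password", KNOWLEDGE, "user memory")
    question = Factor("security question", KNOWLEDGE, "user memory")
    hw_token = Factor("hardware OTP token", POSSESSION, "token")
    for combo in ([password, hw_token], [password, question], [password]):
        print([f.name for f in combo], assess_sca(combo))
```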
On 31 January 2013, the European Central Bank (ECB) issued recommendations on Internet payment security, requiring strong customer authentication. The ECB's requirements are technologically neutral, in order to foster innovation and competition. The public submission process to the ECB identified three solutions to strong customer authentication, two of which are based on reliance authentication, and the other being the new variant of 3-D Secure which incorporates one-time passwords.
Subsequently, the European Commission drafted proposals for an updated Payment Services Directive including this requirement, which became PSD2. PSD2 strong customer authentication will be a legal requirement for electronic payments and credit cards starting September 14, 2019.