Rapid changes in the payments industry, the meteoric rise of e-commerce and the constant threat of fraud have led the European Union (EU) to update its Payment Services Directive (PSD), which has regulated the electronic payment services industry since 2007.

The EU’s PSD2 directive (Directive (EU) 2015/2366), a revision of the PSD, is already in force, and the regulatory technical standards (RTS) that implement one of its most significant changes are about to take effect. That change concerns the security of electronic payments: the RTS define strong customer authentication (SCA), which will have tangible effects on how we execute electronic payment transactions, both on e-banking sites and in online stores.

What Is Strong Customer Authentication?

Effective Sept. 14, 2019, users must confirm their identity through strong customer authentication during a transaction. Authentication combines at least two factors drawn from different categories: knowledge (something only the user knows, such as a password or PIN), possession (something only the user possesses, such as a registered mobile device or an authenticator app) and inherence (something the user is, such as a fingerprint, facial scan or other biometric feature). Two factors from the same category, such as a password plus a security question, do not qualify. The factors must also be mutually independent, so that the breach of one does not compromise the reliability of the others.

Payment systems already rely on multifactor authentication (MFA). For some online payments, the username and password are not enough, and the bank or card issuer sends an SMS containing a one-time password that the user must re-enter to confirm the transaction. Strong customer authentication builds on this mechanism with more recent and more robust verification methods, such as biometrics or a dedicated mobile authentication app, chosen in light of the fraud patterns observed in the past. Note that an SMS one-time password counts as a possession factor only because it evidences control of the SIM; it is weaker than an app-based or biometric factor because it is exposed to SIM swapping and message interception.

When Does SCA Apply?

Strong customer authentication applies when a user:

  • Accesses their payment account online;
  • Initiates an electronic payment transaction; or
  • Carries out any action through a remote channel that may carry a risk of payment fraud or other abuse.

The regulation applies to electronic payments in which both the payer’s and the payee’s payment service providers are located within the European Economic Area (EEA), which is made up of the 28 EU member states plus Iceland, Liechtenstein and Norway. Where one leg of the transaction sits outside the EEA, SCA is applied only on a best-effort basis.

Strong customer authentication has well-defined exemptions based on risk, amount, periodicity and payment channel. For example, it does not apply when a user simply views the account balance and recent transactions, as long as no sensitive payment data is disclosed; even then, SCA is still required the first time the account is accessed and at least every 90 days thereafter. Similarly, recurring transactions of the same amount to the same payee, such as utility payments, are exempt once the series has been set up with a successful SCA, and payments to beneficiaries the user has placed on a trusted list are exempt because adding a payee to that list itself requires SCA.

An important exemption scenario, known as transaction risk analysis (TRA), covers electronic payments managed by payment service providers that maintain a particularly low fraud rate. The amount that can be exempted depends directly on the institution’s fraud rate, reaching up to 500 euros for remote card-based payments where the payment service provider demonstrates a fraud rate below 0.01 percent. The fraud rate must be monitored and reported quarterly, and a provider whose rate rises above the reference rate loses the exemption until it is back under the threshold. It is an ambitious target, lower than the current average fraud rate in the Single Euro Payments Area (SEPA), and it is designed to push the whole payment industry to drive fraud down.
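To make the two preceding sections concrete, here is an added example (not IBM code and not an authoritative implementation of the RTS) that models the factor-category rule and the exemptions described above as decision logic a payment service provider might run before challenging a user. The three TRA tiers encoded in it (100, 250 and 500 euros at reference fraud rates of 0.13, 0.06 and 0.01 percent) come from the Annex to the RTS for remote card payments; the article itself cites only the top tier. The `Context` fields and the 90-day account-access rule are simplifications chosen for the example.

```python
"""Illustrative SCA decision logic (added example, not an authoritative RTS implementation)."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import Optional, Tuple


class Factor(Enum):
    KNOWLEDGE = "knowledge"    # password, PIN
    POSSESSION = "possession"  # registered device, authenticator app, SIM (SMS OTP)
    INHERENCE = "inherence"    # fingerprint, face


def is_strong_authentication(presented: list) -> bool:
    """SCA needs two or more factors from *different* categories.
    Password + security question is two knowledge factors and does not qualify."""
    return len({f for f in presented if isinstance(f, Factor)}) >= 2


# TRA tiers for remote card payments (RTS Annex): the largest exempt amount in EUR
# allowed when the PSP's reference fraud rate is at or below the given percentage.
TRA_TIERS = ((0.01, 500), (0.06, 250), (0.13, 100))


def tra_threshold(psp_fraud_rate_pct: float) -> int:
    """Return the exempt amount for this fraud rate; 0 means no TRA exemption."""
    for max_rate, amount in TRA_TIERS:
        if psp_fraud_rate_pct <= max_rate:
            return amount
    return 0


@dataclass
class Context:
    """Hypothetical inputs to the exemption decision (assumed field names)."""
    kind: str                              # "balance_view" or "payment"
    amount_eur: float = 0.0
    payee: str = ""
    shows_sensitive_data: bool = False     # e.g. full card number on screen
    trusted_payees: set = field(default_factory=set)   # entries added only after SCA
    recurring: Optional[Tuple[str, float]] = None      # (payee, amount) set up under SCA
    days_since_last_sca: int = 0
    psp_fraud_rate_pct: float = 1.0        # pessimistic default: no TRA exemption
    payer_psp_in_eea: bool = True
    payee_psp_in_eea: bool = True


def sca_required(ctx: Context) -> Tuple[bool, str]:
    """Decide whether to challenge the user; returns (required, reason)."""
    if not (ctx.payer_psp_in_eea and ctx.payee_psp_in_eea):
        return False, "out of scope: one leg outside the EEA (best-effort only)"

    if ctx.kind == "balance_view":
        if ctx.shows_sensitive_data:
            return True, "account information exemption lost: sensitive payment data shown"
        if ctx.days_since_last_sca <= 90:
            return False, "exempt: balance/history view within 90-day window"
        return True, "account information but 90-day window elapsed"

    if ctx.kind == "payment":
        if ctx.payee and ctx.payee in ctx.trusted_payees:
            return False, "exempt: trusted beneficiary"
        if ctx.recurring == (ctx.payee, ctx.amount_eur):
            return False, "exempt: recurring series already authenticated"
        limit = tra_threshold(ctx.psp_fraud_rate_pct)
        if limit and ctx.amount_eur <= limit:
            return False, f"exempt: TRA, amount within EUR {limit}"
        return True, "no exemption applies"

    return True, "unknown action: default to SCA"


if __name__ == "__main__":
    # Constructed sample: a 300 EUR card payment at a PSP with a 0.01 % fraud rate.
    print(sca_required(Context(kind="payment", amount_eur=300, psp_fraud_rate_pct=0.01)))
    print(is_strong_authentication([Factor.KNOWLEDGE, Factor.KNOWLEDGE]))
```

The pessimistic defaults are deliberate: a provider that cannot evidence its fraud rate gets no TRA exemption, and any action the engine does not recognise falls back to a challenge. A recurring series is exempt only when both payee and amount match what was authenticated when the series was created, which is what keeps the exemption from being abused by changing the amount.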

A Good Opportunity for Online Commerce

This is a real change in how payments are authorized, and it could catch many organizations off guard. Customers who ignore the notices their banks are sending out risk suddenly finding themselves unable to authenticate, and merchants whose checkout and payment gateway do not support the card schemes’ SCA mechanism (3-D Secure 2 for card-not-present payments) risk a wave of declined transactions and cart abandonment. That is the stuff of nightmares for online stores. On the other hand, PSD2 and SCA should attract more buyers as trust in electronic payments grows.

One of the principles of the regulatory technical standards is that remote electronic payment transactions carry a higher risk of fraud. In fact, 73 percent of payment card fraud losses come from remote transactions, whether online or by telephone, that is, from card-not-present (CNP) payments in which the card is not physically presented at the time of payment. It is in this area that strong customer authentication will bring the most valuable results.

In light of this change, every player in the electronic payment system has a direct incentive to drive its fraud rate down: lower fraud rates unlock higher exemption thresholds, fewer challenges at checkout and a growing number of customers who perceive the channel as safe.
