How Will Strong Customer Authentication Impact the Security of Electronic Payments?

September 12, 2019

Rapid changes in the payments industry, the meteoric rise of e-commerce and the constant threat of fraud have led the European Union (EU) to update its Payment Services Directive (PSD), which has regulated the electronic payment services industry since 2007.

The EU’s new PSD2 directive (2015/2366/EU), a revision of the PSD, is about to take effect. One of the most relevant changes relates to the security of electronic payments through a new technical standard that regulates strong customer authentication (SCA), which will have tangible effects on how we execute electronic payment transactions, both through e-banking sites and online stores.

What Is Strong Customer Authentication?

Effective Sept. 14, 2019, users must confirm their identity through strong customer authentication during a transaction. Authentication occurs by combining two or more factors drawn from the categories of knowledge (something only the user knows, such as a password or PIN), possession (something only the user possesses, such as a mobile device or app) and inherence (something the user is, such as a fingerprint, facial scan or other biometric feature). The authentication factors must be mutually independent, so that the breach of one does not compromise the reliability of the others.

Payment systems already rely on multifactor authentication (MFA). In some online payments, the username and password are not enough, and the bank or credit card company sends an SMS containing a one-time password that you must re-enter to confirm a transaction. Strong customer authentication extends this mechanism with the most recent and safest user verification methods, such as biometrics or a mobile authentication app, carefully chosen based on frauds observed in the past.

When Does SCA Apply?

Strong customer authentication applies when a user:

  • Accesses their payment account online;
  • Initiates an electronic payment transaction; or
  • Carries out any action through a remote channel, which may imply a risk of payment fraud or other abuses.

The regulation applies to electronic payments in which both parties are within the European Economic Area (EEA), which is made up of the 28 EU states, plus Iceland, Liechtenstein and Norway.

Strong customer authentication has some well-defined exemptions based on risk, amount, periodicity and payment channel. For example, it does not apply when a user views the account balance and recent transactions of their accounts, as long as no sensitive payment data is disclosed. Recurring transactions of the same amount, such as utility payments, can also be exempt from SCA, as long as the beneficiaries have been saved as trusted and at least one strong authentication cycle has been completed for them.

An important exemption scenario is around electronic payments managed by payment service providers that maintain a particularly low fraud rate. The amount of the exempt transaction depends directly on the institution’s fraud rate, reaching up to 500 euros in the case of electronic card-based payments where the payment service provider demonstrates a fraud rate of less than 0.01 percent. It is an ambitious goal, lower than the current average fraud rate in the Single Euro Payments Area (SEPA), which will undoubtedly lead to a virtuous acceleration of the security of the whole payment industry.
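As an added illustration, not code from the article or from IBM, the following Python models the factor-category rule from the previous section and the exemption rules in this section as a simple decision helper. The factor classification, the transaction and account fields, and the exemption tiers below 500 euros (assumed from RTS (EU) 2018/389, Article 18) are assumptions; only the 500 euro / 0.01 percent tier comes from the article.

```python
# Simplified SCA decision helper (added illustration, not from the article).
from dataclasses import dataclass, field

KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"

# Factor name -> SCA category (classification assumed for illustration).
FACTOR_CATEGORY = {
    "password": KNOWLEDGE, "pin": KNOWLEDGE, "security_question": KNOWLEDGE,
    "sms_otp": POSSESSION, "auth_app": POSSESSION, "card_reader": POSSESSION,
    "fingerprint": INHERENCE, "face": INHERENCE,
}

def is_strong_authentication(factors):
    """SCA needs two or more factors from at least two different categories,
    so two knowledge factors (password + security question) do not qualify."""
    categories = {FACTOR_CATEGORY[f] for f in factors}
    return len(factors) >= 2 and len(categories) >= 2

# Remote card-payment exemption tiers: (max amount in EUR, max PSP fraud rate in %).
# Only the 500 EUR / 0.01 % tier is cited in the article; the lower tiers are
# assumed from RTS (EU) 2018/389 Art. 18.
TRA_TIERS = [(500, 0.01), (250, 0.06), (100, 0.13)]

@dataclass
class Transaction:
    kind: str                    # "view_balance" or "payment" (constructed values)
    amount: float = 0.0
    payee: str = ""
    discloses_sensitive_data: bool = False
    remote: bool = True

@dataclass
class AccountState:
    trusted_payees: set = field(default_factory=set)  # saved after a completed SCA
    psp_fraud_rate: float = 1.0                        # percent, remote card payments

def sca_required(txn, acct):
    """Return (required, reason) for a transaction under the article's rules."""
    if txn.kind == "view_balance":
        # Balance and recent transactions are exempt unless sensitive data is shown.
        return (txn.discloses_sensitive_data, "account-information exemption")
    if txn.kind == "payment":
        if txn.payee in acct.trusted_payees:
            return (False, "trusted beneficiary exemption")
        if txn.remote:
            for max_amount, max_rate in TRA_TIERS:  # tiers ordered high to low
                if acct.psp_fraud_rate <= max_rate and txn.amount <= max_amount:
                    return (False, f"low-fraud-rate exemption (<= {max_amount} EUR)")
        return (True, "electronic payment initiation")
    return (True, "remote action with fraud risk")
```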

A Good Opportunity for Online Commerce

This is a real technological revolution, and it could catch many organizations off-guard and unprepared. Users who fail to heed the notices that all banks are providing these days risk finding themselves suddenly unable to authenticate, leading to an avalanche of cart abandonment. This is the stuff of nightmares for online stores. On the other hand, the PSD2 and SCA will attract an increasing number of buyers thanks to the growing trust in electronic payments.

One of the principles of the regulatory technical standards states that electronic remote payment transactions are subject to a higher risk of fraud. In fact, 73 percent of payment card fraud profits come from remote transactions, either online or via telephone, and, more generally, in card-not-present (CNP) payments, where the payment card is not physically shown at the time of the payment. It is in this area that strong customer authentication will bring the most valuable results.

In light of this revolution, it’s imperative for all the players in the electronic payment system to constantly improve their fraud rate, offer increasing thresholds of exemption and attract a growing number of customers due to the perception of a safer mode of transaction.

Pier Luigi Rotondo
Technical Enablement Specialist, IBM

Pier Luigi Rotondo works for the IBM Security Technical Enablement team, focusing on Identity and Access Management solutions. In the past, he has contribute...