Rapid changes in the payments industry, the meteoric rise of e-commerce and the constant threat of fraud have led the European Union (EU) to update its Payment Services Directive (PSD), which has regulated the electronic payment services industry since 2007.

The EU’s new PSD2 directive (2015/2366/EU), a revision of the PSD, is about to take effect. One of the most relevant changes relates to the security of electronic payments through a new technical standard that regulates strong customer authentication (SCA), which will have tangible effects on how we execute electronic payment transactions, both through e-banking sites and online stores.

What Is Strong Customer Authentication?

Effective Sept. 14, 2019, users must confirm their identity through strong customer authentication during a transaction. Authentication occurs by combining two or more elements drawn from the categories of knowledge (something only the user knows, such as a password or PIN), possession (something only the user possesses, such as a mobile device or app) and inherence (something the user is, such as a fingerprint, facial scan or other biometric feature). The authentication factors must be mutually independent, so that the breach of one does not compromise the reliability of the others.

Payment systems already rely on multifactor authentication (MFA). In some online payments, the username and password are not enough, and the bank or credit card company sends an SMS containing a one-time password that you must re-enter to confirm a transaction. Strong customer authentication extends this mechanism with the most recent and safest user verification methods, such as biometrics or a mobile authentication app, carefully chosen based on frauds observed in the past.

When Does SCA Apply?

Strong customer authentication applies when a user:

  • Accesses their payment account online;
  • Initiates an electronic payment transaction; or
  • Carries out any action through a remote channel, which may imply a risk of payment fraud or other abuses.

The regulation applies to electronic payments in which both parties are within the European Economic Area (EEA), which is made up of the 28 EU states, plus Iceland, Liechtenstein and Norway.

Strong customer authentication has some well-defined exemptions based on risk, amount, periodicity and payment channel. For example, it does not apply when a user views the account balance and recent transactions associated with their accounts, as long as sensitive payment data is not disclosed. Likewise, recurring transactions of the same amount — such as utility payments — can be exempt from SCA, as long as the beneficiary has been saved as trusted and at least one strong authentication cycle for that beneficiary has already completed successfully.

An important exemption scenario is around electronic payments managed by payment service providers that maintain a particularly low fraud rate. The amount of the exempt transaction depends directly on the institution’s fraud rate, reaching up to 500 euros in the case of electronic card-based payments where the payment service provider demonstrates a fraud rate of less than 0.01 percent. It is an ambitious goal, lower than the current average fraud rate in the Single Euro Payments Area (SEPA), which will undoubtedly lead to a virtuous acceleration of the security of the whole payment industry.
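As an added illustration, not part of the original article, the following Python routine encodes the SCA factor rule and the exemptions described above as a decision function. The Transaction fields, the `view_balance`/`payment` action names and the single 500 EUR / 0.01 percent tier are assumptions drawn from this text; the lower tiers of the regulatory technical standard are deliberately not modelled.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    """The three SCA factor categories named in the article."""
    KNOWLEDGE = "knowledge"      # password, PIN
    POSSESSION = "possession"    # mobile device, authenticator app
    INHERENCE = "inherence"      # fingerprint, face, other biometric


@dataclass
class Transaction:
    """Constructed, simplified view of a payment request (field names are assumptions)."""
    action: str                          # "view_balance" or "payment"
    amount_eur: float = 0.0
    sensitive_data_shown: bool = False   # balance view that discloses sensitive payment data
    recurring_same_amount: bool = False  # e.g. a utility bill of a fixed amount
    beneficiary_trusted: bool = False    # payee saved by the user as trusted
    beneficiary_sca_done: bool = False   # at least one successful SCA cycle for this payee
    psp_fraud_rate: float = 1.0          # provider's fraud rate as a fraction; 1.0 = unknown


# Only the tier quoted in the article: fraud rate below 0.01 percent -> up to 500 EUR exempt.
TRA_EXEMPTION = (0.0001, 500.0)


def is_strong_authentication(factors):
    """SCA means two or more factors from *distinct* categories.

    A password plus a PIN is two knowledge factors and does not qualify; this check
    approximates the independence requirement by category, which is necessary but
    not sufficient (e.g. an SMS code read on the same device that holds the password).
    """
    return len(set(factors)) >= 2


def sca_required(tx: Transaction) -> bool:
    """Decide whether SCA must be performed, applying the exemptions the article lists."""
    if tx.action == "view_balance":
        # Balance and recent transactions are exempt unless sensitive payment data is shown.
        return tx.sensitive_data_shown
    # Recurring same-amount payment to a trusted beneficiary, after one successful SCA cycle.
    if tx.recurring_same_amount and tx.beneficiary_trusted and tx.beneficiary_sca_done:
        return False
    # Transaction risk analysis exemption tied to the provider's fraud rate.
    max_rate, max_amount = TRA_EXEMPTION
    if tx.psp_fraud_rate < max_rate and tx.amount_eur <= max_amount:
        return False
    return True
```

Every branch that returns False is an exemption; any transaction that matches none of them falls through to SCA, which is the safe default.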

A Good Opportunity for Online Commerce

This is a real technological revolution, and it could catch many organizations off-guard and unprepared. Users who fail to heed the notices that all banks are providing these days risk finding themselves suddenly unable to authenticate, leading to an avalanche of cart abandonment. This is the stuff of nightmares for online stores. On the other hand, the PSD2 and SCA will attract an increasing number of buyers thanks to the growing trust in electronic payments.

One of the principles of the regulatory technical standards states that electronic remote payment transactions are subject to a higher risk of fraud. In fact, 73 percent of payment card fraud profits come from remote transactions, either online or via telephone, and, more generally, in card-not-present (CNP) payments, where the payment card is not physically shown at the time of the payment. It is in this area that strong customer authentication will bring the most valuable results.

In light of this revolution, it’s imperative for all the players in the electronic payment system to constantly improve their fraud rate, offer increasing thresholds of exemption and attract a growing number of customers due to the perception of a safer mode of transaction.
