Rapid changes in the payments industry, the meteoric rise of e-commerce and the constant threat of fraud have led the European Union (EU) to update its Payment Services Directive (PSD), which has regulated the electronic payment services industry since 2007.

The EU’s revised directive, PSD2 (Directive (EU) 2015/2366), has been in force since January 2018, and the part of it with the most visible effect on users is about to take effect: a new regulatory technical standard on strong customer authentication (SCA). It changes how electronic payment transactions are executed, both on e-banking sites and in online stores.

What Is Strong Customer Authentication?

Effective Sept. 14, 2019, users must confirm their identity through strong customer authentication when they transact. Authentication combines two or more factors drawn from different categories: knowledge (something only the user knows, such as a password or PIN), possession (something only the user has, such as a registered mobile device or authenticator app) and inherence (something the user is, such as a fingerprint, facial scan or other biometric feature). Two factors from the same category, such as a password plus a PIN, do not qualify. The factors must also be mutually independent, so that the compromise of one does not undermine the reliability of the others.

Payment systems already use multifactor authentication (MFA): for some online payments a username and password are not enough, and the bank or card issuer sends an SMS one-time password that must be entered to confirm the transaction. Strong customer authentication builds on this with newer and stronger verification methods, such as biometrics or a mobile authenticator app, selected in light of the fraud patterns observed so far. An SMS code counts as a possession factor, but a weak one, since codes can be intercepted through SIM-swap fraud.
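The following is an added example, not code from the article, showing the shape of an SCA check as described above: every presented factor is verified on its own, and the verified factors must span at least two distinct categories, so that two knowledge factors do not pass. The knowledge factor is a PBKDF2 password check and the possession factor is an RFC 6238 TOTP code such as an authenticator app would produce; the user record, salt, password and TOTP seed are constructed sample data (the seed is the RFC 6238 test-vector secret so the codes can be checked against the RFC's table). Inherence is listed but not verified, since a biometric match cannot be done in an offline snippet.

```python
"""Added illustration of an SCA-style two-category check (not the article's code).
The user record, salt, password and TOTP seed are constructed sample data."""
import hashlib
import hmac
import struct
import time

KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"
TOTP_STEP = 30  # seconds per TOTP time step (RFC 6238 default)

# Constructed sample user record. The TOTP seed is the RFC 6238 test-vector
# secret, so totp(seed, 59, digits=8) == "94287082" as in the RFC's table.
_SALT = b"constructed-per-user-salt"
USER = {
    "password_hash": hashlib.pbkdf2_hmac(
        "sha256", b"correct horse battery staple", _SALT, 100_000),
    "totp_seed": b"12345678901234567890",
}


def verify_password(candidate: str) -> bool:
    """Knowledge factor: constant-time comparison of a PBKDF2 digest."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), _SALT, 100_000)
    return hmac.compare_digest(digest, USER["password_hash"])


def totp(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", unix_time // TOTP_STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def verify_totp(candidate: str, unix_time: int, window: int = 1) -> bool:
    """Possession factor: accept the current step and +/- `window` steps of clock skew."""
    return any(
        hmac.compare_digest(totp(USER["totp_seed"], unix_time + d * TOTP_STEP), candidate)
        for d in range(-window, window + 1)
    )


def sca_authenticate(proofs, unix_time=None):
    """proofs: list of (category, value) pairs presented by the user.

    Every presented proof must verify, and the verified proofs must cover at
    least two distinct categories. Returns (ok, reason). Inherence is not
    verifiable here, so presenting it is reported as unsupported."""
    unix_time = int(time.time()) if unix_time is None else unix_time
    verifiers = {
        KNOWLEDGE: verify_password,
        POSSESSION: lambda value: verify_totp(value, unix_time),
    }
    categories = set()
    for category, value in proofs:
        check = verifiers.get(category)
        if check is None:
            return False, f"unsupported factor category: {category}"
        if not check(value):
            return False, f"{category} factor failed"
        categories.add(category)
    if len(categories) < 2:
        return False, f"only {len(categories)} independent category presented"
    return True, "SCA satisfied: " + ", ".join(sorted(categories))


if __name__ == "__main__":
    now = int(time.time())
    code = totp(USER["totp_seed"], now)  # what the user's authenticator app would show
    pw = "correct horse battery staple"
    print(sca_authenticate([(KNOWLEDGE, pw), (POSSESSION, code)], now))
    # Password presented twice: both verify, but it is still one category.
    print(sca_authenticate([(KNOWLEDGE, pw), (KNOWLEDGE, pw)], now))
```

The category set is what distinguishes this from plain MFA counting: a password plus a security question both verify, but `sca_authenticate` still rejects them because only one category is present. The skew window on the TOTP check is the usual operational concession to phone clocks; widening it beyond one step increases the attacker's guessing window, so keep it small.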

When Does SCA Apply?

Strong customer authentication applies when a user:

  • Accesses their payment account online;
  • Initiates an electronic payment transaction; or
  • Carries out any action through a remote channel, which may imply a risk of payment fraud or other abuses.

The regulation applies to electronic payments in which both parties are within the European Economic Area (EEA), which is made up of the 28 EU states, plus Iceland, Liechtenstein and Norway.

Strong customer authentication has well-defined exemptions based on risk, amount, frequency and payment channel. For example, it does not apply when a user merely views the balance and recent transactions of their accounts, provided no sensitive payment data is disclosed. Recurring transactions of the same amount to the same payee, such as utility payments, can also be exempt once the first in the series has been strongly authenticated, and so can payments to beneficiaries the user has saved as trusted, a list that is itself created under strong customer authentication.

An important exemption scenario covers electronic payments handled by payment service providers that maintain a particularly low fraud rate. The exempt amount depends directly on the provider’s fraud rate, reaching up to 500 euros for remote card-based payments when the provider demonstrates a fraud rate below 0.01 percent. That is an ambitious target, below the current average fraud rate in the Single Euro Payments Area (SEPA), and it should push the whole payment industry to raise its security.

A Good Opportunity for Online Commerce

This is a real technological revolution, and it could catch many organizations off guard and unprepared. Users who ignore the notices that banks are sending these days risk suddenly being unable to authenticate, leading to an avalanche of abandoned carts, the stuff of nightmares for online stores. On the other hand, PSD2 and SCA should attract more buyers as trust in electronic payments grows.

The regulatory technical standards start from the principle that remote electronic payments carry a higher risk of fraud. In fact, 73 percent of payment card fraud comes from remote transactions, online or by telephone, and more generally from card-not-present (CNP) payments, where the card is not physically presented at the time of payment. This is where strong customer authentication will deliver the most valuable results.

In light of this revolution, every player in the electronic payment system has an incentive to keep driving down its fraud rate, earn higher exemption thresholds and attract more customers through the perception of a safer way to pay.
