Rapid changes in the payments industry, the meteoric rise of e-commerce and the constant threat of fraud have led the European Union (EU) to update its Payment Services Directive (PSD), which has regulated the electronic payment services industry since 2007.

The EU’s new PSD2 directive (2015/2366/EU), a revision of the PSD, is about to take effect. One of the most relevant changes relates to the security of electronic payments through a new technical standard that regulates strong customer authentication (SCA), which will have tangible effects on how we execute electronic payment transactions, both through e-banking sites and online stores.

What Is Strong Customer Authentication?

Effective Sept. 14, 2019, users must confirm their identity through strong customer authentication during a transaction. Authentication occurs by combining two or more factors between elements categorized as knowledge (something only the user knows, such as a password or PIN), possession (something only the user possesses, such as a mobile device or app) and inherence (something the user is, such as a fingerprint, facial scan or other biometric feature). The authentication factors must be mutually independent so that the breach of one does not compromise the reliability of the others.

Payment systems already rely on multifactor authentication (MFA). In some online payments, the username and password are not enough, and the bank or credit card company sends an SMS containing a one-time password that you must re-enter to confirm a transaction. Strong customer authentication extends this mechanism with the most recent and safest user verification methods, such as biometrics or a mobile authentication app, carefully chosen based on frauds observed in the past.

When Does SCA Apply?

Strong customer authentication applies when a user:

  • Accesses their payment account online;
  • Initiates an electronic payment transaction; or
  • Carries out any action through a remote channel, which may imply a risk of payment fraud or other abuses.

The regulation applies to electronic payments in which both parties are within the European Economic Area (EEA), which is made up of the 28 EU states, plus Iceland, Liechtenstein and Norway.

Strong customer authentication has some well-defined exemptions based on risk, amount, periodicity and payment channel. For example, it does not apply when a user displays the account balance and recent transactions associated with their accounts, as long as sensitive payment data is not disclosed. However, recurring transactions of the same amount —such as for the payment of utilities — can be exempt from SCA, as long as payments to beneficiaries are saved as trustworthy and for which at least one strong authentication cycle has successfully occurred.

An important exemption scenario is around electronic payments managed by payment service providers that maintain a particularly low fraud rate. The amount of the exempt transaction depends directly on the institution’s fraud rate, reaching up to 500 euros in the case of electronic card-based payments where the payment service provider demonstrates a fraud rate of less than 0.01 percent. It is an ambitious goal, lower than the current average fraud rate in the Single Euro Payments Area (SEPA), which will undoubtedly lead to a virtuous acceleration of the security of the whole payment industry.

A Good Opportunity for Online Commerce

This is a real technological revolution, and it could catch many organizations off-guard and unprepared. Users who fail to heed the notices that all banks are providing these days risk finding themselves suddenly unable to authenticate, leading to an avalanche of cart abandonment. This is the stuff of nightmares for online stores. On the other hand, the PSD2 and SCA will attract an increasing number of buyers thanks to the growing trust in electronic payments.

One of the principles of the regulatory technical standards states that electronic remote payment transactions are subject to a higher risk of fraud. In fact, 73 percent of payment card fraud profits come from remote transactions, either online or via telephone, and, more generally, in card-not-present (CNP) payments, where the payment card is not physically shown at the time of the payment. It is in this area that strong customer authentication will bring the most valuable results.

In light of this revolution, it’s imperative for all the players in the electronic payment system to constantly improve their fraud rate, offer increasing thresholds of exemption and attract a growing number of customers due to the perception of a safer mode of transaction.

More from Banking & Finance

Cost of a data breach 2023: Financial industry impacts

3 min read - According to the IBM Cost of a Data Breach Report 2023, the global average cost of a data breach in 2023 was $4.45 million, 15% more than in 2020. In response, 51% of organizations plan to increase cybersecurity spending this year. For the financial industry, however, global statistics don’t tell the whole story. Finance firms lose approximately $5.9 million per data breach, 28% higher than the global average. In addition, evolving regulatory concerns play a role in how financial companies…

Gozi strikes again, targeting banks, cryptocurrency and more

3 min read - In the world of cybercrime, malware plays a prominent role. One such malware, Gozi, emerged in 2006 as Gozi CRM, also known as CRM or Papras. Initially offered as a crime-as-a-service (CaaS) platform called 76Service, Gozi quickly gained notoriety for its advanced capabilities. Over time, Gozi underwent a significant transformation and became associated with other malware strains, such as Ursnif (Snifula) and Vawtrak/Neverquest. Now, in a recent campaign, Gozi has set its sights on banks, financial services and cryptocurrency platforms,…

The rise of malicious Chrome extensions targeting Latin America

9 min read - This post was made possible through the research contributions provided by Amir Gendler and Michael  Gal. In its latest research, IBM Security Lab has observed a noticeable increase in campaigns related to malicious Chrome extensions, targeting  Latin America with a focus on financial institutions, booking sites, and instant messaging. This trend is particularly concerning considering Chrome is one of the most widely used web browsers globally, with a market share of over 80% using the Chromium engine. As such, malicious…

BlotchyQuasar: X-Force Hive0129 targeting financial institutions in LATAM with a custom banking trojan

16 min read - In late April through May 2023, IBM Security X-Force found several phishing emails leading to packed executable files delivering malware we have named BlotchyQuasar, likely developed by a group X-Force tracks as Hive0129. BlotchyQuasar is hardcoded to collect credentials from multiple Latin American-based banking applications and websites used within public and private environments. Similar operations conducted in late 2022 have also been noted delivering an earlier variant of this modified QuasarRAT by likely Spanish-speaking actors. BlotchyQuasar, which X-Force describes as…