HOME

TheInfoList



Click Here for Items Related To - strong customer authentication
OR:
strong customer authentication on:   [Wikipedia]   [Google]   [Amazon]

Strong customer authentication (SCA) is a requirement of the EU Revised Directive on Payment Services (PSD2) on
payment service provider A payment service provider (PSP) is a third-party company that allows businesses to accept electronic payments, such as credit card and debit card payments. PSPs act as intermediaries between those who make payments, i.e. consumers, and those who ...
s within the
European Economic Area The European Economic Area (EEA) was established via the ''Agreement on the European Economic Area'', an international agreement which enables the extension of the European Union's single market to member states of the European Free Trade Asso ...
. The requirement ensures that electronic payments are performed with
multi-factor authentication Multi-factor authentication (MFA; two-factor authentication, or 2FA) is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more distinct types of evidence ...
, to increase the security of electronic payments. Physical card transactions already commonly have what could be termed strong customer authentication in the EU ( Chip and PIN), but this has not generally been true for Internet transactions across the EU prior to the implementation of the requirement, and many contactless card payments do not use a second authentication factor. The SCA requirement came into force on 14 September 2019. However, with the approval of the European Banking Authority, several EEA countries have announced that their implementation will be temporarily delayed or phased, with a final deadline set for 31 December 2020.


Requirement

Article 97(1) of the directive requires that payment service providers use strong customer authentication where a payer:
(a) accesses its payment account online;
(b) initiates an electronic payment transaction;
(c) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.
Article 4(30) defines "strong customer authentication" itself (as multi-factor authentication):
an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data


Implementation

The European Banking Authority published an opinion on what approaches could constitute different "elements" of SCA. 3-D Secure 2.0 can (but does not always) meet the requirements of SCA. 3-D Secure has implementations by Mastercard (Mastercard Identity Check) and Visa which are marketed as enabling SCA compliance. E-commerce merchants must update the payment flows in their websites and apps to support authentication. If authentication is not supported, many payments will be declined once SCA is fully implemented.


History

On 31 January 2013, the
European Central Bank The European Central Bank (ECB) is the central component of the Eurosystem and the European System of Central Banks (ESCB) as well as one of seven institutions of the European Union. It is one of the world's Big Four (banking)#International ...
(ECB) issued recommendations on Internet payment security, requiring strong customer authentication. The ECB's requirements are technologically neutral, in order to foster innovation and competition. The public submission process to the ECB identified three solutions to strong customer authentication, two of which are based on reliance authentication, and the other being the new variant of 3-D Secure which incorporates
one-time password A one-time password (OTP), also known as a one-time PIN, one-time passcode, one-time authorization code (OTAC) or dynamic password, is a password that is valid for only one login session or transaction, on a computer system or other digital dev ...
s. Subsequently, the European Commission drafted proposals for an updated Payment Services Directive including this requirement, which became PSD2. PSD2 strong customer authentication has been a legal requirement for electronic payments and credit cards since 14 September 2019.


Criticism

In 2016, Visa criticised the proposal of making strong customer authentication mandatory, on the grounds that it could make
online payment An e-commerce payment system (or an electronic payment system) facilitates the acceptance of electronic payment for offline transfer, also known as a subcomponent of electronic data interchange (EDI), e-commerce payment systems have become increa ...
s more difficult, and thus hurt sales at online retailers. In 2019, consumer representation group
Which? ''Which?'' is a United Kingdom brand name that promotes informed consumer choice in the purchase of goods and services by testing products, highlighting inferior products or services, raising awareness of consumer rights, and offering indepen ...
noted that many UK banks were implementing SCA by requiring a phone capable of receiving a
text message Text messaging, or texting, is the act of composing and sending electronic messages, typically consisting of alphabetic and numeric characters, between two or more users of mobile phones, tablet computers, smartwatches, desktop computer, des ...
or push notification. When surveyed, nearly one in five Which? members were concerned that they may be unable to make payments if there was no alternative, either due to poor reception or not owning a phone. In 2020, an independent report conducted by consultancy firm CMSPI found that the potential disruption caused by strong customer authentication (excluding the United Kingdom) could be €108 billion in 2021.


Outside Europe

The
Reserve Bank of India Reserve Bank of India, abbreviated as RBI, is the central bank of the Republic of India, and regulatory body responsible for regulation of the Indian banking system and Indian rupee, Indian currency. Owned by the Ministry of Finance (India), Min ...
has mandated an "additional factor of authentication" for card-not-present transactions. A proposal to make 3-D Secure mandatory in Australia was blocked by the
Australian Competition & Consumer Commission The Australian Competition and Consumer Commission (ACCC) is the chief competition regulator of the Government of Australia, located within the Department of the Treasury. It was established in 1995 with the amalgamation of the Australian Tra ...
in 2016 after objections.ACCC proposes to deny authorisation to APCA for 3D secure arrangements
Australian Competition & Consumer Commission The Australian Competition and Consumer Commission (ACCC) is the chief competition regulator of the Government of Australia, located within the Department of the Treasury. It was established in 1995 with the amalgamation of the Australian Tra ...
20 May 2016


See also

* 3D Secure


References

Payment systems Banking in the European Union European Economic Area Authentication methods