Strong customer authentication (SCA) is a requirement of the EU
Revised Directive on Payment Services (PSD2) on
payment service providers within the
European Economic Area. The requirement ensures that electronic payments are performed with
multi-factor authentication, to increase the security of electronic payments.
Physical card transactions already commonly have what could be termed strong customer authentication in the EU (
Chip and PIN), but this has not generally been true for Internet transactions across the EU prior to the implementation of the requirement,
and many contactless card payments do not use a second authentication factor.
The SCA requirement came into force on 14 September 2019. However, with the approval of the
European Banking Authority,
several EEA countries have announced that their implementation will be temporarily delayed or phased, with a final deadline set for 31 December 2020.
Requirement
Article 97(1) of the directive requires that payment service providers use strong customer authentication where a payer:
(a) accesses its payment account online;
(b) initiates an electronic payment transaction;
(c) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.
Article 4(30) defines "strong customer authentication" itself (as multi-factor authentication):
an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data
Implementation
The
European Banking Authority published an opinion on what approaches could constitute different "elements" of SCA.
2.0 can (but does not always
) meet the requirements of SCA. 3-D Secure has implementations by
Mastercard (Mastercard Identity Check) and
Visa
Visa most commonly refers to:
*Visa Inc., a US multinational financial and payment cards company
** Visa Debit card issued by the above company
** Visa Electron, a debit card
** Visa Plus, an interbank network
*Travel visa, a document that allows ...
which are marketed as enabling SCA compliance.
E-commerce merchants must update the payment flows in their websites and apps to support authentication.
If authentication is not supported, many payments will be declined once SCA is fully implemented.
History
On 31 January 2013, the
European Central Bank (ECB) issued recommendations on Internet payment security, requiring strong customer authentication. The ECB's requirements are technologically neutral, in order to foster innovation and competition. The public submission process to the ECB identified three solutions to strong customer authentication, two of which are based on
reliance authentication
Reliance authentication is a part of the trust-based identity attribution process whereby a second entity relies upon the authentication processes put in place by a first entity. The second entity creates a further element that is unique and speci ...
, and the other being the new variant of
3-D Secure which incorporates
one-time passwords.
Subsequently, the European Commission drafted proposals for an updated Payment Services Directive including this requirement, which became PSD2.
PSD2 strong customer authentication has been a legal requirement for electronic payments and credit cards since 14 September 2019.
Criticism
In 2016,
Visa
Visa most commonly refers to:
*Visa Inc., a US multinational financial and payment cards company
** Visa Debit card issued by the above company
** Visa Electron, a debit card
** Visa Plus, an interbank network
*Travel visa, a document that allows ...
criticised the proposal of making strong customer authentication mandatory, on the grounds that it could make online payments more difficult, and thus hurt sales at online retailers.
In 2019, consumer representation group
Which? noted that many UK banks were implementing SCA by requiring a phone capable of receiving a
text message or
push notification
Push technology or server push is a style of Internet-based communication where the request for a given transaction is initiated by the publisher or central server. It is contrasted with pull/get, where the request for the transmission of informa ...
. When surveyed, nearly one in five Which? members were concerned that they may be unable to make payments if there was no alternative, either due to poor reception or not owning a phone.
In 2020, an independent report conducted by consultancy firm CMSPI found that the potential disruption caused by strong customer authentication (excluding the United Kingdom) could be €108 billion in 2021.
Outside Europe
The
Reserve Bank of India has mandated an "additional factor of authentication" for card-not-present transactions.
A proposal to make 3-D Secure mandatory in Australia was blocked by the
Australian Competition and Consumer Commission
The Australian Competition and Consumer Commission (ACCC) is the chief competition regulator of the Government of Australia, located within the Department of the Treasury. It was established in 1995 with the amalgamation of the Australian Tra ...
(ACCC) after objections.
[{{cite web, url=https://www.timebase.com.au/news/2016/AT196-article.html , title=ACCC Releases Draft Determination Against Mandated Use Of 3D icSecure For Online Payments, date=23 May 2016, accessdate=2019-09-07]
See also
*
3D Secure
3-D Secure is a protocol designed to be an additional security layer for online credit and debit card transactions. The name refers to the "three domains" which interact using the protocol: the merchant/acquirer domain, the issuer domain, and th ...
References
Payment systems
Banking in the European Union
European Economic Area
Authentication methods