Strong customer authentication (SCA) is a requirement of the EU Revised Directive on Payment Services (PSD2) on payment service providers within the European Economic Area (EEA). The requirement ensures that electronic payments are performed with multi-factor authentication, to increase the security of electronic payments. Physical card transactions already commonly have what could be termed strong customer authentication in the EU (Chip and PIN), but this has not generally been true for Internet transactions across the EU prior to the implementation of the requirement, and many contactless card payments do not use a second authentication factor. The SCA requirement came into force on 14 September 2019. However, with the approval of the European Banking Authority, several EEA countries have announced that their implementation will be temporarily delayed or phased, with a final deadline set for 31 December 2020.


Requirement

Article 97(1) of the directive requires that payment service providers use strong customer authentication where a payer:
(a) accesses its payment account online;
(b) initiates an electronic payment transaction;
(c) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.
Article 4(30) defines "strong customer authentication" itself (as multi-factor authentication):
an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data
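As an added example that is not part of the original article, the following Python models the Article 4(30) definition: it checks that the presented elements span two or more categories and, under a simplifying assumption of our own (two elements are independent only if they sit in different "trust domains"), that at least one pair of elements from different categories is independent. The element names and trust domains are constructed sample values.

```python
# Added example, not from the article: evaluate whether a set of authentication
# elements meets the PSD2 Article 4(30) definition of strong customer authentication.
from dataclasses import dataclass
from itertools import combinations

CATEGORIES = {"knowledge", "possession", "inherence"}


@dataclass(frozen=True)
class Element:
    name: str
    category: str      # one of CATEGORIES
    trust_domain: str  # assumption: the thing an attacker must breach to defeat it


def evaluate_sca(elements):
    """Return (satisfied, reasons) for Article 4(30): two or more elements from
    different categories that are independent, i.e. the breach of one must not
    compromise the others. Independence is modelled here (our simplification,
    not the directive's wording) as "the two elements have different trust domains"."""
    for e in elements:
        if e.category not in CATEGORIES:
            raise ValueError(f"{e.name}: unknown category {e.category!r}")
    reasons = []
    if len({e.category for e in elements}) < 2:
        reasons.append("all elements fall into a single category")
    # Elements of different categories sharing one trust domain are flagged: a
    # compromise of that domain captures both at once, so they are not independent.
    for a, b in combinations(elements, 2):
        if a.category != b.category and a.trust_domain == b.trust_domain:
            reasons.append(f"{a.name} and {b.name} both depend on {a.trust_domain!r}")
    independent_pair = any(
        a.category != b.category and a.trust_domain != b.trust_domain
        for a, b in combinations(elements, 2)
    )
    if not independent_pair:
        reasons.append("no pair of independent elements from different categories")
    return independent_pair, reasons


if __name__ == "__main__":
    # Constructed sample flows (not from the article).
    password = Element("password", "knowledge", "user memory")
    question = Element("security question", "knowledge", "user memory")
    sms_otp = Element("SMS one-time code", "possession", "phone")
    app_pin = Element("banking app PIN typed on phone", "knowledge", "phone")
    push = Element("push approval in banking app", "possession", "phone")
    for flow in ([password, sms_otp], [password, question], [app_pin, push]):
        ok, why = evaluate_sca(flow)
        print([e.name for e in flow], "->", "SCA" if ok else "not SCA", why)
```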


Implementation

The European Banking Authority published an opinion on what approaches could constitute different "elements" of SCA. 3-D Secure 2.0 can (but does not always) meet the requirements of SCA. 3-D Secure has implementations by Mastercard (Mastercard Identity Check) and Visa which are marketed as enabling SCA compliance. E-commerce merchants must update the payment flows in their websites and apps to support authentication. If authentication is not supported, many payments will be declined once SCA is fully implemented.


History

On 31 January 2013, the European Central Bank (ECB) issued recommendations on Internet payment security, requiring strong customer authentication. The ECB's requirements are technologically neutral, in order to foster innovation and competition. The public submission process to the ECB identified three solutions to strong customer authentication, two of which are based on reliance authentication, and the other being the new variant of 3-D Secure which incorporates one-time passwords. Subsequently, the European Commission drafted proposals for an updated Payment Services Directive including this requirement, which became PSD2. PSD2 strong customer authentication has been a legal requirement for electronic payments and credit cards since 14 September 2019.


Criticism

In 2016, Visa criticised the proposal of making strong customer authentication mandatory, on the grounds that it could make online payments more difficult, and thus hurt sales at online retailers. In 2019, consumer representation group Which? noted that many UK banks were implementing SCA by requiring a phone capable of receiving a text message or push notification. When surveyed, nearly one in five Which? members were concerned that they may be unable to make payments if there was no alternative, either due to poor reception or not owning a phone. In 2020, an independent report conducted by consultancy firm CMSPI found that the potential disruption caused by strong customer authentication (excluding the United Kingdom) could be €108 billion in 2021.


Outside Europe

The Reserve Bank of India has mandated an "additional factor of authentication" for card-not-present transactions. A proposal to make 3-D Secure mandatory in Australia was blocked by the Australian Competition and Consumer Commission (ACCC) after objections.[1]


See also

* 3-D Secure


References

1. "ACCC Releases Draft Determination Against Mandated Use Of 3D Secure For Online Payments", TimeBase, 23 May 2016, https://www.timebase.com.au/news/2016/AT196-article.html (retrieved 7 September 2019).