Strong Customer Authentication for PSD2 in the EU: Elements for success
By William Dudley (https://www.the-future-of-commerce.com/contributor/william-dudley/)
Published 10 May 2018, updated 17 July 2024
https://www.the-future-of-commerce.com/2018/05/10/strong-customer-authentication-for-psd2/
Keywords: Authentication, Banking, Banking Industry, Data Privacy, GDPR, PSD2

This is the first of a three-part series of posts detailing the EU's PSD2 Strong Customer Authentication (SCA).

PSD2 (the Second Payment Services Directive, Directive (EU) 2015/2366) was adopted by the European Parliament and the Council and published in the Official Journal at the end of 2015. The European Banking Authority (EBA) was mandated to draft the Regulatory Technical Standards (RTS) that spell out its security requirements. Member states had until 13 January 2018 to transpose the directive into national law. It has implications for all banks, payment service providers, fintechs and online merchants throughout the EU.

There are three key purposes of PSD2:
- To open new market opportunities for a variety of players such as online merchants, while levelling the playing field for all key stakeholders
- To provide consumer transparency and consumer choice
- To introduce new and more robust security practices for online payments

Of these, the one we will focus on in this and two further articles is the last: new and more robust security practices for online payments. Specifically, this is Strong Customer Authentication (SCA).

The EBA notes: "Thanks to PSD2 consumers will be better protected when they make electronic payments or transactions (such as using their online banking or buying online). The Regulatory Technical Standard (RTS) makes strong customer authentication (SCA) the basis for accessing one's payment account, as well as for making payments online." While most of PSD2 has applied since January 2018, the RTS on SCA (Commission Delegated Regulation (EU) 2018/389) apply from 14 September 2019.

SCA's guiding principle is that customers (individual consumers and businesses alike) are protected by an increased level of security when using electronic payments. Under Article 97 of PSD2 a payment service provider must apply SCA when the payer:
- accesses their payment account online
- initiates an electronic payment transaction (online or mobile)
- carries out any action through a remote channel which may imply a risk of payment fraud or other abuse

The RTS then allow a number of exemptions from SCA:
- Remote (for example online card) payments of up to €30, except:
  - when the cumulative amount of exempt payments since the last SCA reaches €100, or
  - when five exempt payments have been made since the last SCA
- Contactless card payments at the point of sale of up to €50, except:
  - when the cumulative amount of exempt contactless payments since the last SCA reaches €150, or
  - when five exempt contactless payments have been made since the last SCA
- Payments at unattended terminals for transport fares and parking fees (a metro ticket machine, a car park barrier)
- Payments to a trusted beneficiary: a payee the payer has placed on a whitelist held by their own payment service provider. Creating or amending that list itself requires SCA; once a payee is on it, payments to them are exempt whether they are card based or credit transfers
- Corporate payments made through dedicated payment processes and protocols, where the national competent authority is satisfied that those processes achieve a level of security equivalent to SCA
- Viewing an online payment account (the balance and the last 90 days of transactions, without sensitive payment data), except:
  - the first time the account is consulted, and
  - whenever more than 90 days have passed since SCA was last applied
- Transaction risk analysis: when the payment service provider's fraud rate for that type of transaction is at or below the reference fraud rate for the amount band set out in the Annex to the RTS (the bands run up to €500)

Exemptions are optional. The payer's payment service provider (for card payments, the issuer) decides whether to apply one; a merchant and its acquirer can request an exemption but cannot grant it, and the party that chose not to apply SCA bears the loss if the transaction proves unauthorised. Each implementer therefore has to weigh the friction of an SCA challenge against the fraud exposure of skipping it.

At its core, SCA requires at least two-factor authentication (2FA). Two-factor authentication means the user proves their identity with two of three independent elements:
- Something they know (a PIN or password)
- Something they possess (a mobile device, a card, a hardware token)
- Something they are (a fingerprint or face scan, i.e. biometrics)

The RTS add that the elements must be independent: compromising one (say, the password) must not compromise the other (say, the device).

Fortunately, a wide variety of 2FA mechanisms that consumers already accept can be applied to SCA, such as one-time codes delivered over SMS or another channel. A practitioner's caveat: a code sent over SMS is a possession element only as far as the phone number itself is secure, and SIM swap and real-time phishing relays are well-documented ways of defeating it, so it is the weakest of the common choices.

Another fortunate fact is that the EBA does not prescribe how SCA (or 2FA under SCA) is to be implemented. The international law firm Taylor Wessing, in its paper "Strong customer authentication under PSD2", notes that "the EBA agreed with the majority of respondents to the Consultation Paper that, in order to ensure technology neutrality and allow for the development of user-friendly, accessible and innovative means of payment, it should not define the authentication elements further."

In part 2 of this series we will go deeper into the limitations and specific rules that SCA implementers must consider: details around authentication codes, dynamic linking of transactions, and channel independence.
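The exemption rules above are a stateful decision, not a lookup: whether a €20 payment needs SCA depends on what the payer has done since SCA was last performed. The following Python evaluator is an added example written for this page; it is not code from the original post or from any payment service provider. It takes the thresholds from the exemptions listed above (€30/€100/5 for remote, €50/€150/5 for contactless, 90 days for account access) and uses the reading of the text under which breaching either the cumulative-amount limit or the count limit ends the exemption, and once five exempt payments have been made the next one needs SCA. Those counter semantics and the channel names are assumptions of the example; an issuer would confirm its own reading against the RTS text and keep these counters server-side per payer, never on the client.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from decimal import Decimal
from typing import Dict, List, Optional, Tuple

# Thresholds as stated in the post (RTS Art. 16 low-value remote, Art. 11 contactless,
# Art. 10 account access). A PSP would load these from configuration, not hard-code them.
LIMITS = {
    "remote":      {"single": Decimal("30"), "cumulative": Decimal("100"), "count": 5},
    "contactless": {"single": Decimal("50"), "cumulative": Decimal("150"), "count": 5},
}
ACCOUNT_ACCESS_WINDOW = timedelta(days=90)


@dataclass
class PayerState:
    """Per-payer counters kept by the payer's PSP. Both counters for a channel are reset
    to zero whenever SCA is actually performed on that channel."""
    cumulative: Dict[str, Decimal] = field(
        default_factory=lambda: {"remote": Decimal("0"), "contactless": Decimal("0")})
    count: Dict[str, int] = field(default_factory=lambda: {"remote": 0, "contactless": 0})
    last_account_sca: Optional[datetime] = None


def sca_required_for_payment(state: PayerState, channel: str, amount: Decimal) -> Tuple[bool, str]:
    """Decide whether SCA must be applied to one payment on 'remote' or 'contactless'.
    Reading assumed by this example: breaching either the cumulative-amount limit or the
    count limit ends the exemption, and the current payment counts towards the cumulative."""
    lim = LIMITS[channel]
    if amount > lim["single"]:
        return True, "amount above per-transaction limit"
    if state.cumulative[channel] + amount > lim["cumulative"]:
        return True, "cumulative amount since last SCA would exceed limit"
    if state.count[channel] >= lim["count"]:
        # Interpretation used here: once five exempt payments have been made, the next needs SCA.
        return True, "five exempt payments already made since last SCA"
    return False, "low-value exemption applies"


def process_payment(state: PayerState, channel: str, amount: Decimal) -> Tuple[bool, str]:
    """Evaluate one payment and update the counters. Assumes that when SCA is required it
    is performed successfully, which is what resets the counters."""
    required, reason = sca_required_for_payment(state, channel, amount)
    if required:
        state.cumulative[channel] = Decimal("0")
        state.count[channel] = 0
    else:
        state.cumulative[channel] += amount
        state.count[channel] += 1
    return required, reason


def process_account_access(state: PayerState, now: datetime) -> Tuple[bool, str]:
    """Account-access rule: SCA on the first online consultation and whenever more than
    90 days have passed since SCA was last applied for account access."""
    if state.last_account_sca is None:
        required, reason = True, "first access to the account online"
    elif now - state.last_account_sca > ACCOUNT_ACCESS_WINDOW:
        required, reason = True, "more than 90 days since last SCA"
    else:
        required, reason = False, "within 90-day window"
    if required:
        state.last_account_sca = now
    return required, reason


def run_constructed_sequence() -> Dict[str, List[bool]]:
    """Constructed sample input (not real data): replays a few payer sessions and returns
    which steps required SCA, so the counter resets can be seen."""
    out = {}
    s = PayerState()
    # Six remote payments of EUR 20: the sixth pushes the cumulative total past EUR 100.
    out["remote_cumulative"] = [process_payment(s, "remote", Decimal("20"))[0] for _ in range(6)]
    # After that SCA the counters are fresh, so the next small payment is exempt again.
    out["remote_after_reset"] = [process_payment(s, "remote", Decimal("25"))[0]]
    s = PayerState()
    # Seven remote payments of EUR 5: the amount never bites, the count limit does on the sixth.
    out["remote_count"] = [process_payment(s, "remote", Decimal("5"))[0] for _ in range(7)]
    s = PayerState()
    # Contactless: EUR 45 is exempt, EUR 60 is above the EUR 50 per-transaction limit.
    out["contactless"] = [process_payment(s, "contactless", Decimal(a))[0] for a in ("45", "60")]
    s = PayerState()
    t0 = datetime(2019, 9, 14)
    out["account_access"] = [process_account_access(s, t)[0]
                             for t in (t0, t0 + timedelta(days=1), t0 + timedelta(days=91))]
    return out


if __name__ == "__main__":
    for name, flags in run_constructed_sequence().items():
        print(f"{name:20s} {''.join('S' if f else '.' for f in flags)}")
```

Running the block prints one row per session with S marking the steps that required SCA; the point to notice is that a challenge resets the counters, so the first payment after an SCA is exempt again even when the previous run of exempt payments had just been exhausted. Because the counters are the whole basis of the exemption, they must live with the issuer and be updated only on a confirmed SCA result, not on the merchant's say-so.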