PSD2: Understanding Strong Customer Authentication

July 26, 2019


PSD2: Get Set for Strong Customer Authentication
PSD2 has changed the landscape of banking forever – breaking the monopoly that banks have traditionally held over their customers’ account data. Good consumer news indeed, but for businesses, legislative changes on this scale invariably pose many a problem.
PSD2 also brings into effect new processes for transaction security.
In this blog, we’re going to step through Strong Customer Authentication (SCA) – deciphering what it is, how it must be prepared for and whether an exemption may apply to your business.

Strong Customer Authentication (SCA)
SCA is making online payments more secure, with additional transaction checks undertaken at the checkout stage.
Before PSD2, customers would simply tap in their card number along with their CVC verification number. Now, however, more information is taken before the transaction can be authorised.
For many years, this has been in the form of something called 3D Secure 1.0, which sent customers to a new page to type in a code. Now its successor, 3D Secure 2.0, has arrived, which has significantly improved the customer experience.

SCA – Beyond the outmoded password
SCA goes far beyond simply requiring a single password, instead involving two or more of the following details…

Something you know   Something you own   Something you are
------------------   -----------------   -----------------
Password             Mobile phone        Fingerprint
Passphrase           Wearable device     Facial features
PIN                  Smart card          Voice patterns
Sequence             Token               Iris format
Secret fact          Badge               DNA signature

No longer will transactions rely on verifying a purchase exclusively through ‘something you know’; instead, they can be authenticated using ‘two-step authentication’, for example by combining ‘something you own’ with ‘something you are’: a smartwatch with a fingerprint, a smartphone with an eye scan, and so on.
Clearly, this is a big leap in terms of security, compared to the previous solution of a single static password.

SCA exemptions
There are several exemptions for PSD2 that you need to know about, as summarised below…
• Low value and low risk transactions – Transactions under €30 will be exempt; however, if the total of transactions over one 24-hour period exceeds €100, SCA will be required.
• Whitelisted merchants – Customers will have the freedom of adding trusted payment recipients to a whitelist, which will be ‘remembered’ by their bank – this will save the customer the hassle of SCA every time they check out with a business they use regularly.
• Subscription/recurring transactions – For recurring transactions, only the first transaction will require SCA.
• Corporate cards – Corporate cards are completely exempt from SCA.
• Mail Order and Telephone Orders (MOTO) transactions – MOTO transactions are also completely exempt from SCA.
• Cross-regional transactions – Transactions where the issuer and the acquirer are not both based in Europe are also exempt.
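As an added example (not code from the original post or from any payment provider), the exemptions listed above can be encoded as a single decision function and run over a constructed day of card transactions. It follows the post's wording, treating the €100 cap as a rolling 24-hour total of all the card's transactions; the field names, reason strings and merchant names are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

LOW_VALUE_LIMIT_EUR = 30.0    # per-transaction threshold given in the post
CUMULATIVE_LIMIT_EUR = 100.0  # 24-hour cumulative cap given in the post
WINDOW = timedelta(hours=24)
# Exemptions that are a property of the transaction itself, checked in this order.
FLAG_EXEMPTIONS = ("moto", "corporate_card", "recurring_followup", "one_leg_out")

@dataclass
class Transaction:
    amount_eur: float
    when: datetime
    merchant: str
    flags: frozenset = frozenset()  # any subset of FLAG_EXEMPTIONS

def sca_required(tx, history, whitelist):
    """Apply the post's exemptions to tx, given the card's earlier transactions and the merchants the customer whitelisted at their bank; returns (required, reason)."""
    for flag in FLAG_EXEMPTIONS:
        if flag in tx.flags:
            return False, flag
    if tx.merchant in whitelist:
        return False, "whitelisted_merchant"
    if tx.amount_eur < LOW_VALUE_LIMIT_EUR:
        # Low value alone is not enough: the rolling 24-hour total must also stay within the cap.
        recent = sum(t.amount_eur for t in history if tx.when - t.when < WINDOW)
        if recent + tx.amount_eur <= CUMULATIVE_LIMIT_EUR:
            return False, "low_value"
        return True, "cumulative_limit_exceeded"
    return True, "above_low_value_threshold"

def decide_batch(transactions, whitelist=frozenset()):
    """Decide a card's transactions in time order, carrying history forward; returns the reasons."""
    history, reasons = [], []
    for tx in sorted(transactions, key=lambda t: t.when):
        reasons.append(sca_required(tx, history, whitelist)[1])
        history.append(tx)
    return reasons

# Constructed sample (not real data): one card over two days, in chronological order.
T0 = datetime(2019, 9, 14, 9, 0)
SAMPLE = [
    Transaction(29, T0, "coffee-shop"),                                # low value, total 29
    Transaction(45, T0 + timedelta(hours=1), "online-store"),          # at/above €30: SCA
    Transaction(29, T0 + timedelta(hours=2), "coffee-shop"),           # 24h total 103: SCA
    Transaction(29, T0 + timedelta(hours=30), "coffee-shop"),          # window rolled over
    Transaction(50, T0 + timedelta(hours=31), "grocer"),               # whitelisted merchant
    Transaction(200, T0 + timedelta(hours=32), "call-centre", frozenset({"moto"})),
]
```

Run `decide_batch(SAMPLE, {"grocer"})` to see the reason each transaction is or is not exempt.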

There’s no getting around the fact that PSD2 has posed, and continues to pose, an array of challenges, but undoubtedly it represents a huge step forward for payment security and smoother processes for consumers.