What exactly are PSD2 and SCA? Why does it matter? Find out the most important facts and tips from Maciej Michalczak, CISSP, Information Security Specialist at Conotoxia.com, a company that is subject to the new directive.

The European Union has introduced a new directive known as PSD2 (Payment Services Directive). This mandatory legal action will affect the whole EU payment industry by introducing new regulations and significantly strengthening the safety regimes of payment services. One of the requirements is SCA (strong customer authentication) directly affecting the customer authentication process, handled by payment services. Statistics show that the number of fraud cases related to online payments is rapidly growing each year. Enter PSD2. The new directive is designed to keep customers of online shopping protected while revolutionising the payments industry.

Why do business owners need PSD2?

There are many ways to combat fraud and reduce the number of fraudulent transactions. Some sophisticated methods include a combination of artificial intelligence (AI) and machine learning (ML). However, simpler approaches are available for smaller companies, such as reliable authentication – the verification of a user with dependable sources.

One of the changes included in PSD2 is the necessity for payment service providers (PSPs) to introduce SCA (strong customer authentication) for its customers who utilize online payments. The main goal of SCA is to ensure your company accurately verifies its users.

What exactly does SCA mean for my business?

SCA increases the security of payments transactions, reinforces customer authentication, forces the implementation of a strict regime for PSPs in order to ensure better protection of the privacy of your customer’s data and the integrity of the whole payments process. It should not be possible for anyone including hackers to change the sender, amount or recipient of a transaction.

The European Central Bank (ECB) defines this security-related feature as a combination of at least two out of three mutually-independent factors, these are categorised as knowledge, possession and biometrics. PIN and passwords are examples of the knowledge factor, payment cards and mobile phones represent possession, and for biometrics, we have fingerprints, iris, voice, etc.

It is also required that the compromise of one of the factors mentioned above should not jeopardize the reliability of the others. Additionally, the method of authentication must utilize one non-reusable element and one non-replicable (except for biometrics), which cannot be easily reproduced or stolen from the internet.

The design and implementation of SCA mechanisms must ensure the security of the elements used for verification. Knowledge factors have to be protected in order to prevent them from getting into unauthorised hands and possession factors against easy replication. In the case of biometric factors, the ECB requires that devices and software provided to the payer which obtain data must ensure a low level of “likelihood” and “resistance”. Likelihood relating to the chance of a third party obtaining the data and “being authenticated as the legitimate payment service user” and “resistance against unauthorized use of the elements”.

One example of a company that has been integrating SCA is Conotoxia.com. It is an online financial platform that offers a variety of services including payments, currency exchange, money transfers and Forex trading. The new method of customer authentication is unavoidable and will result in increased client security.

Are there any requirements and drawbacks that could affect your business?

SCA is necessary when users of a payments service access their payment accounts online, initiate electronic payment transactions and perform any activities that could be at risk of fraud. From the perspective of your company as a payment service provider, online payments that are successfully authorized by customers using strong authentication are safer and much less likely to be fraudulent. The responsibility of disputes then shifts from your company to the issuer of the particular payment method.

There is only one major drawback of implementing this mechanism, there can be a discrepancy in user experience as additional steps must be taken during the payment process. This can be undoubtedly challenging for businesses. PSD2 is a crucial step towards combating payment fraud, however, it is really important for us to seamlessly make these changes from our customers point of view.

It is expected that payment service providers will accept and introduce the SCA before 14 September 2019.