What is Strong Customer Authentication (SCA)?
Published 29th July, 2019 by Stuart
How safe are your online transactions? Well, safer than they used to be.
Since January 2018, when the new EU Payment Services Directive (PSD2) implemented new legislation to protect you when you’re shopping online, you’ve been far safer from online fraud than you once were. A key factor of the new online safety measures is the introduction of Strong Customer Authentication, or SCA, which will be mandatory throughout the European Economic Area from the 14th September. But what does SCA actually mean for you?
When does Strong Customer Authentication apply?
Strong Customer Authentication is applicable to all online ‘customer-initiated’ transactions within Europe, for instance:
- Accessing your bank account online
- Making an online payment
- Using a platform at high risk of payment fraud or other data breaches
Direct Debits and other payments made without you present are known as “merchant-initiated transactions (MIT)” and don’t require SCA. Card payments made in person aren’t affected by SCA either, as chip and PIN payments are already considered to be protected by Strong Customer Authentication.
Security processes can sometimes feel like a bit of a rigmarole if you need to make a quick money transfer when you’re out and about without your card-reader, but in reality your vulnerability to online fraud decreases significantly. It’s important not to fall prey to convenience over security, especially when it comes to your money.
The SCA requirements mean all electronic payments over the value of €30/£30 must be verified by multi-factor authentication. Merchants must validate two or more independent sources of identity verification during the payment stage of an online transaction. This is also known as ‘two-factor authentication’, essentially meaning customers will have to pass through a double-locked door.
The sources of validation that can be requested for SCA are knowledge of a password or ‘secret answer’, possession of a mobile device or card reader, and inherence of identity, such as facial or fingerprint recognition. It’s important that these factors are independent of each other, to ensure that the compromise of one does not affect the security of the others.
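To make the rules above concrete, here is an added example (not code from this article or from any payment provider) that models them as a simplified check. The class, function and label names are hypothetical, and it counts distinct factor categories only; it does not model whether the underlying devices are truly independent.

```python
from __future__ import annotations
from dataclasses import dataclass
from decimal import Decimal

CATEGORIES = {"knowledge", "possession", "inherence"}  # the three named above
SCA_THRESHOLD = Decimal("30")  # payments over EUR 30 / GBP 30, as stated above


@dataclass(frozen=True)
class Transaction:
    kind: str           # "payment" or "account_access" (hypothetical labels)
    amount: Decimal     # ignored for account_access
    initiated_by: str   # "customer", or "merchant" for MIT such as Direct Debit
    card_present: bool  # True for an in-person chip and PIN payment


def sca_required(tx: Transaction) -> bool:
    """Apply the scope rules described above to one transaction."""
    if tx.initiated_by != "customer" or tx.card_present:
        return False  # MIT and in-person card payments get no extra online step
    if tx.kind == "account_access":
        return True
    return tx.amount > SCA_THRESHOLD  # strictly over the threshold


def sca_satisfied(factors: list[tuple[str, str]]) -> bool:
    """factors: (category, method) pairs that were successfully verified."""
    seen = set()
    for category, _method in factors:
        if category not in CATEGORIES:
            raise ValueError(f"unknown factor category: {category}")
        seen.add(category)
    # A password plus a secret answer are both knowledge, so they count once.
    return len(seen) >= 2


def authorise(tx: Transaction, factors: list[tuple[str, str]]) -> str:
    """Return "allow", or "step-up" when another factor must be requested."""
    if not sca_required(tx):
        return "allow"
    return "allow" if sca_satisfied(factors) else "step-up"


if __name__ == "__main__":
    tx = Transaction("payment", Decimal("45.00"), "customer", False)  # constructed
    print(authorise(tx, [("knowledge", "password"), ("knowledge", "secret answer")]))
    print(authorise(tx, [("knowledge", "password"), ("possession", "mobile device")]))
```

The case worth noticing is the first one printed: two checks from the same category do not add up to two factors.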
3D Secure 2
If you’re a regular online shopper, you’re likely to be familiar with 3D Secure, the secure authentication software for online payments. One of the key developments in online security prompted by the new PSD2 regulations is 3D Secure mark 2. The new version of the software is rolling out through 2019, and once it’s introduced it’ll be the main method for authenticating online card payments and meeting the new SCA requirements. It facilitates a less disruptive authentication process and a better user experience overall by sending information such as your device ID or previous transaction history to your bank when you approve a payment. This allows your bank to make an informed choice when assessing the level of risk of a transaction and to respond appropriately.