Strong customer authentication (SCA) is a European regulatory requirement intended to reduce fraud and make online and contactless payments more secure. SCA was integrated into the PSD2 directive as a way to ensure an elevated level of security for customers when making payments.
In practice, the solution takes the form of two-factor authentication (2FA), where customers need to provide two independent pieces of information to confirm their identity.
With the growth of online services, there is a greater need to authenticate the identity of users during online transactions and banking activities. Accordingly, SCA was conceived with four main goals:
In Europe, PSD2 strong customer authentication is regulated by the drafted regulatory technical standards (RTS). These standards specify all the authentication requirements for payment providers to comply with SCA and offer their customers a reduced risk of fraud.
To comply with the strong customer authentication requirements, payment providers need to confirm customer identity through at least two independent pieces of information. These pieces of information can be organised in three categories:
For a transaction to be confirmed and accepted, elements from at least two of the categories above must be provided.
These requirements are only applicable to transactions in the European Economic Area (EEA), where both payer and payee are in the region.
Strong customer authentication is required by PSD2 in most online or remote transactions, but there are a few situations where exemptions are applied.
Under the new regulation, specific types of low-risk payments may be exempted from strong customer authentication. Even though the payment provider may request that an exemption be applied, the customer's bank always makes the final decision.
In the context of the PSD2, dynamic linking is one of the most important topics of SCA, even though it might be a little confusing at times.
Essentially, dynamic linking means binding the authentication code (token) to the specific payment amount and the specific payee of the transaction. That token must be carried through every step of the payment and authentication process, and if at any stage it is lost or modified, the transaction must be cancelled.
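As an added illustration (not code from the original article or from Nordigen), the following shows one way an issuer could bind an authentication code to the amount and payee and reject a transaction whose details no longer match. The HMAC construction, the field layout and the `ISSUER_KEY` / `PAYEE-...` values are assumptions for the example, not the RTS's prescribed method.

```python
import hashlib
import hmac
import secrets

# Hypothetical issuer-side secret; in a real deployment it would live in an HSM
# or the customer's secure element, never in application memory like this.
ISSUER_KEY = secrets.token_bytes(32)


def _encode(*fields: bytes) -> bytes:
    # Length-prefix every field so that shifting bytes between amount and payee
    # cannot produce the same message (no separator-based ambiguity).
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)


def dynamic_link_code(key: bytes, amount_cents: int, currency: str,
                      payee: str, nonce: bytes) -> str:
    """Authentication code bound to amount, currency, payee and a per-transaction nonce."""
    msg = _encode(str(amount_cents).encode(), currency.encode(), payee.encode(), nonce)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_dynamic_link(key: bytes, amount_cents: int, currency: str,
                        payee: str, nonce: bytes, code: str) -> bool:
    """Recompute the code over the details presented at execution time.

    Any change to amount or payee after the customer authenticated yields a
    different code, so the transaction is rejected (must be cancelled).
    """
    expected = dynamic_link_code(key, amount_cents, currency, payee, nonce)
    return hmac.compare_digest(expected, code)


def demo() -> dict:
    # Constructed sample transaction: 125.00 EUR to a fictitious payee identifier.
    nonce = secrets.token_bytes(16)
    amount, ccy, payee = 12500, "EUR", "PAYEE-EXAMPLE-001"
    code = dynamic_link_code(ISSUER_KEY, amount, ccy, payee, nonce)
    return {
        "unchanged": verify_dynamic_link(ISSUER_KEY, amount, ccy, payee, nonce, code),
        "amount_changed": verify_dynamic_link(ISSUER_KEY, 125000, ccy, payee, nonce, code),
        "payee_changed": verify_dynamic_link(ISSUER_KEY, amount, ccy, "PAYEE-OTHER-002", nonce, code),
        "code_reused": verify_dynamic_link(ISSUER_KEY, amount, ccy, payee, secrets.token_bytes(16), code),
    }
```

The per-transaction nonce is what stops a code issued for one payment from being accepted for a later one with identical amount and payee.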
According to the regulatory technical standards (RTS) there are specific requirements for the implementation of dynamic linking in SCA. When discussing dynamic linking, four main requirements need to be considered:
Originally, strong customer authentication requirements went into effect on 14 September 2019, but the European Banking Authority (EBA) decided that all providers would have until 1 January 2021 to comply.
Even though the PSD2 SCA deadline was established for the beginning of 2021, many countries in Europe have communicated their individual enforcement timelines, going against EBA's decision.
Strong customer authentication is already in full enforcement throughout the European Economic Area (EEA), with only the United Kingdom and Switzerland extending their deadline until April 2022.
Inside the European Union, seven countries have adopted different timelines for full SCA enforcement: