PSD2 Two Factor Authentication

PSD2 and Two Factor Authentication (2FA) came into force on 14 September 2019. The new regulations were intended to generate a safer payment environment and stimulate innovation within the EU. In the Revised Payment Services Directive (PSD2) there are two key elements to put focus on - Strong Customer Authentication (SCA) and Open Banking. SCA is a model that involves the Two Factor Authentication process. Whereas Open Banking regulations monitor access to consumer banking and payment accounts by Third Party Providers (TPP).


PSD2 2 Factor Authentication

PSD2 is a revised and updated version of Europe’s Payment Services Directive (PSD). It originally was designed to regulate and enhance mobile and online customer protection while making payments. The PSD2 2 Factor Authentication was introduced as part of SCA and is required for the majority of electronic transactions.

Two Factor Authentication is there to ensure the added security layer by minimising the risk of fraud while safeguarding buyers sensitive data. For instance, if someone acquires login details to a Facebook account, they can try to use it and hijack the personal account. Here, 2FA comes in - the hacker utilises an unusual device that is not linked to the account. Therefore, Facebook perceives it as a potential risk and when they attempt to log in the owner receives a notification about suspicious activity from a new device. It will ask to confirm if it is the owner or deny the login. When the owner rejects the log in, the implied risk of losing an account vanishes.

The corresponding process occurs when a consumer uses a credit card - if there is an indication of the potential risk of fraud a person will be asked to provide additional details or confirm their identity before the funds can be accessed.


Strong Customer Authentication (SCA)

In recent years Internet usage has seen a dramatic increase in online shopping. The evolution and growing fraud likelihood led to the urgency of strict regulations. Therefore, the PSD2 directive is there to invigorate competition and open up further development opportunities while securing consumer data and reducing the levels of payment fraud. The majority of fraud cases appear on card-not-present transactions. This means that when the payment is made the cardholder is not obliged to utilise the physical card.

By using SCA and PSD2 Two Factor Authentication a user is well protected against fraud at the in house stores and online. To identify themselves users are obligated to provide at least two of their security elements. These elements can be:

  1. Knowledge - something a person knows, such as a password or PIN code.
  2. Ownership - something a person owns, such as a mobile device.
  3. Biometrics, something they are, such as fingerprint, face scan, iris scan.

To simplify the regulations and create a more comprehensive user experience PSD2 Two Factor Authentication has exemptions. For instance, SCA is only applied to online transactions above 30€. However, the payment value is not the only exception, it is possible to avoid SCA by performing low-value transactions, or using trusted beneficiaries. Moreover, with PSD2 regulations banks are now held responsible if a customer succumbs to online fraud without having to authorise the payment through SCA.

Get started now!

No trial period. No credit card. Free forever.

Join our Newsletter

We frequently share industry news and Nordigen product updates to our closest friends, fintech innovators and industry experts. Sign up to our newsletter to hear more from us.

By providing your email, you accept
Nordigen's Privacy Policy.