SCA (Strong Customer Authentication) is the first change introduced by the new PSD2 regulation to make payments more secure. Starting from 14 September 2019 online payments in Europe will be required to perform two or more factor authentication. Basic protections like usernames and passwords will no longer be sufficient for security purposes, but it will be necessary to be authenticated with at least two of these elements:
Information that only the customer knows
- Passwords
- Security questions
Something only possessed by the customer
- Telephone
- Token
- Wearable device
Something that uniquely identifies the customer
- Fingerprint
- Facial recognition
- Voiceprint
- Iris scan
- DNA signature
With two factor authentication, you can therefore also use the most recent biometric protections, already used to a significant extent on smartphones, like fingerprint or retina controls.
Are there exemptions to SCA? Certainly, there are transactions that do not need to use SCA:
- Transactions for low amounts or with reduced risk Transactions under € 30, which added together over 24 hours do not exceed € 100 or five exempt transactions. Low-risk transactions, whose low degree of risk is labelled after a careful analysis of information by a payment service provider. These transactions are exempt from SCA only if the percentage of fraud of the payment provider does not exceed these thresholds for card payments:
0.13% for transactions up to € 100
0.06% for transactions up to € 250
0.01% for transactions up to € 500 - Subscriptions Subscriptions or recurring transactions with a fixed value. In these cases, SCA will be required only for the first transaction (and not for the subsequent automatic renewals). If, at a certain point, the cost of the subscription or the recurring transaction changes, 3DS will be requested again. This obviously does not apply for products whose cost varies depending on period and use (e.g., costs based on consumption), which are classified as “merchant initiated” transactions and, therefore are exempt from SCA.
- Trusted beneficiaries Customers may add a company to the list of “Trusted beneficiaries”. SCA will be requested only for the first payment to that company and the customer may then continue to purchase from this company with no need for SCA.
- MOTO transactions All orders made via post or telephone will always be exempt from SCA, as they are not considered electronic payments.
- Inter-regional transactions All payments in which the issuer or acquirer reside outside Europe are exempt from SCA. It therefore will not be a problem to accept payments in Europe if the purchaser does not belong to the Member States: there will be no need for two or more factor authentication.
And here’s 3DS 2.0
The other improvement in consumer protection is the transition to 3DS 2.0. The current 3DS has many limits, starting from the fact that it uses a pop-up window with a different URL. If phishing sites have immediately come to mind, you’re on the right track. Basically, the risk is greater if a window of this type is used, as it is aesthetically very similar to fake ones created for online fraud. There are also operational problems, for example the saving of a fixed password (there are also variable ones) for the current 3DS, which may complicate the experience of users who have multiple cards. In addition to this is the fact that there is currently no obligation to implement 3DS as a security measure, and this increases risks for the consumer.
All of this will change with the introduction of 3DS 2.0, which will become compulsory by law on 14 September 2019. 3DS 2.0 will make it possible to use biometric methods, thus reducing the number of frauds and improving the experience of consumers, who will not be required to remember countless passwords. Another element lacking in the old system and which will be introduced is the possibility to pay with virtual wallets and not only cards. In addition, as is the case for SCA, 3DS 2.0 will not be required for subscriptions and instalment payments either. SCA and 3DS 2.0 are just two of the changes introduced with the new European PSD2 regulation. If you want to discover all of the new aspects introduced by the PSD2, we suggest you take a look at our correlated article: What is PSD2: a step forward towards open banking.
