Last edited Mar 2022
The digital payments market continues to grow rapidly, with the likes of 2FA and MFA security protocols designed to make it as fraud-safe as possible.
Obviously, no security measure can be 100% secure. But with cybercrime costing an estimated £4.5 trillion in 2021, it is clear that something had to be done. In Europe, the something being done is Strong Customer Authentication (SCA), which involves 2FA and MFA.
The recent SCA mandate is part of the EU’s Second Payments Services Directive (PSD2) which covers all European ecommerce transactions.
The SCA measures primarily involve implementing authentication systems for online payments. These systems are 2FA and MFA, which stand for Two-Factor Authentication and Multi-Factor Authentication respectively. It is important for ecommerce businesses to understand what these security measures mean, so here is a quick guide to PSD2 and the 2FA and MFA payment authentication systems.
The PSD2 regulations are intended to reduce fraud as well as improve consumer choice. Strong Customer Authentication has been mandated for all European e-commerce transactions under PSD2 since 31 December 2020.
The PSD2 should significantly reduce fraud rates as well as increase trust with consumers, with 2FA and MFA the major elements that affect online transactions.
2FA and MFA explained
The first thing to understand is that while 2FA and MFA are similar, they differ in the number of factors involved in securing an online transaction. You can say that 2FA is technically a form of MFA, though MFA is not necessarily a form of 2FA. This is because MFA may involve more than two measures to authenticate a transaction, while 2FA involves exactly two.
For example, an MFA authentication system requires you to present three forms of identification to gain access to a device, apps and files, or to carry out financial transactions online. These forms of ID are:
something you know, such as a password
something you are, such as a fingerprint
something you possess, such as a physical security token
A 2FA authentication system only requires two out of the three forms of identification mandated by the SCA guidelines. Thus, MFA is a more secure system than 2FA, though 2FA is still designed to be very secure.
Just going for the most secure authentication system isn’t necessarily the answer though, as a balance must be struck with convenience and consumer experience. For example, having to use a physical security token every time you want to buy something online is just not viable.
Let’s look closer at some of the items to consider when implementing payment authentication.
Payment authentication considerations
Escalation of authentication is a big consideration. This involves increasing the number of authentication factors required as the size of the transaction increases. For example, small purchases under a ceiling of £20 should not require the same level of authentication as a transaction costing hundreds of pounds.
Customers should also be given adequate context when asked to supply additional payment authentication factors. The PSD2 outlines the principle of dynamic linking in order to provide such context before authorising a payment.
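The following is an added example, not code from the article or from GoCardless, showing how the ideas above fit together in a payment authorisation check: the three factor categories, escalation of the number of factors with the transaction amount, and dynamic linking, where the authentication code is bound to the exact amount and payee so it cannot be reused for a different payment. The £20 low-value ceiling is the article's figure; the £500 floor for requiring a third factor, the HMAC construction of the code, and all function names are assumptions made for this demo and are not taken from the PSD2 text or any real payment provider's API.

```python
import hashlib
import hmac
import secrets
from decimal import Decimal
from enum import Enum


class Factor(Enum):
    """The three SCA factor categories named in the article."""
    KNOWLEDGE = "something you know"      # e.g. a password
    INHERENCE = "something you are"       # e.g. a fingerprint
    POSSESSION = "something you possess"  # e.g. a hardware token or registered phone


# Escalation thresholds. The GBP 20 ceiling is the article's example; the
# GBP 500 floor for a third factor is an assumed value for this demo only.
LOW_VALUE_CEILING = Decimal("20")
HIGH_VALUE_FLOOR = Decimal("500")


def required_factor_count(amount: Decimal) -> int:
    """Escalate the number of distinct factor categories with transaction size."""
    if amount <= LOW_VALUE_CEILING:
        return 1
    if amount < HIGH_VALUE_FLOOR:
        return 2
    return 3


def distinct_categories(presented) -> int:
    """Two factors from the same category (two passwords) only count as one."""
    return len(set(presented))


def new_challenge() -> str:
    """Fresh per-transaction nonce so an authentication code cannot be replayed."""
    return secrets.token_hex(16)


def make_auth_code(key: bytes, amount: Decimal, payee: str, challenge: str) -> str:
    """Dynamic linking (assumed construction): the code is an HMAC over the
    amount, the payee and the per-transaction challenge, so it is valid only
    for this exact payment. A real authenticator would derive a short
    user-facing code from this; the full digest is kept here for clarity."""
    msg = f"{amount}|{payee}|{challenge}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_payment(key: bytes, amount: Decimal, payee: str, challenge: str,
                   code: str, presented) -> tuple:
    """Return (ok, reason). Checks factor count and diversity first, then that
    the supplied code is dynamically linked to this amount and payee."""
    needed = required_factor_count(amount)
    if distinct_categories(presented) < needed:
        return False, f"need {needed} distinct factor categories"
    expected = make_auth_code(key, amount, payee, challenge)
    if not hmac.compare_digest(expected, code):
        return False, "authentication code not linked to this amount and payee"
    return True, "authorised"


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # constructed per-user secret
    challenge = new_challenge()
    code = make_auth_code(key, Decimal("150.00"), "ACME Ltd", challenge)
    # Genuine payment: two distinct factors, code matches amount and payee.
    print(verify_payment(key, Decimal("150.00"), "ACME Ltd", challenge, code,
                         [Factor.KNOWLEDGE, Factor.POSSESSION]))
    # Tampered amount reusing the same code is rejected by dynamic linking.
    print(verify_payment(key, Decimal("1500.00"), "ACME Ltd", challenge, code,
                         [Factor.KNOWLEDGE, Factor.POSSESSION, Factor.INHERENCE]))
```

The two checks are deliberately separate: the factor-diversity check enforces that "two passwords" is not 2FA, while the HMAC check enforces that a code generated for one amount and payee is useless for any other, which is what gives the customer the context the directive asks for before they approve a payment.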
Another important consideration of implementing 2FA or MFA is providing a variety of authentication choices for the customer. There are plenty of options that can be offered, such as time-based one-time passwords and SMS confirmations, as well as biometric or voice identifiers.
Also be aware that with the emergence of third-party payment providers, the variety of possible authentication methods is growing. One example is WhatsApp, which has recently been incorporated as a possible identification factor.
A wide range of authentication options is strongly advised as it will make your customers’ buying experience much smoother.
We can help
If you’re interested in finding out more about why 2FA and MFA are important when taking payments, or any other aspect of your business finances, then get in touch with our financial experts at GoCardless. Find out how GoCardless can help you with ad hoc payments or recurring payments.