What constitutes a method of authentication?
There are three valid categories of authentication available as part of SCA. Within each category, there are a number of potential methods for satisfying that category.
The three categories are:
- Knowledge (something only the payer knows): examples include a password, PIN, passphrase or secret fact/answer
- Possession (something only the payer possesses): examples include their mobile phone, smart watch, smart card or a token
- Inherence (something the payer is): examples include a fingerprint, facial recognition, voice patterns, DNA signature and iris pattern
Only when the payer has provided authentication elements from two of these categories will they be allowed to complete their payment.
The three types of authentication allowed under SCA
On 21 June 2019, the EBA released a new opinion on what may constitute a compliant element in each of the three possible categories of inherence, possession and knowledge, as well as additional requirements on dynamic linking and the independence of elements.
What transactions does SCA apply to?
SCA is being brought in to make dealing with money and making payments online more secure and to reduce payment fraud. At a high level, SCA will be required where a payer transfers funds or accesses their account information, that is:
- each time a payer accesses their payment account online,
- initiates an electronic payment transaction, or
- carries out any action through a remote channel which may imply a risk of payment fraud or other abuse
The main impact is very likely to be on card payments and bank transfers. This is because card payments are instant and initiated by the end customer, and the payment, or the consent to access account details, takes effect immediately, which creates risk.
Does SCA apply to recurring payments?
Where payments are initiated by an end customer, SCA will only apply to the first payment in a set of recurring payments for the same amount. However, if the amount changes, then SCA will apply.
Where payments are initiated by the merchant receiving the funds, SCA will typically (although not in the case of standard direct debits) be required for the first payment in a series of recurring payments. So long as the subsequent payments are initiated by the merchant, further SCA will not be required so long as the amounts being charged are within the reasonable expectation of the end customer.
This means subscription businesses, SaaS businesses and membership businesses will all need to prepare for SCA.
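The following Python example is added here to illustrate the two rules described on this page (the two-category requirement for authentication elements, and when SCA is needed again in a series of recurring payments); it is not code from the original page or from any payment provider. The method names, the Payment fields and the agreed_ceiling value used to stand in for the customer's "reasonable expectation" are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional


class Category(Enum):
    KNOWLEDGE = "knowledge"    # something only the payer knows
    POSSESSION = "possession"  # something only the payer possesses
    INHERENCE = "inherence"    # something the payer is


# Method identifiers are hypothetical names chosen for this example; the
# category each one falls into follows the examples given on the page.
METHOD_CATEGORY = {
    "password": Category.KNOWLEDGE,
    "pin": Category.KNOWLEDGE,
    "passphrase": Category.KNOWLEDGE,
    "secret_answer": Category.KNOWLEDGE,
    "mobile_phone": Category.POSSESSION,
    "smart_watch": Category.POSSESSION,
    "smart_card": Category.POSSESSION,
    "token": Category.POSSESSION,
    "fingerprint": Category.INHERENCE,
    "face": Category.INHERENCE,
    "voice": Category.INHERENCE,
    "iris": Category.INHERENCE,
}


def sca_elements_satisfied(methods: Iterable[str]) -> bool:
    """True only if the presented methods span at least two distinct categories.

    Two methods from the same category (e.g. password plus PIN) are not
    independent elements and therefore do not satisfy SCA.
    """
    categories = set()
    for method in methods:
        if method not in METHOD_CATEGORY:
            raise ValueError(f"unknown authentication method: {method!r}")
        categories.add(METHOD_CATEGORY[method])
    return len(categories) >= 2


@dataclass
class Payment:
    amount: int                        # minor units (e.g. pence)
    initiated_by: str                  # "payer" or "merchant"
    first_in_series: bool              # True for a one-off or the first recurring charge
    is_direct_debit: bool = False      # standard direct debits fall outside this rule
    previous_amount: Optional[int] = None  # last charge in the series, if any
    # Assumption: the ceiling the customer agreed to when the series was set up,
    # used here as a concrete stand-in for "reasonable expectation".
    agreed_ceiling: Optional[int] = None


def sca_required(p: Payment) -> bool:
    """Decide whether a payment needs SCA, following the page's recurring-payment rules."""
    if p.is_direct_debit:
        return False
    if p.first_in_series:
        return True
    if p.initiated_by == "payer":
        # payer-initiated recurring charges: SCA again only when the amount changes
        return p.amount != p.previous_amount
    if p.initiated_by == "merchant":
        # merchant-initiated: no further SCA while within the customer's expectation
        if p.agreed_ceiling is None:
            return True  # assumption: with no agreed expectation on file, fail closed
        return p.amount > p.agreed_ceiling
    raise ValueError(f"unknown initiator: {p.initiated_by!r}")


if __name__ == "__main__":
    print(sca_elements_satisfied(["password", "pin"]))           # same category: not enough
    print(sca_elements_satisfied(["password", "mobile_phone"]))  # knowledge + possession
    monthly = Payment(amount=999, initiated_by="merchant",
                      first_in_series=False, agreed_ceiling=999)
    print(sca_required(monthly))  # within expectation: no further SCA
```

The element check fails closed on unknown methods rather than silently treating them as a new category, and the recurring-payment check fails closed when no agreed ceiling is recorded; both are the safer default when the alternative is skipping authentication.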