The background to PSD2 and SCA
PSD2 is the second EU Payment Services Directive.
The directive builds on three key areas of legislation first brought in with the original 2007 Directive: increased consumer rights in payments, a level playing field created by bringing third-party access to account information into the scope of regulation, and enhanced security.
Enhanced security refers specifically to a set of requirements called Strong Customer Authentication (SCA). These requirements have far-reaching implications for any business with an online presence.
This guide will explore SCA, who and what it affects and how businesses can prepare for the requirements taking effect.
What is Strong Customer Authentication (SCA)?
Strong Customer Authentication is a set of upcoming regulatory requirements, designed to make paying online more secure and, consequently, reduce payment fraud.
SCA adds an extra layer of security when end-customers make a payment online. Until now, shoppers have been able to simply enter their payment details and complete their purchase (although some businesses voluntarily choose to ask for further authentication).
How does SCA work?
SCA is a form of two-factor authentication designed to prove that end-customers are who they say they are, with specific rules around what constitutes ‘authentication’.
It requires two forms of validation out of three available categories.
What constitutes a method of authentication?
There are three valid categories of authentication available as part of SCA. Within each category, there are a number of potential methods for satisfying that category.
The three categories are:
- Knowledge (something only the payer knows) - examples include a password, PIN, passphrase or secret fact/answer
- Possession (something only the payer possesses) - examples include their mobile phone, smart watch, smart card or a token
- Inherence (something the payer is) - examples include a fingerprint, facial recognition, voice patterns, DNA signature and iris pattern
Only when the payer has provided elements from two of these categories will they be allowed to complete their payment.
The three types of authentication allowed under SCA
On 21 June 2019, the European Banking Authority (EBA) released a new opinion on what may constitute a compliant element in each of the three categories of inherence, possession and knowledge, as well as additional requirements on dynamic linking and the independence of elements.
What transactions does SCA apply to?
SCA is being brought in to make dealing with money and making payments online more secure and to reduce payment fraud. At a high level, SCA will be required where a payer transfers funds or accesses their account information.
In particular, SCA will apply each time a payer:
- accesses their payment account online
- initiates an electronic payment transaction
- carries out any action through a remote channel which may imply a risk of payment fraud or other abuse
The main impact is very likely to be on card payments and bank transfers. This is because card payments, and the consent to access account details, are instant and initiated by the end customer, which creates risk.
Does SCA apply to recurring payments?
Where payments are initiated by the end customer, SCA will only apply to the first payment in a set of recurring payments for the same amount. However, if the amount changes, SCA will apply again.
Where payments are initiated by the merchant receiving the funds, SCA will typically (although not in the case of standard Direct Debits) be required for the first payment in a series of recurring payments. Provided the subsequent payments are initiated by the merchant and the amounts charged are within the reasonable expectation of the end customer, no further SCA will be required.
This means subscription businesses, SaaS businesses and membership businesses will all need to prepare for SCA.
Why is SCA coming into force?
SCA is part of PSD2. One of the aims of PSD2 is to provide protection for consumers.
Since the implementation of the original PSD, there have been new technological advances within the payments market seeing an increase of Third Party Providers (TPPs). These TPPs offer new and innovative ways of accessing consumers’ account information and initiating payments.
However, opening up access to consumer accounts in this way creates increased security risk, and the tradeoff is strict regulation on how TPPs and payment service providers get access to these accounts.
That’s where SCA comes in. It aims to ensure that the end customer is the rightful owner of the bank account or other payment mechanism (e.g. card). By going through a two-factor authentication process, the risk of fraud is perceived to be reduced.
In short, SCA is aimed at improving the security of payers’ online transactions and reducing payer fraud.
The cost of payments fraud
SCA is designed to reduce fraud during online transactions, but how much impact will it make?
Europol estimated that card-not-present fraud accounted for 66% of €1.44 billion in fraudulent card transactions in 2013. By 2016, the European Central Bank (ECB) calculated the total cost of card payment fraud reached €1.8 billion. The UK, France and Denmark suffered from the highest rates of card fraud.
In the UK alone, £2 billion was stolen from credit and debit cards in 2017, with 28% of people becoming the victim of online payment fraud.
Any reduction in the rate of fraud could result in a significant saving across Europe.
What countries will SCA apply to?
SCA (as part of PSD2) is a Europe-wide requirement and will be required for any applicable transaction where both the business’ payment service provider and the payer’s bank or card provider are located within the European Economic Area (EEA). If one of these is outside Europe, the requirement is for the payment service provider in Europe to use ‘best efforts’ to apply SCA.
This means that even if a business is headquartered outside the EEA, if they take online payments from payers in the EEA, those transactions may still be subject to SCA.
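A small decision helper, added here as an illustration and not part of the original guide, that encodes the rules the guide has described so far: the two-out-of-three category rule for authentication elements, the recurring-payment rules for customer-initiated and merchant-initiated series, and the EEA scope rule. The `Payment` fields and the `out_of_scope` result for a payment with no EEA party are assumptions for the purposes of the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional

class Factor(Enum):
    """The three SCA categories; each can be satisfied by several methods."""
    KNOWLEDGE = "knowledge"    # password, PIN, passphrase, secret answer
    POSSESSION = "possession"  # phone, smart watch, smart card, token
    INHERENCE = "inherence"    # fingerprint, face, voice, iris

def meets_sca(elements: Iterable[Factor]) -> bool:
    """True when at least two *different* categories are presented.
    Two elements from one category (password + PIN) are not two factors."""
    return len(set(elements)) >= 2

@dataclass
class Payment:
    amount: float
    psp_in_eea: bool                 # the business's payment service provider
    issuer_in_eea: bool              # the payer's bank or card provider
    recurring: bool = False
    first_in_series: bool = True
    merchant_initiated: bool = False
    direct_debit: bool = False       # standard Direct Debit (carved out)
    within_expectation: bool = True  # merchant-initiated amount as expected
    previous_amount: Optional[float] = None  # customer-initiated series

def sca_requirement(p: Payment) -> str:
    """Classify a payment as 'required', 'best_efforts', 'out_of_scope'
    or 'not_required' using the scope and recurring-payment rules."""
    if not p.psp_in_eea and not p.issuer_in_eea:
        return "out_of_scope"   # assumption: no EEA party, nothing to apply
    if not (p.psp_in_eea and p.issuer_in_eea):
        return "best_efforts"   # one leg outside the EEA
    if p.direct_debit:
        return "not_required"   # Direct Debits are excluded from the first-payment rule
    if not p.recurring or p.first_in_series:
        return "required"       # every one-off payment and the first of a series
    if p.merchant_initiated:
        return "not_required" if p.within_expectation else "required"
    # customer-initiated series: exempt only while the amount is unchanged
    return "not_required" if p.amount == p.previous_amount else "required"

if __name__ == "__main__":
    # constructed sample: a €9.99 subscription renewal, both parties in the EEA
    renewal = Payment(9.99, True, True, recurring=True, first_in_series=False,
                      merchant_initiated=True)
    print(meets_sca([Factor.KNOWLEDGE, Factor.POSSESSION]), sca_requirement(renewal))
```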
It is highly likely that SCA will continue to apply to the UK, regardless of the outcome or timing of Brexit. The FCA has made its plans clear: it wants SCA to continue to apply, and there has been no suggestion to the contrary from other European regulators.
The European Banking Authority's role in SCA
The European Banking Authority (EBA) is an independent EU Authority which works to ensure effective and consistent prudential regulation and supervision across the European banking sector. Its overall objectives are to maintain financial stability in the EU and to safeguard the integrity, efficiency and orderly functioning of the banking sector.
The EBA has released Regulatory Technical Standards (RTS) that outline the full remit of SCA for the EEA.
When does SCA come into force?
The deadline for businesses to enact Strong Customer Authentication (SCA) was originally 14 September 2019.
However, on 13 August 2019 the Financial Conduct Authority (FCA) confirmed that enforcement of SCA in the UK will include a phased 18-month implementation, starting on 14 September 2019 and ending March 2021.
This means enforcement action will not be taken against businesses until after the 18-month grace period, “where there is evidence that they have taken the necessary steps to comply with the plan [as agreed with card issuers, payments firm and online retailers].”
The UK’s financial services industry body, UK Finance, is looking to set up an “industry Programme Management Office (PMO)” to communicate the plan more broadly and to coordinate the rollout.
Additionally, on 16 October 2019 the European Banking Authority (EBA) issued an opinion delaying the deadline for SCA until 31 December 2020, along with the actions expected to be taken before the new deadline.