Following in the footsteps of the first Payment Services Directive (PSD) in 2009, PSD2 came into effect in January 2018 with a goal to update banking within the EU and make it much more secure. The most recent addition to PSD2 is Strong Customer Authentication (SCA), which is now expected to come into full force in 2020.
Strong Customer Authentication (SCA) is a PSD2 requirement that aims to enhance the security of certain payment methods – namely payments made online. For payments requiring SCA under PSD2, consumers will be asked for at least two forms of identifying information before a transaction can be approved.
What are the challenges for financial institutions ahead of the implementation date?
The impending SCA deadline has created two main challenges for banks across the EU.
Firstly, what constitutes a valid form of SCA is too vague and the EBU (European Banking Union) isn't planning on clarifying their SCA requirements this year – at which point, the deadline will already have passed. Secondly, many financial institutions don't have the resources or skills to implement SCA within the deadline period.
Both of these challenges are in themselves somewhat alarming, particularly when looking at cases like British Airways being fined £183m for a data breach, and Marriott Hotels being charged £99m by the ICO. Clearly, the grace period for complying with security changes is long over.
What types of SCA are PSD2 approved?
SCA consists of three different components:
- Something a person has. This can be a debit card or smartphone with a specific phone number.
- Something a person knows. This is something that a person knows, which no one else would know, like a PIN or password.
- Something a person is. This kind of SCA uses biometric data like fingerprints or facial recognition to verify a person's identity.
PSD2 will require a person to provide at least two of these examples before a purchase can be approved. If these requirements are not met to PSD2's standards, the transaction will automatically be denied.
While not perfect, these three SCA components will help make online transactions much more secure – in turn, reducing the risk of fraud for consumers.
When is SCA required?
It's important to note that the SCA requirements are not going to be imposed on every transaction – at least for now. Instead, PSD2 is only requiring SCA for online transactions that are customer-initiated.
This means that nearly all business conducted online, whether that's consumer-facing shops or bank transfers will require PSD2 SCA. However, this doesn't apply to recurring payments initiated online. Online subscriptions and services will be considered merchant-initiated, so they can be approved without SCA.
SCA is required when the business a customer is purchasing from and the customer's bank are both located in the EU. International purchases on the other hand, will not require SCA approval. It's important to note that Brexit is not expected to affect the enforcement of these SCA requirements.
JT's role in strong customer authentication
If your financial institution is struggling to meet the upcoming September deadline, partnering with security providers like JT can help your institution become compliant.
JT is one of the oldest and most trusted telecom providers with over 300 direct operator agreements. JT's unique position within the telecom industry gives it the ability to provide secure effective SCA services to partnered financial institutions.
JT does this by taking advantage of one of the most popular forms of SCA – SMS verification codes. These are one-time tokens sent to a person's phone number (something they have), that when used in conjunction with a password or PIN (something they know) meets the requirements for SCA under PSD2, providing simple, yet secure, customer verification
Because JT is already an established provider it can seamlessly provide the framework needed to implement SCA whilst keeping everything as secure and as streamlined as possible.
How JT can improve your SCA security
Although one-time verification codes are widely used, they are not as secure as they may seem on the surface. All a fraudster has to do to breach the security of these codes is have them directed from the customer's phone to theirs. This is known as SIM swap fraud, and it's becoming an ever-increasing threat to consumer security.
JT can check for potential SIM Swaps every time a verification code is about to be sent, preventing a case of fraud before it has the chance to occur. This happens automatically, ensuring your customers will never notice any delay or lag in receiving their codes.
The upcoming PSD2 regulations surrounding Strong Customer Authentication may not be avoidable, but the repercussions of missing the new deadline are. While payment service providers are no longer required to be fully compliant by 14th September 2019, the push of deadline speaks of the market's readiness to comply and provides additional time to put the security into place.
We prepared a white paper on the topic of PSD2, which covers everything you need to know about the changes the new directive brings, how they might affect your business, and any measures you should take to keep your business as secure as possible.
Download your free copy and learn more about how to prepare your business for SCA.