Strong Customer Authentication (SCA) is a change to how payment transactions are approved. It is an EU requirement (introduced by the revised PSD2 directive) intended to reduce the volume of fraudulent activity and increase the security of payments.
At its core, it is made up of three authentication factors, of which two are required from the effective date of September 14th 2019.
We will now look at each in more detail.
What Is Strong Customer Authentication?
SOMETHING YOU KNOW
This is the most common form of authentication currently, and it usually refers to something like a password. It's a piece of information that you know but (theoretically) no one else does. This can also be things like security questions, knowledge about your personal history, and so on.
SOMETHING YOU HAVE
This is anything that you possess that is unique to you. Most commonly, your mobile phone is used. If you've ever tried logging into an account only to be sent a verification code on your mobile phone, then you've encountered this kind of authentication before. Since no one else has your phone number, you are the only person who can be sent this code. Credit card numbers or car keys are other common examples of this.
SOMETHING YOU ‘ARE’
Lastly, the most secure form of authentication: your fingerprint, your face, your voice. Typically, if it falls under biometrics, it belongs in this category. Despite being the most secure, it is still the least common form of verification, since it is a little more complicated to implement than the others. It is becoming increasingly popular, however.
Why Is Strong Customer Authentication Important?
Strong Customer Authentication combines two of these three kinds of authentication in order to verify a person's identity. Now, if you're used to only having to remember your passwords and nothing else, this might seem like nothing more than an extra step you have to complete before logging in to an account. However, it is an extremely important layer of security that can greatly reduce the chances of having your account(s) compromised.
The issue with each of the three forms of verification is that, on its own, it is relatively easy to crack. Passwords can be guessed, overheard, shared, and forgotten, not to mention that most people rarely use a unique password for each of their accounts. So all a hacker needs is to uncover the password for one account, and they can easily access and alter the others.
When it comes to something you have, well, all a person would have to do is take that thing, and then they have access to it (e.g., having your credit card stolen). Biometrics are much harder to breach, since a hacker would need you in order to bypass them. However, because biometric tech is difficult to implement, it will be some time before we can rely on it solely.
When you combine these forms of authentication, however, you create security measures that are greater than the sum of their parts. Two-factor authentication is particularly important when you're handling sensitive consumer information or resources, like a bank or other financial institution.
Challenges Of SCA
If you're a business trying to implement SCA for your customers, the most common way that you'll do this is by sending a verification code to their phone. In fact, if you're in the EU, SCA will be required for consumers to make electronic payments.
The challenge with implementing this kind of SCA is in being able to successfully send out SMS messages with verification codes to a large base of customers. Each of these SMS messages needs to reach its recipient quickly, reliably, and with as little room for error as possible. When your customers are local to the region where your SMS codes are coming from, the messages will generally send quickly and without error. When your customers are outside of this region, however, the potential for errors and failures can quickly rise.
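As an added example (not code from the original article), here is how a payment back end might enforce the two-factor rule described above: a password (something you know) plus a one-time code sent to the customer's phone (something you have). The class name, the five-minute code lifetime and the three-attempt limit are assumptions; the code is single-use, expires, and is compared in constant time.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumed lifetime of an SMS verification code
MAX_ATTEMPTS = 3        # assumed number of guesses allowed per issued code


class ScaVerifier:
    """Constructed example: approve a payment only when two distinct factors pass."""

    def __init__(self, password: str, now=time.time):
        self.now = now  # injectable clock so expiry can be tested offline
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        self.pending = None  # state of the currently issued one-time code, if any

    def knows_password(self, candidate: str) -> bool:
        """Factor 1 (something you know): salted, stretched hash compared in constant time."""
        h = hashlib.pbkdf2_hmac("sha256", candidate.encode(), self.salt, 100_000)
        return hmac.compare_digest(h, self.pw_hash)

    def issue_code(self) -> str:
        """Generate a fresh 6-digit code. In production it goes to the SMS gateway only."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending = {"code": code, "expires": self.now() + OTP_TTL_SECONDS,
                        "attempts": MAX_ATTEMPTS}
        return code

    def has_device(self, candidate: str) -> bool:
        """Factor 2 (something you have): the code must be unexpired, unused, within attempts."""
        p = self.pending
        if p is None or self.now() > p["expires"] or p["attempts"] <= 0:
            self.pending = None
            return False
        p["attempts"] -= 1
        ok = hmac.compare_digest(candidate, p["code"])
        if ok or p["attempts"] == 0:
            self.pending = None  # single use: a correct code (or the last guess) retires it
        return ok

    def approve_transaction(self, password: str, code: str) -> bool:
        """SCA rule: both factors from different categories must succeed."""
        return self.knows_password(password) and self.has_device(code)
```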
Messages, delivered in an instant
A "hop" is an extra connection an SMS has to make in order to reach its destination.
Every hop that an SMS makes is an opportunity for something to go wrong. Data can be lost, messages can be delayed, and you can receive false positives on delivery receipts, telling you that a message reached its intended recipient when it really only made it through a single hop.
Ideally, when you're sending sensitive information like a verification code for two-factor authentication, an SMS would have zero hops. This is what's called a direct connection, and it's the most secure method for sending SMS messages to your customers. In order to ensure 2FA reliability and maintain successful conversion rates, a business needs to use as many direct connections as possible.
SCA is one of the best ways to keep your customers’ data safe against hackers and fraudsters. However, it can be difficult to implement from scratch, especially when depending on unreliable mobile networks. Opting for trustworthy telecom providers that offer as many direct connections as possible will keep your customers’ information secure and your 2FA system dependable.
Would you like to learn more about the new EU requirements? We compiled a short infographic on the revised PSD2 directive that describes SCA in detail. Take a look and learn more about the topic.