PSD2 & Instant Payment Basics – Strong Customer Authentication (SCA)
Published: 27 March 2019
Strong Customer Authentication: What are the rules as dictated by PSD2?
In our previous infographic in this series, we introduced the new principles from PSD2 (Payment Services Directive 2) and Instant Payment. In this article, we will discuss one aspect of PSD2 that has a direct impact on merchants: Strong Customer Authentication (SCA) for payments.
As of January 1st, 2021, merchants will have to adapt to SCA, which aims to increase payment security and protect sensitive consumer payment data. Each country will transpose the EU law locally, starting with a full enforcement or gradually.
What are the characteristics of SCA?
For an authentication to meet the criteria of the PSD2, it must combine at least 2 of these 3 factors:
To strongly authenticate strongly an online payment, for example, consumers will be required to use their phone (something you own) and authenticate via fingerprint (something you are).
The 3-D Secure authentication method used for credit card payments will also evolve to version 2.0. Today, before the validation of a credit card payment, the 3-D Secure takes into account two elements which are the credit card number and the code sent via SMS to the payer.
As of January 1st, the credit card number will no longer be considered as a valid authentication because it can be read by an attacker. Thus, this factor will be replaced by another factor that meets the requirements of PSD2, such as biometrics with the 3-D Secure 2.0 protocol.
In which cases is SCA applicable?
SCA will become mandatory in the following cases, whether for individuals or professionals:
- For consultation of an online bank account initiated by the consumer or an AISP (Account Information Service Provider).
- Adding a beneficiary to the online banking space as this could lead to fraudulent transactions.
- During an online payment initiated by the consumer or a PISP (Payment Initiation Service Provider).
What are the exemptions to SCA?
For online payments, certain exemptions have been made by PSD2 to exclude SCA from the customer journey:
- Small amounts:
For a transaction of less than 30 euros, up to 100 euros accumulated or up to 5 transactions since the last SCA. Beyond 100 euros or beyond 5 unauthenticated transactions, a new SCA is required.
- Recurring transactions of the same amount for the same beneficiary:
A new SCA is not required if the amount of a service subscription is exactly the same from one due date to the next.
- Payment to a trusted beneficiary:
The payer may declare trusted beneficiaries to his/her bank, in which case it is not required to have an SCA for each payment.
- A transfer to yourself:
The SCA does not apply when a transfer is made for yourself, but only if both accounts are held by the same bank.
- TRA – Transactional Risk Analysis:
For online payments between €30 and €500, SCA can be deactivated thanks to TRA.
TRA exemption from the issuing bank: The card issuer can apply a TRA exemption even if you did not request for it. We advice you to send additional information in your payment request enhances the likelihood of getting this exemption.
TRA exemption request from the PSP: Payment providers can have the option to choose whether to apply SCA to a transaction or not. However payment providers must ensure their fraud rates do not exceed certain thresholds.
- Merchant Initiated Transaction (MIT):
MIT transactions are subjected to SCA except when a mandate is signed by the client. For example, SEPA Direct Debits are initiated by the merchant but have a direct debit mandate signed by the end customer. Thus, SCA is not applicable in this case and there are no restrictions to the frequency or the amount.
The challenge lies in balancing payment security with a frictionless customer experience by avoiding additional steps that could impact the conversion rate.