Strong customer authentication


Strong customer authentication (SCA) is a requirement of the EU Revised Directive on Payment Services on payment service providers within the European Economic Area. The requirement ensures that electronic payments are performed with multi-factor authentication, to increase the security of electronic payments. Physical card transactions in the EU already commonly have what could be termed strong customer authentication, but this was not generally true for Internet transactions across the EU prior to the implementation of the requirement, and many contactless card payments do not use a second authentication factor.
The SCA requirement came into force on 14 September 2019. However, with the approval of the European Banking Authority, several EEA countries have announced that their implementation will be temporarily delayed or phased, with a final deadline set for 31 December 2020.

Requirement

Article 97 of the directive requires that payment service providers use strong customer authentication where a payer:

accesses its payment account online;
initiates an electronic payment transaction;
carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.

Article 4 defines "strong customer authentication" itself:

an authentication based on the use of two or more elements categorised as knowledge, possession and inherence that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data

Implementation

The European Banking Authority published an opinion on what approaches could constitute different "elements" of SCA.
3-D Secure 2.0 can meet the requirements of SCA. 3-D Secure has implementations by Mastercard and Visa which are marketed as enabling SCA compliance.
E-commerce merchants must update the payment flows in their websites and apps to support authentication. If authentication is not supported, many payments will be declined once SCA is fully implemented.

History

On 31 January 2013, the European Central Bank issued recommendations on Internet payment security, requiring strong customer authentication. The ECB's requirements are technologically neutral, in order to foster innovation and competition. The public submission process to the ECB identified three solutions to strong customer authentication, two of which are based on reliance authentication, and the other being the new variant of 3-D Secure which incorporates one-time passwords.
Subsequently, the European Commission drafted proposals for an updated Payment Services Directive including this requirement, which became PSD2.
PSD2 strong customer authentication has been a legal requirement for electronic payments and credit cards since 14 September 2019.

Criticism

In 2016, Visa criticised the proposal of making strong customer authentication mandatory, on the grounds that it could make online payments more difficult, and thus hurt sales at online retailers.

Outside Europe

The Reserve Bank of India has mandated an "additional factor of authentication" for card-not-present transactions.
A proposal to make 3-D Secure mandatory in Australia was blocked by the Australian Competition and Consumer Commission after objections.