Strong customer authentication
{{Short description|Requirement for payment service providers in the EU}}
Strong customer authentication (SCA) is a requirement of the EU Revised Directive on Payment Services (PSD2) on payment service providers within the European Economic Area. The requirement ensures that electronic payments are performed with multi-factor authentication, to increase the security of electronic payments.{{cite web|url=http://europa.eu/rapid/press-release_MEMO-17-4961_en.htm|publisher=European Commission|title=Payment Services Directive (PSD2): Regulatory Technical Standards (RTS) enabling consumers to benefit from safer and more innovative electronic payments|date=2017-11-27|accessdate=2019-04-17}} Physical card transactions already commonly have what could be termed strong customer authentication in the EU (Chip and PIN), but this has not generally been true for Internet transactions across the EU prior to the implementation of the requirement, and many contactless card payments do not use a second authentication factor.
The SCA requirement came into force on 14 September 2019.{{cite web|url=https://eba.europa.eu/-/eba-provides-clarity-to-market-participants-for-the-implementation-of-the-technical-standards-on-strong-customer-authentication-and-common-and-secure-|publisher=European Banking Authority|accessdate=2019-04-17|date=2018-06-13|title=EBA provides clarity to market participants for the implementation of the technical standards on strong customer authentication and common and secure communication under the PSD2|archive-date=2019-04-17|archive-url=https://web.archive.org/web/20190417205144/https://eba.europa.eu/-/eba-provides-clarity-to-market-participants-for-the-implementation-of-the-technical-standards-on-strong-customer-authentication-and-common-and-secure-|url-status=dead}} However, with the approval of the European Banking Authority, several EEA countries announced that their implementation would be temporarily delayed or phased,{{cite web|url=https://www.fca.org.uk/news/press-releases/fca-agrees-plan-phased-implementation-strong-customer-authentication|title=FCA agrees plan for a phased implementation of Strong Customer Authentication|date=2019-08-13|publisher=Financial Conduct Authority|accessdate=2019-09-07}}{{cite web|url=https://support.stripe.com/questions/strong-customer-authentication-sca-enforcement-date|title=Strong Customer Authentication (SCA) Enforcement Date|publisher=Stripe|date=6 September 2019|accessdate=2019-09-07}} with a final deadline set for 31 December 2020.{{cite web |title=EBA publishes Opinion on the deadline and process for completing the migration to strong customer authentication (SCA) for e-commerce card-based payment transactions |url=https://www.eba.europa.eu/eba-publishes-opinion-on-the-deadline-and-process-for-completing-the-migration-to-strong-customer-authentication-sca-for-e-commerce-card-based-payment |website=European Banking Authority |date=16 October 2019 |access-date=11 July 2022}}
Requirement
Article 97(1) of the directive requires that payment service providers use strong customer authentication where a payer:{{cite EU directive|serial=2015/2366/EU|date=25 November 2015|description=on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC|eurlextag=32015L2366}}
(a) accesses its payment account online;
(b) initiates an electronic payment transaction;
(c) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.
Article 4(30) defines "strong customer authentication" itself (as multi-factor authentication):
an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data
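The definition has two distinct tests that are easy to conflate in an implementation: the elements must come from at least two different categories (a password plus a security question is still one category), and they must be independent, so that a single compromised asset does not defeat both. The following is an added illustrative check, not text or code from the directive or the EBA; the factor names and the "depends_on" model of which assets a factor relies on are assumptions made for this example, and a real assessment of independence is a matter for the EBA's guidance, not this simplification.

```python
"""Illustrative PSD2 Article 4(30) element check.

Added example; not from the directive or any payment-scheme specification.
The dependency model below is an assumption: each factor lists the assets
whose compromise would defeat it, and two factors are treated as
independent only when they share no such asset.
"""
from dataclasses import dataclass

SCA_CATEGORIES = {"knowledge", "possession", "inherence"}


@dataclass(frozen=True)
class Factor:
    name: str
    category: str          # one of SCA_CATEGORIES
    depends_on: frozenset  # assumed model: assets whose breach defeats this factor


def sca_satisfied(factors):
    """Return (ok, reason) for a list of factors the user completed.

    Test 1: at least two distinct categories among knowledge/possession/inherence.
    Test 2: independence, i.e. some pair of factors from different categories
            shares no asset in `depends_on`, so one breach cannot defeat both.
    """
    categories = {f.category for f in factors}
    unknown = sorted(categories - SCA_CATEGORIES)
    if unknown:
        return False, f"unrecognised category: {unknown}"
    if len(categories) < 2:
        return False, "fewer than two distinct categories"
    for a in factors:
        for b in factors:
            if a.category != b.category and not (a.depends_on & b.depends_on):
                return True, f"independent pair: {a.name} + {b.name}"
    return False, "every cross-category pair shares a single point of compromise"


# Constructed sample factors (assumed asset names, for illustration only).
PASSWORD = Factor("password", "knowledge", frozenset({"user_memory"}))
SECURITY_QUESTION = Factor("security question", "knowledge", frozenset({"user_memory"}))
SMS_OTP = Factor("SMS one-time code", "possession", frozenset({"handset", "sim"}))
PASSWORD_ON_HANDSET = Factor("password typed on handset", "knowledge",
                             frozenset({"user_memory", "handset"}))
APP_PUSH = Factor("banking-app push approval", "possession", frozenset({"handset"}))


if __name__ == "__main__":
    for combo in ([PASSWORD, SMS_OTP],
                  [PASSWORD, SECURITY_QUESTION],
                  [PASSWORD_ON_HANDSET, APP_PUSH]):
        ok, why = sca_satisfied(combo)
        print([f.name for f in combo], "->", ok, "|", why)
```

The third sample combination is the interesting one: a password typed into the same handset that then receives the push approval passes the "two categories" test but fails the independence test under this model, because compromising that one handset exposes both elements. Whether a given multi-purpose-device deployment actually meets the independence requirement depends on the EBA's opinion on SCA elements cited below, not on this simplified asset model.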
Implementation
The European Banking Authority published an opinion on what approaches could constitute different "elements" of SCA.{{cite web|url=https://eba.europa.eu/-/eba-publishes-an-opinion-on-the-elements-of-strong-customer-authentication-under-psd2|date=21 June 2019|accessdate=2019-09-07|publisher=European Banking Authority|title=EBA publishes an Opinion on the elements of strong customer authentication under PSD2|url-status=dead|archive-url=https://web.archive.org/web/20191230021431/https://eba.europa.eu/eba-publishes-an-opinion-on-the-elements-of-strong-customer-authentication-under-psd2|archive-date=2019-12-30}}
3-D Secure 2.0 can (but does not always) meet the requirements of SCA. 3-D Secure has implementations by Mastercard (Mastercard Identity Check){{cite web|url=https://newsroom.mastercard.com/eu/files/2018/08/Security-Matters-Authentication-under-PSD2-and-SCA-Mastercard-White-Paper2.pdf|title=Strong Customer Authentication and PSD2: How to adapt to new regulation in Europe|publisher=Mastercard|date=2018-08-17|accessdate=2019-04-17|archive-date=2019-04-17|archive-url=https://web.archive.org/web/20190417214935/https://newsroom.mastercard.com/eu/files/2018/08/Security-Matters-Authentication-under-PSD2-and-SCA-Mastercard-White-Paper2.pdf|url-status=dead}} and Visa{{cite web|url=https://www.visa.co.uk/dam/VCOM/regional/ve/unitedkingdom/PDF/visa-preparing-for-psd2-sca-publication-version-1-1-05-12-18-002-final.pdf|title=Preparing for PSD2 SCA|date=November 2018|accessdate=2019-04-17|publisher=Visa}} which are marketed as enabling SCA compliance.
E-commerce merchants must update the payment flows in their websites and apps to support authentication.{{cite web|url=https://stripe.com/guides/sca-payment-flows|title=Designing payment flows for SCA|publisher=Stripe|date=July 15, 2019|accessdate=2019-09-07}} If authentication is not supported, many payments will be declined once SCA is fully implemented.
History
On 31 January 2013, the European Central Bank (ECB) issued recommendations on Internet payment security, requiring strong customer authentication.{{cite web|url=http://www.ecb.eu/press/pr/date/2013/html/pr130131_1.en.html |title=ECB: ECB releases final Recommendations for the security of internet payments and starts public consultation on payment account access services |publisher=Ecb.eu |date= 31 January 2013|accessdate=2014-07-17}} The ECB's requirements are technologically neutral, in order to foster innovation and competition. The public submission{{cite web|url=http://www.ecb.europa.eu/paym/pol/activ/instr/html/comments.en.html |title=ECB: Public consultation |publisher=Ecb.europa.eu |date=2013-01-31 |accessdate=2014-07-17}} process to the ECB identified three approaches to strong customer authentication: two based on reliance authentication, and a third, a newer variant of 3-D Secure incorporating one-time passwords.
Subsequently, the European Commission drafted proposals for an updated Payment Services Directive including this requirement, which became PSD2.
PSD2 strong customer authentication has been a legal requirement for electronic payments and card payments since 14 September 2019, although enforcement for e-commerce card transactions was phased in several countries until the final deadline of 31 December 2020.{{Cite web | url=https://newsroom.mastercard.com/eu/files/2018/02/Security-Matters-Authentication-under-PSD2-and-SCA-Mastercard-White-Paper.pdf | title=Strong Customer Authentication and PSD2 - How to adapt to new regulation in Europe | archive-url=https://web.archive.org/web/20190508053403/https://newsroom.mastercard.com/eu/files/2018/02/Security-Matters-Authentication-under-PSD2-and-SCA-Mastercard-White-Paper.pdf | archive-date=2019-05-08}}
Criticism
In 2016, Visa criticised the proposal of making strong customer authentication mandatory, on the grounds that it could make online payments more difficult, and thus hurt sales at online retailers.{{cite news|website=The Register|date=2016-11-27|accessdate=2019-04-17|last=Leyden|first=Josh|title=Visa cries foul over Euro regulator's stronger authentication demands|url=https://www.theregister.co.uk/2016/11/23/visa_criticises_eu_stronger_authentication_plan/}}
In 2019, consumer representation group Which? noted that many UK banks were implementing SCA by requiring a phone capable of receiving a text message or push notification. When surveyed, nearly one in five Which? members were concerned that they may be unable to make payments if there was no alternative, either due to poor reception or not owning a phone.{{cite news |title=New online security checks exclude people without mobile phones or decent signal |url=https://www.which.co.uk/news/2019/06/new-online-security-checks-exclude-people-without-mobile-phones-or-decent-signal/ |accessdate=24 June 2021 |publisher=Which?}}
In 2020, an independent report conducted by consultancy firm CMSPI found that the potential disruption caused by strong customer authentication (excluding the United Kingdom) could be €108 billion in 2021.{{cite news |title=News SCA for PSD2 could cost merchants more than EUR 100 bln in 2021 |url=https://thepaypers.com/digital-identity-security-online-fraud/sca-for-psd2-could-cost-merchants-more-than-eur-100-bln-in-2021--1244803 |accessdate=24 September 2020 |publisher=The Paypers}}
Outside Europe
The Reserve Bank of India has mandated an "additional factor of authentication" for card-not-present transactions.{{cite web|url=http://rbi.org.in/scripts/NotificationUser.aspx?Id=7874&Mode=0|archiveurl=https://web.archive.org/web/20130304110912/http://rbi.org.in/scripts/NotificationUser.aspx?Id=7874&Mode=0|archivedate=2013-03-04|title=Security and Risk Mitigation Measures for Electronic Payment Transactions|publisher=Reserve Bank of India}}
A proposal to make 3-D Secure mandatory in Australia was blocked by the Australian Competition & Consumer Commission in 2016 after objections.{{cite web|url=https://www.accc.gov.au/media-release/accc-proposes-to-deny-authorisation-to-apca-for-3d-secure-arrangements|title=ACCC proposes to deny authorisation to APCA for 3D secure arrangements|publisher=Australian Competition & Consumer Commission|date=20 May 2016}}