Strong Customer Authentication under
PSD2 Guidelines

European banks will be required to follow SCA under PSD2, but what is PSD2 and why must banks comply? PSD2 is the second iteration of the ‘Payment Services Directive’ (PSD), a European Union (EU) directive first introduced in 2007 to regulate payment services and payment service providers (PSPs). PSD allowed for better pan-European competition and participation in the payments industry while threatening to break up the banking industry’s monopoly on facilitating secure online payments. Many are concerned about the implications of adapting to SCA under PSD2, but they need not be. GPayments, a well-known 3D Secure vendor for over 15 years, is introducing a new version of ActiveAccess, its authentication platform, which supports 3D Secure, 3D Secure 2 and SCA using its multi-factor authentication module. This page gives an overview of the changes to come.

What is Strong Customer Authentication (SCA)

Strong customer authentication (SCA) is defined as “an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is). These must be independent from one another, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data.”

With the general shift towards online services, there is a greater need to authenticate the identity of users during transactions and banking activities, in order to:

  • Reduce the potential for online fraud
  • Reduce the cost of processing fraudulent transactions
  • Increase cardholder confidence in using online services
  • Comply with international regulations such as PCI DSS and, of course, PSD2

What is dynamic linking?

Dynamic linking is a further requirement introduced by PSD2 for remote electronic payments. It means that the authentication code generated for a transaction is cryptographically bound to the specific payment amount and the specific payee of that transaction, rather than only to the user.

If the payment amount or payee changes, the authentication code is no longer valid and a new one must be generated and used. Dynamic linking therefore adds an authentication layer that the previous guidelines did not require: an attacker who intercepts a code, or tampers with the transaction details after the payer has approved them, cannot reuse the code for a different amount or a different recipient.

GPayments’ ActiveAccess will support each of the following requirements, which need to be met during a dynamically linked transaction:

  • The payer must be aware of both the transaction amount and the payee at all times
  • Authentication tokens must be specific to the amount of the transaction and to the payee
  • The underlying technology must ensure the confidentiality, authenticity and integrity of:
    • the amount of the transaction and of the payee
    • information displayed to the payer through all phases of the authentication procedure
  • The authentication code must change if any changes are made to the amount of the transaction and/or the payee
  • The channel, device or mobile application, through which the information linking the transaction to a specific amount and payee is displayed, must be independent or segregated from the channel, device or mobile application used for initiating the electronic payment transaction
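The requirements above can be met with a keyed MAC over the transaction details. The following added example (written for this page, not GPayments’ or ActiveAccess’ code) shows one way to do it: the code is an HMAC-SHA256 over a fresh per-transaction challenge, the amount in minor units, the currency and the payee identifier, truncated to eight digits in the style of HOTP (RFC 4226). The shared device key, the field encoding and the eight-digit length are assumptions for illustration; the property demonstrated is that the same code verifies only for the exact amount, payee and challenge it was issued for, which is what dynamic linking demands. The display of the amount and payee to the payer on an independent device is outside what this snippet can show.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed example secret shared between the issuer's authentication
# server and the payer's device (an assumption for this example; real
# deployments provision a per-device key during enrolment).
DEVICE_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)
CODE_DIGITS = 8


def canonical_message(challenge: bytes, amount_minor: int, currency: str, payee: str) -> bytes:
    """Serialise the data the authentication code is bound to.

    The amount is carried in minor units (e.g. cents) as an integer to avoid
    formatting ambiguity, and every field is length-prefixed so that, for
    example, amount 12 with payee "3..." cannot be confused with amount 123.
    """
    if amount_minor < 0:
        raise ValueError("amount must be non-negative")
    fields = [
        challenge,
        struct.pack(">Q", amount_minor),
        currency.upper().encode("ascii"),
        payee.encode("utf-8"),
    ]
    out = b""
    for field in fields:
        out += struct.pack(">H", len(field)) + field
    return out


def new_challenge() -> bytes:
    """Fresh random challenge per transaction so a valid code cannot be replayed."""
    return secrets.token_bytes(16)


def generate_code(key: bytes, challenge: bytes, amount_minor: int, currency: str, payee: str) -> str:
    """Return an 8-digit code dynamically linked to amount, currency and payee."""
    mac = hmac.new(key, canonical_message(challenge, amount_minor, currency, payee), hashlib.sha256).digest()
    # Dynamic truncation as in HOTP: the low nibble of the last byte selects a
    # 4-byte window; the top bit is cleared and the value reduced mod 10^digits.
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** CODE_DIGITS)).zfill(CODE_DIGITS)


def verify_code(key: bytes, challenge: bytes, amount_minor: int, currency: str, payee: str, code: str) -> bool:
    """Recompute the code for the transaction as the server sees it and compare in constant time."""
    expected = generate_code(key, challenge, amount_minor, currency, payee)
    return hmac.compare_digest(expected, code)


def demo() -> dict:
    """Show that the code survives only for the exact transaction it was issued for."""
    challenge = new_challenge()
    code = generate_code(DEVICE_KEY, challenge, 4999, "EUR", "ACME Webshop")  # payer approves EUR 49.99
    return {
        "same_transaction": verify_code(DEVICE_KEY, challenge, 4999, "EUR", "ACME Webshop", code),
        "amount_changed": verify_code(DEVICE_KEY, challenge, 5999, "EUR", "ACME Webshop", code),
        "payee_changed": verify_code(DEVICE_KEY, challenge, 4999, "EUR", "Mallory Ltd", code),
        "replayed_later": verify_code(DEVICE_KEY, new_challenge(), 4999, "EUR", "ACME Webshop", code),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:>17}: {'valid' if ok else 'rejected'}")
```

The server must store the challenge, amount and payee it presented to the payer and verify the code against those stored values, never against values resubmitted by the merchant; otherwise the binding is meaningless. The challenge should be single-use and expire after a short window.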

What types of transactions are covered under SCA?

The majority of online transactions will be covered under SCA. PSD2 makes it mandatory for payment service providers to apply SCA. If a transaction is processed without SCA having been applied, liability for any resulting fraud falls on the payment service provider. PSD2 requires SCA in the following situations:

  • Accessing payment accounts online
  • Initiating electronic transactions
  • Any action carried out through a remote channel that presents a risk of payment fraud
  • Provisioning of information through a service provider (payment or information)

In almost all circumstances, two-factor authentication (2FA) will become mandatory, with many scenarios requiring more than two security checks to protect customers, merchants and banks against online fraud.

A small number of transactions will be exempt from the new PSD2 regulations regarding SCA. These include very small transactions (under €30), along with unattended payment terminals, such as those found in parking lots, bars and supermarkets.

For the most part, though, merchants and other service providers will be required to support SCA and, where they do not, the PSP will be required to apply it.

3D Secure 2 & PSD2

Many are wondering how the introduction of PSD2 will affect 3DS2 (3D Secure 2), the updated protocol to ensure safe and secure online transactions. First, let’s quickly recap 3DS2.

  • Merchants will be able to offer a consistent, easy-to-use service across multiple payment gateway platforms and digital media during transaction authentication; this will help combat the 3D Secure issue of high cart abandonment rates.
  • Issuers can improve ‘frictionless authentication’ by way of richer data exchanges. Additionally, cardholders will be able to choose their preferred medium for making purchases – thanks to multi-factor authentication functionality – without compromising on security.
  • Consumers want a convenient and secure service when carrying out eCommerce payments; 3D Secure 2, along with the corresponding MPI and ACS technology, will provide these benefits, adding efficiency with little to no impact on applications and payment gateways that customers are already familiar with.

The good news is that PSD2 does not require 3DS2; 3DS 1.0.2 satisfies the requirements of PSD2, so if you are yet to take the plunge and update to 3DS2 (which we highly recommend), you can still comply. However, 3DS2 promises to make the experience a lot easier, reducing friction and allowing the provisions of PSD2, and the prevention of fraud, to be achieved with little effort by consumers, merchants and banks.

Support for PSD2/SCA in GPayments ActiveAccess

GPayments’ authentication platform, ActiveAccess, is an EMVCo-compliant Access Control Server which offers a multi-factor authentication service for internet banking, mobile banking and eCommerce transactions, with or without the card schemes’ directory servers. This provides banks with a flexible, cost-effective solution for their eBanking customers.

GPayments’ ActiveAccess Multi-Factor Authentication module provides the services outlined under ‘Strong Customer Authentication’ in the PSD2 guidelines. This authentication service allows banks and financial institutions to give their end users a secure mechanism for accessing their internet and mobile banking portals. ActiveAccess supports a range of authentication devices and allows one or many device types, from any vendor, to be deployed simultaneously. It does this through an authentication layer that hides the device-specific details of the authentication process, giving organisations flexibility now and in the future.