Strong Customer Authentication: new payment verification rules explained
Strong Customer Authentication will change the way that payment service providers (PSPs), including banks, validate payments and verify their customers' identity.
The legislation in respect of Strong Customer Authentication has applied across EU member states since 14 September 2019. However, in an Opinion provided in June 2019, the European Banking Authority (EBA) acknowledged the complexity of the payment markets across the EU and the fact that this might mean that some parts of the payments chain would not be ready to implement Strong Customer Authentication by this date.
Therefore, the EBA allowed Competent Authorities with responsibility for their state’s PSPs limited additional time to implement Strong Customer Authentication.
In August 2019, the FCA confirmed that they had agreed a timeline with the EBA for implementing Strong Customer Authentication in the UK. The deadline for online banking providers to implement Strong Customer Authentication is 14 March 2020. The deadline for those in the e-commerce industry (card issuers, payment firms and online retailers) is 14 March 2021.
However, in a second Opinion provided in October 2019, the EBA confirmed its own deadline of 31 December 2020 for the implementation of Strong Customer Authentication by merchants across all EU member states. Therefore, there is a discrepancy between the UK enforcement date (14 March 2021) and the EBA’s deadline for the rest of the EU (31 December 2020).
Nonetheless, the FCA have confirmed that UK card issuers will be required to decline all non-SCA-compliant transactions after 14 March 2021 with no extension to this date.
Fundamentally, Strong Customer Authentication aims to reduce fraud and make payments more secure. However, PSPs should be aware that compliance with Strong Customer Authentication alone is unlikely to provide adequate protection against the risk of fraud or the challenges arising from payment disputes.
What is Strong Customer Authentication?
Strong Customer Authentication is one of the fundamental changes to be implemented by the Revised Payment Services Directive (commonly known as PSD2).
PSD2 is an update to the Payment Services Directive (PSD), which was introduced in 2007 to create a single market for credit transfers, direct debits and card payments in the EU. Due to the rapid progress of the EU economy, new services for online payments had emerged that were outside of the scope of PSD, which meant that they were not regulated at an EU level. PSD2 sought to formalise payment security requirements under national law and to establish safer and more innovative payment services across the EU single market. This included aims to make payments safer and more secure, and to protect consumers. Strong Customer Authentication has been designed to achieve this, by enhancing the security of payments and seeking to limit fraud.
Who will have to comply with Strong Customer Authentication?
All PSPs (defined under Article 4 (11) of PSD2) will have to comply with Strong Customer Authentication.
A PSP is a collective term referring to a number of different payment providers. However, the majority of entities concerned are the credit institutions (i.e. institutions whose business is to take deposits or other repayable funds from the public and to grant credits for its own account) and electronic money institutions (i.e. a legal person that has been granted authorisation to issue electronic money) that process electronic transactions on behalf of consumers.
Some elements of Strong Customer Authentication will also apply where payments are initiated through a payment initiation service provider (PISP, defined under Article 4 (16) of PSD2), which facilitates account-to-account transfers (e.g. through the Faster Payments scheme) instead of card payments (e.g. via a card provider like Visa/Mastercard).
Whilst there is an exemption for corporate payments, operationally distinguishing these from consumers within the same (or linked) payment channel may be difficult. In any case, firms intending to operate under this exemption must submit, at least 3 months before the date of intended use of the exemption, an operational and security risk assessment form to the FCA.
When should PSPs use Strong Customer Authentication?
Under Article 97 of PSD2, member states have to ensure that a PSP applies Strong Customer Authentication where a payer:
- Accesses its payment account online
- Initiates an electronic payment transaction
- Carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.
As such, Strong Customer Authentication will apply to a wide variety of electronic transactions (although there will be some limited circumstances in which it will not apply - for example where the payment is for less than £30 or is recurrent or deemed low risk by the PSP).
Where Strong Customer Authentication does apply, two or more of the following elements will need to be used to verify the transaction:
Strong Customer Authentication's 'knowledge' element
This is defined as "something only the user knows". In their Opinion, which contains guidance on which authentication approaches comply with Strong Customer Authentication, the European Banking Authority (EBA) have confirmed that a password, a PIN, a passphrase, a memorised swiping path or knowledge-based responses to challenges or questions would all satisfy the knowledge element of Strong Customer Authentication.
Strong Customer Authentication's 'possession' element
This is defined as "something only the user possesses" and can refer to physical possession as well as possession of something virtual (such as an app). The EBA have confirmed that possession of a device evidenced by a one-time password or signature generated by, or received on, the device (for example via a token generator or a text message) or possession of a card or device evidenced through a QR code, card reader or a dynamic card security code, would all satisfy the possession element of Strong Customer Authentication.
Strong Customer Authentication's 'inherence' element
This is defined as "something the user is" and refers to authentication elements that can be read by devices and software. The EBA has confirmed that retina, iris and fingerprint scanning, vein or voice recognition, identifying the shape of the user's face or hand, or identifying the user by the way they type, or swipe, or hold the device, would all satisfy the inherence element of Strong Customer Authentication.
Will Strong Customer Authentication prevent fraud?
The two elements used for Strong Customer Authentication must also be independent. This means that the elements must be subject to measures which ensure that (in terms of technology, algorithms and parameters) breach of one of the elements will not compromise the reliability of the other element.
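The following is an added illustration, not code from the article or from any regulator, of how a PSP's authentication policy engine might check the two rules just described: that a transaction is verified with at least two of the three elements (knowledge, possession, inherence), and that the elements used are independent. The factor names, the `channel` attribute and the `evaluate_sca` function are assumptions made for this example; in particular, it treats two factors held on or delivered through the same channel as not independent, which is a deliberately strict reading (the regulatory technical standards do allow multi-purpose devices with separation measures, which this article does not cover).

```python
from dataclasses import dataclass
from enum import Enum
from itertools import combinations


class Element(Enum):
    KNOWLEDGE = "knowledge"
    POSSESSION = "possession"
    INHERENCE = "inherence"


# Assumed mapping of authentication approaches to the SCA element they
# evidence, following the categories the EBA Opinion lists (see above).
FACTOR_ELEMENT = {
    "password": Element.KNOWLEDGE,
    "pin": Element.KNOWLEDGE,
    "passphrase": Element.KNOWLEDGE,
    "swipe_path": Element.KNOWLEDGE,
    "challenge_answer": Element.KNOWLEDGE,
    "sms_otp": Element.POSSESSION,
    "token_otp": Element.POSSESSION,
    "card_reader": Element.POSSESSION,
    "qr_code": Element.POSSESSION,
    "dynamic_cvv": Element.POSSESSION,
    "fingerprint": Element.INHERENCE,
    "face": Element.INHERENCE,
    "voice": Element.INHERENCE,
    "typing_pattern": Element.INHERENCE,
}


@dataclass(frozen=True)
class Factor:
    kind: str      # key into FACTOR_ELEMENT
    channel: str   # assumption: where the factor is held or delivered


def evaluate_sca(factors):
    """Return (compliant, reason) for a set of factors presented together.

    Rule 1: at least two distinct elements must be present (two passwords
            are still only 'knowledge').
    Rule 2: (assumed model of independence) at least one pair of distinct
            elements must be held on different channels, so that the
            compromise of one channel does not yield both elements.
    """
    by_element = {}
    for f in factors:
        element = FACTOR_ELEMENT.get(f.kind)
        if element is None:
            return False, f"unknown factor kind: {f.kind}"
        by_element.setdefault(element, []).append(f)

    if len(by_element) < 2:
        return False, "fewer than two distinct elements"

    for e1, e2 in combinations(by_element, 2):
        if any(a.channel != b.channel
               for a in by_element[e1] for b in by_element[e2]):
            return True, f"independent {e1.value} + {e2.value}"

    return False, "elements are not independent (shared channel)"


if __name__ == "__main__":
    # Constructed sample cases, not real customer data.
    cases = {
        "password + SMS OTP": [Factor("password", "user_memory"),
                               Factor("sms_otp", "registered_phone")],
        "password + PIN": [Factor("password", "user_memory"),
                           Factor("pin", "user_memory")],
        "app OTP + fingerprint in same app": [Factor("token_otp", "banking_app"),
                                              Factor("fingerprint", "banking_app")],
    }
    for name, factors in cases.items():
        print(f"{name}: {evaluate_sca(factors)}")
```

Running the block shows the three outcomes a policy reviewer cares about: a password plus an OTP on a registered phone passes; a password plus a PIN fails because both are knowledge; and an OTP plus a fingerprint both bound to the same app fails the (strict, assumed) independence check even though they are two different elements.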
At first blush, Strong Customer Authentication is a more robust anti-fraud measure than older methods of single-factor authentication. However, that doesn't mean it is enough by itself to prevent fraud, nor to satisfy all of the anti-fraud obligations which fall on banks' and other PSPs' shoulders. We discuss this issue in a separate article.
For now, if you have any questions regarding Strong Customer Authentication, please contact me on [email protected].