Strong Customer Authentication Compliance

Mike Engle

With the recent introduction of the SCA compliance requirements, authentication is becoming a key player in protecting against fraud and securing payments.

What is Strong Customer Authentication Compliance?

Strong Customer Authentication is a European regulation created to protect those making online and contactless offline payments from fraud. To become Strong Customer Authentication compliant, additional authentication is required in order to accept payments.

What Do I Need to Know About Strong Customer Authentication Compliance?

On November 16, 2015, the Council of the European Union passed the second Payments Service Directive (PSD2), with a two-year window for member countries to implement it into their national law. Part of this directive was a framework for authenticating customer payments. Called Strong Customer Authentication, its purpose is to reduce fraud during payment processing, particularly for online and contactless offline transactions. These requirements apply to organizations doing business in the European Economic Area (EEA). This means offering services to customers in EU member states and three additional members of the European Free Trade Association (Iceland, Norway, and Liechtenstein).

The EU requires payment service providers to be SCA compliant in specific circumstances, namely when a payer does any of the following:

  • Accesses an online payment account
  • Initiates an electronic transaction
  • Carries out any payment process or related action that implies a risk of fraud

In effect, these requirements apply specifically to consumer-initiated transactions. Some transactions are exempt from SCA, including the following:

  • Merchant-initiated transactions, including recurring and subscription payments (Note that the initial payment of any recurring agreement does fall under SCA regulations if it does not meet other exemptions.)
  • Purchases under €30 (roughly $35.55 as of 2021)
  • Corporate transactions between two businesses
  • Low-risk transactions, which are determined through an evaluation of the payment network and the acquiring bank

The penalties for non-compliance aren’t levied by a governing body, but instead fall on banks and payment processors. If PSD2 SCA is not present, then any costs associated with returned payments, fraud, or other crimes fall upon the processor.

What Are the SCA Factors for Payment Authentication?

Many businesses think of Strong Customer Authentication as a requirement for two-factor authentication (2FA) or better. However, EU regulations go further and specify which categories of authentication factor qualify for SCA.

In order to be compliant with SCA, your business must use certain authentication controls in your customer payment flow. These must draw on at least two of the following three factor categories:

  1. Something the customer knows (Knowledge): This includes traditional authentication methods like a password or PIN.
  2. Something the customer is (Inherence): This includes biometrics like fingerprint scans, facial scans, and other physical identifiers.
  3. Something the customer has (Possession): A physical item or a token, which can include their phone, a USB token, or a scannable item like a QR code.

Note that while you can pick the exact methods you will implement and offer to your customers, which of those factors a consumer actually provides is determined by the consumer. If you offer authentication through a PIN, a facial scan on a mobile device, and a QR code, the user must be given the option to select the two they will provide.

If you are processing payments in the EU without these authentication methods in place, those transactions will likely be rejected.

What is the Relationship Between SCA, PCI DSS, and 3D Secure 2.0?

Strong Customer Authentication isn’t the only payment processing compliance framework around. The major credit card networks (Visa, Mastercard, American Express, etc.) came together to develop the Payment Card Industry Data Security Standard (PCI DSS) to govern the security measures payment processors and merchants must have in place to accept credit card information from customers at the Point of Sale (POS) or through online payment portals.

Fortunately, SCA and PCI DSS cover a lot of the same ground, though they differ in scope. One of the major differences between the two is that SCA is mandated by the force of law in the EU: businesses accepting and authenticating payment information in qualifying areas must adhere to its regulations. PCI DSS, on the other hand, is a framework instituted by the card networks.

While adherence to PCI DSS isn’t legally mandated (outside of required legal obligations in cases of theft or fraud), it is required if you (as a merchant or payment processor) want to accept payments from the major credit card brands. Non-compliance with PCI DSS can impact your merchant account and incur fines levied by the card networks, along with restrictions on how you do business.

In the long run, it’s important to note that if your payment authentication methods are compliant with PSD2 and SCA, then they are PCI compliant as well. Building on this, a technology called 3D Secure (now in version 2.0) provides a way to apply the authentication measures detailed here (specifically multi-factor authentication) consistently across several payment channels, including physical card readers and online payment portals.

3D Secure has several limitations, however. The most glaring for many is that while it claims to offer a “frictionless” customer experience, that is often not the case. Each card network implements its own version of the technology, and, more often than not, that means routing customer interactions through third-party sites to perform the additional authentication steps.

1Kosmos BlockID and Payment Processing

Payment processing and protecting customer and financial data is a huge challenge, and attackers continue to develop ever more sophisticated tools to steal identities and commit fraud.

The BlockID system from 1Kosmos provides compliant and secure multi-factor authentication for users in the financial and retail industries. Our system includes a mobile app and advanced biometrics to provide the tools you need to offer SCA-compliant authentication for payments and financial data.

BlockID includes features like:

  • KYC compliance: BlockID Verify is KYC compliant to support eKYC verification that meets the demands of the financial industry.
  • Strong compliance adherence: BlockID Verify meets standards like NIST SP 800-63-3 for Identity Assurance Level 2 (IAL2) and Authentication Assurance Level 2 (AAL2).
  • Incorruptible Blockchain Technology: Store user data in protected (private) blockchains with simple and secure API integration for your apps and IT infrastructure.
  • Zero-trust security: BlockID Verify is a cornerstone for a zero-trust framework, so you can ensure user authentication happens at every potential access point and transaction.

With these measures, you won’t have to worry about the common weaknesses of password systems like brute-force attacks or stolen passwords.

If you’re ready to learn about BlockID and how it can help you remain compliant and secure, read our eBook on how to Go Beyond Passwordless Solutions. Make sure you sign up for the 1Kosmos email newsletter for updates on products and events.

Meet the Author

Mike Engle

Co-Founder and CSO

Mike is a proven information technology executive, company builder, and entrepreneur. He is an expert in information security, business development, authentication, biometric authentication, and product design/development. His career includes the head of information security at Lehman Brothers and co-founder of Bastille Networks.