What is Strong Customer Authentication (SCA) & PSD2?

Strong Customer Authentication works to protect European users when accessing sensitive financial information, but your company may also need it for compliance.

What is strong customer authentication? Strong Customer Authentication (SCA) is a European requirement under Payment Services Directive (PSD2) that requires users to authenticate their account before logging in in order to prevent fraud when accessing their banking or making online purchases.

What Is Strong Customer Authentication and Second Payment Services Directive (PSD2)?

In 2007, the European Union (EU) implemented the Payment Services Directive to support better security practices around electronic payments in participating countries. This helped protect consumer information but wasn’t suitable for advances in payment technology, specifically the rise of third-party payment processors.

In 2016, the EU enacted the Second Payment Services Directive to promote a more integrated system of payment processing that would make it easier to work across EU borders, to promote competition in the payment processing market, and to enhance protection for EU consumers increasingly using digital and mobile payment options. 

This law applied specifically to three different types of services:

  • Account Information Services (AIS): These services provide consumers and businesses with information on their finances, either in a single account or across multiple accounts.
  • Payment Initiation Services (PIS): These services support online payments for merchants and consumers, including processing payments, communicating with merchants regarding the completion of transactions for the release of services, and other parts of digital payments. 
  • Card-Based Payment Instruments: Third-party providers that offer card readers (whether through POS terminals or those connected to tablets or phones) that read information and communicate with credit accounts to verify fund availability. 

Essentially, if a technology or organization handles transaction information, including card numbers and related information, it falls under PSD2 jurisdiction.

To govern the security of these services, PSD2 defines a few core requirements:

  • Strong Customer Authentication: Increased customer identification (described in detail later). 
  • Transaction and Device Monitoring: Processors should provide monitoring for systems and devices to track unusual customer behaviors to prevent fraud. 
  • Reliable Application Programming Interfaces (APIs): Providers must provide secure APIs so that merchants, banks, card networks, and the processors themselves can share consumer data securely for authentication and transaction. 

What Is Strong Customer Authentication?

Strong Customer Authentication, or SCA, is the most integral part of PSD2 in protecting consumer information. 

In terms of payment processing, authentication is a bit different from other kinds of authentication. The purpose, in this context, is to help merchants and payment processors verify that users are who they claim to be in order to reduce fraud during transactions. 

Simply put, SCA requires that consumers must be authenticated for transactions using strong multi-factor authentication methods (MFA). More specifically, these consumers must be authenticated through methods comprised of at least two of the following categories:

  • Knowledge: Authentication methods of knowledge are those based on a piece of information that the user knows (either memorized or recorded). These include username/password combinations or PINs.
  • Possession: Authentication methods of possession are those based on methods of confirming possession of an application, account, or device. These methods include One-Time Passwords (OTPs) generated by authentication apps or PINs sent through email or SMS texts. 
  • Inherence: Authentication methods of inherence are based on the user’s physical or behavioral (and relatively stable) aspects. These methods include iris scans, fingerprint scans, facial scans, etc.

Each measure must be completely independent for any two or more methods used for SCA. That is, if one is breached, it does not compromise the other. This means that a hacker can’t, for example, steal a password and gain access to a mechanism changing where a PIN is texted to–in this case, SCA would require that the hacker have both the password and the device to authenticate before changing either. 

In terms of PSD2, secure authentication can come from a variety of interactions. A common example is a consumer making a purchase through an app on their phone using payment information stored in the app. 

To verify the user during the transaction, the app may rely on both knowledge (the user is signed into their account) and inherence (the user performs a facial scan from their phone at the point of purchase). 

Dynamic Linking

Whenever a payment processor uses SCA, they must (under PSD2 regulations) also use “dynamic linking” during the transaction. This means that additional security measures are in place to link the transaction to a specific amount and security tokens to verify legitimacy. 

Dynamic linking includes the following steps:

  • The payer (consumer) must be made aware of the exact amount of the transaction and who the recipient of the payment is. 
  • The payment method must generate an authentication code tied to the amount of the transaction and the recipient. 
  • The payment service provider can derive the amount and recipient from that number once it reaches its destination.
  • If anything changes (amount or recipient) then the transaction automatically fails. 

What Is 3D Secure 2 and How Does it Apply to SCA?

In general consumer payment processing in the United States, there isn’t an equivalent law that governs processing at the same scale as the EU. However, some private-sector solutions can meet SCA laws. One of these is 3D Secure 2. 

This standard includes several necessary mechanisms that meet SCA standards, including:

  • Frictionless Authentication: 3D Secure allows payment providers to include more authentication information as a part of a transaction. Using secure channels, this data remains private but can be used to strengthen authentication through MFA while streamlining the entire process. 
  • Challenge Flows: If the user/merchant transaction provides enough information for a bank or credit network to authenticate, they’ll authenticate. If not, the transaction will be challenged and require additional authentication information. 
  • Various Data Points: 3D Secure 2 can collect several data points from apps and browsers to authenticate, including account information, biometric information, and device information, allowing for more secure and dynamic access.

Powerful Authentication to Meet SCA with 1Kosmos

The cornerstone of SCA and meeting PSD2 standards is having the authentication standards in place to collect the right information from the customer. Businesses and payment processors must do this while meeting consumers where they are–at their computers and at their mobile devices. 

With 1Kosmos BlockID, you get the added security of SCA with the advanced protections of liveness proofing, NIST-compliance identity assessment tools, passwordless authentication, and biometrics all tied to mobile devices. 

1Kosmos gives you the following features:

  • SIM Binding: The BlockID application uses SMS verification, identity proofing, and SIM card authentication to create solid, robust, and secure device authentication from any employee’s phone. 
  • Identity-Based Authentication: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through credential triangulation and identity verification.
  • Cloud-Native Architecture: Flexible and scalable cloud architecture makes it simple to build applications using our standard API and SDK.
  • Identity Proofing: BlockID verifies identity anywhere, anytime and on any device with over 99% accuracy.
  • Privacy by Design: Embedding privacy into the design of our ecosystem is a core principle of 1Kosmos. We protect personally identifiable information in a distributed identity architecture and the encrypted data is only accessible by the user. 
  • Private and Permissioned Blockchain: 1Kosmos protects personally identifiable information in a private and permissioned blockchain, encrypts digital identities, and is only accessible by the user. The distributed properties ensure that there are no databases to breach or honeypots for hackers to target. 
  • Interoperability: BlockID can readily integrate with existing infrastructure through its 50+ out-of-the-box integrations or via API/SDK. 

To learn more about strong authentication for your organization, read our whitepaper on Identity-Based Authentication.

FIDO2 Authentication with 1Kosmos
Read More
Meet the Author

Javed Shah

Former Senior Vice President Of Product Management

Javed has spent his entire twenty year career designing and building blockchain and identity management solutions. He has led large customer facing pre-sales teams, led product management for identity management platforms like the ForgeRock Identity Platform and the ForgeRock Identity Cloud. Javed has an MBA from UC Berkeley.