What is Strong Customer Authentication (SCA)?
Strong Customer Authentication (SCA) is a European regulatory framework that describes three types of information that should be reviewed as part of an online payment transaction to increase security and reduce fraud. To accept ecommerce payments once PSD2’s obligations go into effect, merchants will need to build authentication technologies into their checkout flows that measure at least two of the following three elements:
- “Something you know”, the KNOWLEDGE element (e.g., password or PIN)
- “Something you have”, the POSSESSION element (e.g., phone or hardware token)
- “Something you are”, the INHERENCE element (e.g., fingerprint or face recognition)
The Knowledge Element: “Something you know”
What PSD2 describes as “Something the user knows,” the EBA refers to as the knowledge element. Acceptable knowledge elements are sets of information that are protected by mitigation measures to prevent disclosure to third parties and that existed prior to the transaction being attempted. The EBA has outlined the following as a non-exhaustive list of possible knowledge elements:
| EBA verified as SCA Compliant | EBA verified as Not Compliant with SCA |
|---|---|
| | |
The Possession Element: “Something you have”
What PSD2 describes as “Something the user has”, the EBA calls the possession element. Possession elements are measured by the generation or receipt of a secure, dynamic validation on a device. Possession elements can be measured by some technologies that do not require active customer interaction (e.g., capturing the unique signature generated by a device) or more commonly by pushing a one-time password to the device via SMS text. The EBA has outlined the following as a non-exhaustive list of possible possession elements:
| EBA verified as SCA Compliant | EBA verified as Not Compliant with SCA |
|---|---|
| | |
Note that the card itself, or the information printed on it, cannot qualify as something the user “has.”
The Inherence Element: “Something you are”
What PSD2 describes as “Something the user is”, the EBA refers to as the inherence element. This element consists of measuring data related to the physical properties, physiological characteristics or behavioural processes of the body. The EBA has outlined the following as a non-exhaustive list of possible inherence elements:
| EBA verified as SCA Compliant | EBA verified as Not Compliant with SCA |
|---|---|
| | |
Many of these data elements are available only on mobile devices, so merchants should consider how to handle transactions placed both in mobile apps and in the browser. Additionally, note that, per the EBA, authentication protocols such as 3DS (in the current versions, 2.0 and newer) do not include any inherence elements.
Signifyd’s Payments Optimization Solution with Seamless SCA does include both browser- and mobile-friendly inherence elements.
Read the original SCA requirements, set out in the Regulatory Technical Standards (RTS). The EBA issued an Opinion on 21 June 2019 that describes which technologies adequately measure the three elements of SCA; the tables above summarize that Opinion.
When is Strong Customer Authentication required?
Strong Customer Authentication will apply to “customer-initiated” online payments within the European Economic Area (EEA) and is not only for companies based in the EEA. If you have customers whose cards are issued in the EEA and you sell in (payments are acquired in) the EEA, then the PSD2 requirements will apply. As a result, most credit and debit card payments and all bank transfers will require SCA. Recurring direct debits are considered “merchant-initiated” and will not require strong customer authentication. With the exception of contactless payments, in-person card payments are also not impacted by the regulation.
For online credit and debit card payments, these requirements will apply to transactions where both the merchant and the cardholder’s bank are located in the EEA or the UK.
How to authenticate a payment
The most widely adopted way of authenticating an online card payment in the EEA relies on 3-D Secure — a protocol created by EMVCo, a consortium of the card scheme brands.
3-D Secure usually requires that consumers take at least one extra step during or after the checkout to provide additional information to complete a payment (e.g., entering a one-time code sent to their phone or authentication through their mobile banking app).
3-D Secure 2 (or 3DS2) — the new version of the protocol released in 2019 — will be the main method that merchants use to meet PSD2’s requirement to “dynamically link” the payment to the issuing banks and confirm that SCA has been conducted.
This version introduces support for mobile applications, but on its own will require even more additional steps to conduct SCA (e.g., both requiring the cardholder to enter a previously known password or PIN and also confirming the cardholder’s device by entering a one-time password provided by SMS).
- The EBA’s Opinion on 21 June 2019 confirmed that 3DS2 does not support the ability to measure any inherence data points and that a one-time password may satisfy possession but does not satisfy the knowledge element.
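The scoping rules above (customer-initiated, issuer and acquirer both in the EEA or UK, in-person non-contactless out of scope) and the two-of-three element rule, together with the EBA caveats that an SMS one-time password counts only as possession and that card data counts as nothing, can be expressed as a small policy check that a checkout flow can run before deciding whether to trigger a 3DS2 challenge. The following is an added example written for this page, not Signifyd's code or any EBA artefact; the evidence-to-element mapping, the `Payment` fields, the channel and initiator labels, and the EEA country list are all assumptions constructed for the example (the country list should be verified against a maintained source before use):

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, Optional, Set


class Element(Enum):
    KNOWLEDGE = "knowledge"   # something the user knows
    POSSESSION = "possession" # something the user has
    INHERENCE = "inherence"   # something the user is


# Which SCA element a given piece of authentication evidence can satisfy.
# Constructed for this example from the page's prose: an OTP satisfies
# possession but not knowledge; the card and the data on it satisfy nothing.
EVIDENCE_ELEMENT: Dict[str, Optional[Element]] = {
    "password": Element.KNOWLEDGE,
    "pin": Element.KNOWLEDGE,
    "sms_otp": Element.POSSESSION,          # EBA: possession only, never knowledge
    "app_otp": Element.POSSESSION,          # OTP generated in a banking app
    "device_signature": Element.POSSESSION, # passive device fingerprint/token
    "fingerprint": Element.INHERENCE,
    "face_recognition": Element.INHERENCE,
    "behavioural_biometric": Element.INHERENCE,
    "card_number": None,  # the card itself is not "something you have"
    "card_expiry": None,
    "card_cvv": None,
}


def elements_covered(evidence: Iterable[str]) -> Set[Element]:
    """Return the distinct SCA elements that the supplied evidence covers.

    Unknown evidence kinds raise rather than being silently ignored, so a
    misconfigured checkout fails closed instead of under-counting factors.
    """
    covered: Set[Element] = set()
    for kind in evidence:
        if kind not in EVIDENCE_ELEMENT:
            raise ValueError(f"unknown evidence kind: {kind!r}")
        element = EVIDENCE_ELEMENT[kind]
        if element is not None:
            covered.add(element)
    return covered


def sca_satisfied(evidence: Iterable[str]) -> bool:
    """SCA needs at least two *different* elements; two OTPs are still one."""
    return len(elements_covered(evidence)) >= 2


# Assumed EEA list (EU-27 plus Iceland, Liechtenstein, Norway) as ISO 3166-1
# alpha-2 codes, with the UK added because the page puts it in scope.
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "IS", "LI", "NO",
}
IN_SCOPE_COUNTRIES = EEA | {"GB"}


@dataclass(frozen=True)
class Payment:
    issuer_country: str    # where the cardholder's bank is located
    acquirer_country: str  # where the merchant's payment is acquired
    channel: str           # "online", "in_person" or "contactless" (assumed labels)
    initiated_by: str      # "customer" or "merchant" (assumed labels)


def sca_required(p: Payment) -> bool:
    """Apply only the scoping rules stated on the page; per-transaction
    exemptions (e.g. low-value thresholds) are deliberately not modelled."""
    if p.issuer_country not in IN_SCOPE_COUNTRIES:
        return False
    if p.acquirer_country not in IN_SCOPE_COUNTRIES:
        return False
    if p.initiated_by == "merchant":   # e.g. recurring direct debits
        return False
    if p.channel == "in_person":       # contactless is kept in scope
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: an online card payment issued in France, acquired in Germany.
    payment = Payment("FR", "DE", "online", "customer")
    print("SCA required:", sca_required(payment))
    print("password + SMS OTP:", sca_satisfied(["password", "sms_otp"]))
    print("two OTPs:", sca_satisfied(["sms_otp", "app_otp"]))
    print("card data + OTP:", sca_satisfied(["card_number", "card_cvv", "sms_otp"]))
```

The two checks are kept separate on purpose: `sca_required` decides whether the regulation bites at all, and `sca_satisfied` decides whether the evidence already gathered (for instance device and behavioural signals collected passively) clears the two-element bar, so the flow only steps up to an interactive challenge when the first returns true and the second returns false.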
Other card-based payment methods such as Apple Pay or Google Pay support payment flows with a built-in layer of authentication (including biometrics for the inherence element). These can be a great way for merchants to offer a frictionless checkout experience while meeting the new requirements, but they have relatively low adoption rates among consumers.
Signifyd’s Payments Optimization Solution adopts a similar approach to Apple Pay and allows merchants to passively conduct SCA while customers shop on their site, by measuring device token information to satisfy the possession element and behavioral and biometric information to satisfy the inherence element. Our built-in 3DS2 capabilities ensure that a merchant’s payment provider and the cardholder’s issuing banks receive the information necessary to authenticate the transaction.