Strong Customer Authentication (EU)
This article was published in the German Federal Financial Supervisory Authority’s “BaFinJournal” in June 2018, authored by Dr. Felix Strassmair-Reinshagen. Since not all contributions are made available in English, we have extracted the majority of points here to facilitate greater access for the global community.
TL;DR — The provisions of the Second Payment Services Directive (PSD2) on Strong Customer Authentication (SCA) in electronic payments will lead to noticeable changes, in particular in the use of online banking and internet payments.
While the majority of the PSD2 provisions had to be implemented into national law by January 13, 2018, the European legislator has granted the market a longer transition period on this particular point. The obligation to perform Strong Customer Authentication (SCA) becomes binding only 18 months after the entry into force of the Delegated Regulation, which sets out the details of the implementation. Since this rule book came into effect on March 14, 2018, the new regulation on SCA will apply from September 14, 2019 onward. However, many bank customers will notice the associated changes earlier, since banks are already adjusting their systems.
Every computer user is familiar with being authenticated on a web page, for example by entering a secret password. However, SCA requires authentication that consists not of one but of at least two components, which must come from two of the three categories of “knowledge”, “possession”, and “biometrics”. An example of an item in the knowledge category is the previously mentioned password. An example of the possession category is the mobile phone. Possession of the telephone can be proven, for example, by entering a transaction number (TAN) that was sent to the telephone through a text message. Biometric elements are characteristics inherent to the user, such as physical features, for example her fingerprint.
PSD2 defines when SCA is required. This is particularly the case when the payer initiates an electronic payment transaction or when accessing her bank account online. However, the Delegated Regulation also contains exemptions that do not require SCA in these situations.
Effecting electronic payments
A classic example of effecting an electronic payment is the card payment using a personal identification number (PIN) at the supermarket checkout. Paying at the checkout with card and signature, on the other hand, is not the effecting of an electronic payment, irrespective of what type of card (debit/credit) is being used.
If the effected electronic payment is a remote payment process, for example, an online money transfer or a credit card payment on the internet, SCA requires a so-called “dynamic link” to be applied, referencing the recipient and payment amount. This is best explained with an example. When sending a transaction number (TAN) via text message, the user must be informed for which amount and payee this TAN should apply; any change to the payment details would invalidate the submitted TAN. The indexed TAN (iTAN) lists that are still occasionally in use do not fulfill this requirement, since these pre-defined TANs can be used for any payment. In addition, these lists are easy to copy. There is a risk that fraudsters will take possession of the TANs and then use them for payments in their favor. The iTAN procedure should therefore be abolished by September 14, 2019, at least for the effecting of electronic payments. However, they could continue to be used for the execution of securities transactions, since these are not covered by the scope of PSD2.
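The dynamic link described above, as an added illustration that is not part of the BaFin article: the one-time code is derived from a server-side key, a per-transaction nonce, and the canonicalised payee and amount, so that any change to the payment details (or a replay of a used code) fails verification. The HMAC construction, the 6-digit truncation and the example IBAN are assumptions chosen for the demonstration, not a prescribed method.

```python
import hashlib
import hmac
import secrets
from decimal import Decimal


def canonical_payment(payee_iban: str, amount: Decimal, currency: str) -> bytes:
    """Canonical bytes of the details the code is linked to (assumed encoding)."""
    iban = payee_iban.replace(" ", "").upper()          # "de89 3704..." == "DE893704..."
    amt = str(amount.quantize(Decimal("0.01")))         # "100" == "100.00"
    return f"{iban}|{amt}|{currency}".encode()


class DynamicLinkTan:
    """Issues and verifies TANs bound to one specific payee and amount."""

    def __init__(self, key: bytes, digits: int = 6):
        self.key = key            # in production this key would live in an HSM
        self.digits = digits
        self.used: set[bytes] = set()   # nonces already consumed: a TAN is single-use

    def _code(self, nonce: bytes, payee_iban: str, amount: Decimal, currency: str) -> str:
        mac = hmac.new(self.key, nonce + canonical_payment(payee_iban, amount, currency),
                       hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 10 ** self.digits:0{self.digits}d}"

    def issue(self, payee_iban: str, amount: Decimal, currency: str = "EUR"):
        """Return (nonce, tan, message); the message is what the payer must see
        on the second device so she can check payee and amount before approving."""
        nonce = secrets.token_bytes(16)
        tan = self._code(nonce, payee_iban, amount, currency)
        message = f"TAN {tan} for {amount:.2f} {currency} to {payee_iban}"
        return nonce, tan, message

    def verify(self, nonce: bytes, tan: str, payee_iban: str, amount: Decimal,
               currency: str = "EUR") -> bool:
        """True only if the TAN matches exactly these details and was not used before.
        A real system would additionally cap the number of failed attempts per nonce."""
        if nonce in self.used:
            return False
        ok = hmac.compare_digest(self._code(nonce, payee_iban, amount, currency), tan)
        if ok:
            self.used.add(nonce)
        return ok


if __name__ == "__main__":
    issuer = DynamicLinkTan(b"constructed-demo-key-32-bytes!!!")   # constructed key
    nonce, tan, msg = issuer.issue("DE89 3704 0044 0532 0130 00", Decimal("100"))
    print(msg)
    print("tampered amount accepted:", issuer.verify(nonce, tan, "DE89370400440532013000", Decimal("100.01")))
    print("original accepted:", issuer.verify(nonce, tan, "DE89370400440532013000", Decimal("100")))
```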
Internet payments by credit card will also change. So far, it often suffices to enter the data on the credit card — especially the card number, the expiry date and the check number on the back — on the merchant website. However, these are not elements of SCA. They satisfy neither the possession element, because one can easily write down this data and then use it independently of the card, nor the knowledge element, because unlike a password that can be kept secret, others could easily spy on this data if they — even for a short time — come into possession of the card. In the future, solutions like those used for online banking will also be necessary in e-commerce, for example the entry of a password and a TAN.
The Delegated Regulation describes cases in which payment service providers can operate without SCA. An example of such an exemption is contactless card payments. Such a payment may be made without SCA if it is below €50. Also, to prevent a lost card from being used indefinitely, a further limitation is that the card may only be used for a maximum of five consecutive payments without SCA. Alternatively, the payment service provider may decide to accept payments made without SCA up to €150 in total. If neither alternative is met, the cardholder must go through SCA. This is usually done by the additional input of the PIN. After that, the exemption is available again.
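The contactless exemption described above, as an added example that is not from the BaFin article: a small per-card state machine that decides whether a contactless payment can proceed without SCA under either alternative (five consecutive payments, or €150 in total since the last SCA), and resets the counters once the PIN has been entered. The state layout and function names are assumptions for the demonstration.

```python
from dataclasses import dataclass
from decimal import Decimal

SINGLE_PAYMENT_LIMIT = Decimal("50")    # exemption only for payments below €50
MAX_CONSECUTIVE = 5                     # alternative "count": five payments since last SCA
CUMULATIVE_LIMIT = Decimal("150")       # alternative "value": €150 in total since last SCA


@dataclass
class CardState:
    """Counters kept per card, both reset whenever SCA (PIN entry) is performed."""
    uses_since_sca: int = 0
    value_since_sca: Decimal = Decimal("0")


def sca_required(state: CardState, amount: Decimal, mode: str) -> bool:
    """mode is the alternative the issuer has chosen: 'count' or 'value'."""
    if amount >= SINGLE_PAYMENT_LIMIT:
        return True                                  # above the per-payment ceiling
    if mode == "count":
        return state.uses_since_sca >= MAX_CONSECUTIVE
    if mode == "value":
        return state.value_since_sca + amount > CUMULATIVE_LIMIT
    raise ValueError(f"unknown exemption mode {mode!r}")


def record_payment(state: CardState, amount: Decimal, mode: str) -> bool:
    """Apply the rule to one payment; returns True if SCA (PIN) had to be performed.
    A payment done with SCA unlocks the exemption again, so the counters restart at zero."""
    if sca_required(state, amount, mode):
        state.uses_since_sca = 0
        state.value_since_sca = Decimal("0")
        return True
    state.uses_since_sca += 1
    state.value_since_sca += amount
    return False


def simulate(amounts: list[Decimal], mode: str) -> list[bool]:
    """Run a sequence of contactless payments on a fresh card; True marks a PIN prompt."""
    state = CardState()
    return [record_payment(state, a, mode) for a in amounts]


if __name__ == "__main__":
    print("count:", simulate([Decimal("10")] * 7, "count"))      # 6th payment needs PIN
    print("value:", simulate([Decimal("49")] * 5, "value"))      # 4th payment needs PIN
```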
Even with card payments on the internet, SCA does not always have to be performed. Payment service providers can carry out a so-called “transaction risk analysis”. Each incoming payment is automatically checked to see whether the risk of fraud is low. If that is the case for the payment in question, SCA can be waived. However, if the payment information available to the payment service provider gives the impression of an increased risk of fraud, SCA must be carried out. Indications of an increased risk of fraud may be, for example, a deviation from the customer’s usual behavioral patterns or a similarity to known fraud patterns.
The technical details of the statistical methods applied are not prescribed; what matters above all is that the intended outcome is achieved. Concretely, the individual payment service provider must not exceed a certain level of fraud in a category of payments. The exact maximum quota is set out in the Delegated Regulation and depends on the amount of the payments for which the payment service provider wishes to make use of the exemption. If, for example, internet card payments up to €500 are to be potentially exempted, the fraud rate for such payments may not exceed 0.01 percent. Incidentally, transaction risk analysis can also be used to exempt individual online transfers from SCA; however, even stricter fraud rates apply there.
According to PSD2, SCA is also required when the user accesses their payment account online. In practice, however, single-factor authentication will often be sufficient for a plain login to online banking, for example the entry of a password, because the Delegated Regulation provides an exemption from the duty of SCA if the user only wants to view her account balance or the transaction history of the last 90 days.
However, in order to prevent the potential misuse of a compromised online banking password from being continued indefinitely, the user must perform SCA at least every 90 days.
While the principles of the new security rules are quite accessible, many market participants still have questions about the details of their implementation. BaFin is already in talks with the industry associations of the affected companies to ensure clarity. The European Banking Authority (EBA) also intends to publish FAQs on important interpretative issues of the Delegated Regulation on its website.