Strong customer authentication (SCA) is a requirement of the EU Revised Directive on Payment Services (PSD2) on payment service providers within the European Economic Area. The requirement ensures that electronic payments are performed with multi-factor authentication, to increase the security of electronic payments. [1] Physical card transactions already commonly have what could be termed strong customer authentication in the EU (Chip and PIN), but this has not generally been true for Internet transactions across the EU prior to the implementation of the requirement, [1] and many contactless card payments do not use a second authentication factor.
The SCA requirement came into force on 14 September 2019. [2] However, with the approval of the European Banking Authority, [3] several EEA countries have announced that their implementation will be temporarily delayed or phased, [4] [5] with a final deadline set for 31 December 2020. [6]
Article 97(1) of the directive requires that payment service providers use strong customer authentication where a payer: [7]
(a) accesses its payment account online;
(b) initiates an electronic payment transaction;
(c) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.
Article 4(30) defines "strong customer authentication" itself (as multi-factor authentication): [7]
an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data
The European Banking Authority published an opinion on what approaches could constitute different "elements" of SCA. [3]
3-D Secure 2.0 can (but does not always [3] ) meet the requirements of SCA. 3-D Secure has implementations by Mastercard (Mastercard Identity Check) [8] and Visa [9] which are marketed as enabling SCA compliance.
E-commerce merchants must update the payment flows in their websites and apps to support authentication. [10] If authentication is not supported, many payments will be declined once SCA is fully implemented. [10]
On 31 January 2013, the European Central Bank (ECB) issued recommendations on Internet payment security, requiring strong customer authentication. [11] The ECB's requirements are technologically neutral, in order to foster innovation and competition. The public submission [12] process to the ECB identified three solutions to strong customer authentication, two of which are based on reliance authentication, and the other being the new variant of 3-D Secure which incorporates one-time passwords.
Subsequently, the European Commission drafted proposals for an updated Payment Services Directive including this requirement, which became PSD2. PSD2 strong customer authentication has been a legal requirement for electronic payments and credit cards since 14 September 2019. [13]
In 2016, Visa criticised the proposal of making strong customer authentication mandatory, on the grounds that it could make online payments more difficult, and thus hurt sales at online retailers. [14]
In 2019, consumer representation group Which? noted that many UK banks were implementing SCA by requiring a phone capable of receiving a text message or push notification. When surveyed, nearly one in five Which? members were concerned that they may be unable to make payments if there was no alternative, either due to poor reception or not owning a phone. [15]
In 2020, an independent report conducted by consultancy firm CMSPI found that the potential disruption caused by strong customer authentication (excluding the United Kingdom) could be €108 billion in 2021. [16]
The Reserve Bank of India has mandated an "additional factor of authentication" for card-not-present transactions. [17]
A proposal to make 3-D Secure mandatory in Australia was blocked by the Australian Competition & Consumer Commission in 2016 after objections. [18]
A debit card, also known as a check card or bank card, is a payment card that can be used in place of cash to make purchases. The card usually consists of the bank's name, a card number, the cardholder's name, and an expiration date, on either the front or the back. Many new cards now have a chip on them, which allows people to use their card by touch (contactless), or by inserting the card and keying in a PIN as with swiping the magnetic stripe. Debit cards are similar to a credit card, but the money for the purchase must be in the cardholder's bank account at the time of the purchase and is immediately transferred directly from that account to the merchant's account to pay for the purchase.
EMV is a payment method based on a technical standard for smart payment cards and for payment terminals and automated teller machines which can accept them. EMV stands for "Europay, Mastercard, and Visa", the three companies that created the standard.
Secure Electronic Transaction (SET) is a communications protocol standard for securing credit card transactions over networks, specifically, the Internet. SET was not itself a payment system, but rather a set of security protocols and formats that enabled users to employ the existing credit card payment infrastructure on an open network in a secure fashion. However, it failed to gain attraction in the market. Visa now promotes the 3-D Secure scheme.
An e-commerce payment system facilitates the acceptance of electronic payment for offline transfer, also known as a subcomponent of electronic data interchange (EDI), e-commerce payment systems have become increasingly popular due to the widespread use of the internet-based shopping and banking.
Friendly fraud, also known as chargeback fraud occurs when a consumer makes an online shopping purchase with their own credit card, and then requests a chargeback from the issuing bank after receiving the purchased goods or services. Once approved, the chargeback cancels the financial transaction, and the consumer receives a refund of the money they spent. Dependent on the payment method used, the merchant can be accountable when a chargeback occurs.
3-D Secure is a protocol designed to be an additional security layer for online credit and debit card transactions. The name refers to the "three domains" which interact using the protocol: the merchant/acquirer domain, the issuer domain, and the interoperability domain.
Gemalto was an international digital security company providing software applications, secure personal devices such as smart cards and tokens, e-wallets and managed services. It was formed in June 2006 by the merger of two companies, Axalto and Gemplus International. Gemalto N.V.'s revenue in 2018 was €2.969 billion.
Virtual currency, or virtual money, is a digital currency that is largely unregulated, issued and usually controlled by its developers, and used and accepted electronically among the members of a specific virtual community. In 2014, the European Banking Authority defined virtual currency as "a digital representation of value that is neither issued by a central bank or a public authority, nor necessarily attached to a fiat currency but is accepted by natural or legal persons as a means of payment and can be transferred, stored or traded electronically." A digital currency issued by a central bank is referred to as a central bank digital currency.
The Payment Card Industry Data Security Standard is an information security standard used to handle credit cards from major card brands. The standard is administered by the Payment Card Industry Security Standards Council, and its use is mandated by the card brands. It was created to better control cardholder data and reduce credit card fraud. Validation of compliance is performed annually or quarterly with a method suited to the volume of transactions:
The payment card industry (PCI) denotes the debit, credit, prepaid, e-purse, ATM, and POS cards and associated businesses.
Credit card fraud is an inclusive term for fraud committed using a payment card, such as a credit card or debit card. The purpose may be to obtain goods or services or to make payment to another account, which is controlled by a criminal. The Payment Card Industry Data Security Standard is the data security standard created to help financial institutions process card payments securely and reduce card fraud.
The Revised Payment Services Directive (PSD2, Directive (EU) 2015/2366, which replaced the Payment Services Directive (PSD), Directive 2007/64/EC) is an EU Directive, administered by the European Commission (Directorate General Internal Market) to regulate payment services and payment service providers throughout the European Union (EU) and European Economic Area (EEA). The PSD's purpose was to increase pan-European competition and participation in the payments industry also from non-banks, and to provide for a level playing field by harmonizing consumer protection and the rights and obligations of payment providers and users. The key objectives of the PSD2 directive are creating a more integrated European payments market, making payments more secure and protecting consumers.
A card security code is a series of numbers that, in addition to the bank card number, is printed on a credit or debit card. The CSC is used as a security feature for card not present transactions, where a personal identification number (PIN) cannot be manually entered by the cardholder. It was instituted to reduce the incidence of credit card fraud. Unlike the card number, the CSC is deliberately not embossed, so that it is not read when using a mechanical credit card imprinter which will only pick up embossed numbers.
European Banking Supervision, also known as the Single Supervisory Mechanism (SSM), is the policy framework for the prudential supervision of banks in the euro area. It is centered on the European Central Bank (ECB), whose supervisory arm is referred to as ECB Banking Supervision. EU member states outside of the euro area can also participate on a voluntary basis, as was the case of Bulgaria as of late 2023. European Banking Supervision was established by Regulation 1024/2013 of the Council, also known as the SSM Regulation, which also created its central decision-making body, the ECB Supervisory Board.
Reliance authentication is a part of the trust-based identity attribution process whereby a second entity relies upon the authentication processes put in place by a first entity. The second entity creates a further element that is unique and specific to its purpose, that can only be retrieved or accessed by the authentication processes of the first entity having first being met.
In financial services, open banking allows for financial data to be shared between banks and third-party service providers through the use of application programming interfaces (APIs). Traditionally, banks have kept customer financial data within their own closed systems. Open banking allows customers to share their financial information securely and electronically with other banks or other authorized financial organizations such as payment providers, lenders and insurance companies.
Banking as a service (BaaS) is the provision of banking products to non-bank third parties through APIs.
Auka is a Norwegian, VC-backed financial technology company. Its PSD2 compliant technology platform enables banks to issue white label mobile payments products to their private and merchant customers.
The development of neobanks in Europe is a trend in the European financial landscape beginning in the 2010s. Neobanks are a type of digital-only bank that offer financial services primarily through mobile and web applications, with little or no reliance on physical branches. The trend was driven by advancements in technology, changing consumer preferences, and supportive regulatory frameworks. Neobanks provide a range of services, including personal accounts, loans, and payment services, with a focus on user-friendly interfaces, low fees, and innovative features. In 2022, European neobank market have generated over 570B transactions.
The Central Electronic System of Payments (CESOP) regime is an automatic exchange of information regime being introduced in the European Union from 1 January 2024. The rules were introduced by Council Directive 2020/284, amending the EU's Value-added tax Directive.