Business Benefits from Strong Customer Authentication (SCA)
Strong authentication isn't simply a compliance exercise but can also be a driver for innovation.
What is Strong Customer Authentication (SCA)?
Authentication is the process of proving who I am and confirming my intention to perform an action such as allowing access to account information or making a payment transfer – all electronically. Strong customer authentication is a European regulatory requirement that is based on the use of two or more of the following elements: knowledge (something only the user knows, such as a password), possession (something only the user possesses, such as a mobile phone or a code generating device), and inherence (something the user is, such as their facial or fingerprint biometric data).
What’s the hurry?
While the Payment Services Directive 2 (PSD2) came into force from January 2018 and requires SCA, SCA will only be enforced from 1st January 2021.
A short recap of PSD2:
- PSD2 was created to stimulate innovation, participation and competition from non-banks in electronic payment services AND increase consumer protection by making payments safer and more secure
- PSD2 requires banks to open APIs to third parties such as fintechs to perform account to account transactions and access account information such as transaction history
- SCA applies to any electronic payment transaction with at least one leg in the EU or EEA – whether it is a payment card transaction or an account transaction
- PSD2 relies on SCA – this is the key to protect consumers and allow trusted third parties to access bank accounts
What constitutes SCA and why is it so hard to deliver?
SCA requires two-factor authentication and dynamic linking (meaning a clear and unforgeable message to the consumer) to make sure that the consumer is fully informed and makes an active decision to authorise a payment transaction. In other words, in order to successfully process a payment under the new rules, banks must ask the customer for at least two authentication factors – for instance, a PIN or password entered on their mobile device would constitute two factors – knowledge and possession.
Despite the business opportunities PSD2 has opened, the adoption of SCA has been slower than the European authorities would have preferred. The reason for this is that implementing SCA requires a well-designed user experience to minimize friction, and striking the balance between SCA and UX has proven to be a challenge to some companies.
There are exceptions where SCA is not required – in particular for regular subscriptions and transaction values less than EUR30.
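An added sketch (not from the original post or from Signicat) of the checks this section describes: the two exceptions named above, two factors from different categories, and an authentication code that is only valid for the amount and payee the consumer was shown. It assumes an HMAC key held on the customer's device stands in for the possession factor; all function names, the key and the sample values are hypothetical.

```python
import hashlib
import hmac

# Factor categories as the page lists them.
CATEGORIES = {"knowledge", "possession", "inherence"}
LOW_VALUE_LIMIT_CENTS = 3000  # "less than EUR30" exception named on the page


def sca_required(amount_cents: int, recurring_subscription: bool) -> bool:
    """Apply the two exceptions the page names; everything else needs SCA."""
    return not (recurring_subscription or amount_cents < LOW_VALUE_LIMIT_CENTS)


def factors_sufficient(verified: dict) -> bool:
    """verified maps a factor name to its category, e.g. {"pin": "knowledge"}."""
    return len(set(verified.values()) & CATEGORIES) >= 2


def _canonical(amount_cents: int, currency: str, payee: str) -> bytes:
    # Length-prefix each field so field boundaries cannot be shifted.
    parts = [str(amount_cents), currency, payee]
    return b"".join(len(p.encode()).to_bytes(2, "big") + p.encode() for p in parts)


def auth_code(device_key: bytes, amount_cents: int, currency: str, payee: str) -> str:
    """Code computed over exactly the amount and payee shown to the user."""
    msg = _canonical(amount_cents, currency, payee)
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


def authorise(device_key, code, amount_cents, currency, payee, verified,
              recurring=False) -> str:
    if not sca_required(amount_cents, recurring):
        return "exempt"
    if not factors_sufficient(verified):
        return "rejected: need two factor categories"
    # Recompute from the transaction actually being executed (dynamic linking).
    expected = auth_code(device_key, amount_cents, currency, payee)
    if not hmac.compare_digest(expected, code):
        return "rejected: code not linked to this amount/payee"
    return "authorised"
```

A code approved for one amount and payee fails verification if either value is changed before execution, and two factors from the same category (for example a password plus a PIN) do not pass the factor check.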
In this blog post, we explore how to turn SCA from a perceived problem to a business opportunity.
What’s happening today?
We ran an informal and highly unscientific poll at our webinar on Business Benefits with Strong Customer Authentication to better understand current status and plans. There were some interesting takeaways:
- Despite the fact that the deadline is looming, not everyone is ready.
- The most important choice for SCA is existing electronic IDs such as Bank ID in Sweden – however, this may be a reflection of the webinar audience, which was largely from the Nordics, where eIDs are the most used authentication method.
- The most important motivation to deploy SCA remains fraud – reflecting the importance of the industry challenge.
SCA Requirements
Strong Customer Authentication (SCA) is a crucial regulatory requirement aimed at enhancing the security of online payments and reducing fraud. Defined by the European Union's Payment Services Directive (PSD2), SCA mandates that banks and businesses implement multi-factor authentication for certain transactions. This process involves at least two of three elements: knowledge (something the user knows), possession (something the user has), and inherence (something the user is). SCA compliance is essential for any business handling online payments within the European Economic Area (EEA). Understanding the SCA meaning and its implications is vital for meeting regulatory technical standards on strong customer authentication. For businesses, this means ensuring that SCA requirements are met, particularly when SCA authentication is required for online payments. By adhering to SCA regulations, companies can better protect their customers and reduce the risk of payment fraud.
Embrace SCA, don’t avoid it
SCA offers some fundamental business benefits, and with the right mindset, can strengthen the business through the following:
Innovation and Customer Acquisition
With a simple SCA process, it is possible to take the customer from mere interest in your service or products to settling a payment in only a few minutes. With SCA, using new services becomes easier – such as top-up and pre-paid credit cards, self-service management of geographical limits and merchant or transaction specific credit cards, spending analytics, special offers, and more – as all these services require SCA to be set up and used. With a poor and cumbersome SCA (such as SMS OTP + password), the use of new and innovative services such as the examples given above is much harder.
Increased Security for Consumers
For consumers, SCA is a lock with a secure key to protect their money. Getting a lock with a secure and easy-to-use key establishes trust with consumers. The easiest and most secure key gets used the most, so a well-implemented SCA provides the opportunity to become card number 1.
For society, SCA combats money laundering, human trafficking and terrorism by making access to money more difficult for illegal uses. Furthermore, SCA is an equaliser – combined with digital identity verification, it can give everyone with a mobile phone access to money and accounts, with adapted access levels for refugees and other hard-to-serve consumer groups. Governments and banks can efficiently handle benefit disbursements and basic bank accounts to manage the funds.
Compliance
SCA is a core element of compliance which ensures a level playing field for all actors in the payment market – incumbent banks and new entrants alike, as SCA mechanisms must be made available by the incumbent banks. Compliance is just the beginning; any SCA solution must be compliant but then needs to be improved to deliver a fantastically convenient user experience.
SCA Compliance
SCA compliance is a critical aspect of meeting the regulatory technical standards on Strong Customer Authentication (SCA) as mandated by the European Union's Payment Services Directive (PSD2). Businesses and financial institutions must ensure that their payment processes adhere to SCA requirements to prevent unauthorised access and fraudulent transactions. SCA compliance involves implementing multi-factor authentication, where at least two independent elements—such as something the customer knows, has, or is—are used to authenticate payments.
Understanding the meaning of SCA and the requirements for SCA authentication is essential for any organisation operating within the European Economic Area (EEA). Failure to comply with SCA regulations can lead to significant penalties and increased fraud risks. Maintaining SCA compliance is not only about meeting legal obligations, but also about enhancing customer trust and securing online transactions.
SCA Payments
SCA payments refer to transactions that require Strong Customer Authentication (SCA) under the European Union's Payment Services Directive (PSD2).
These SCA payments involve the application of multi-factor authentication to ensure that the payment process is secure and that the customer is properly authenticated before completing the transaction. SCA payment regulations mandate that businesses and banks implement these security measures to reduce the risk of fraud in online and electronic payments. Understanding what SCA payments are and when SCA is required is crucial for any business operating within the European Economic Area (EEA). By adhering to SCA compliance, businesses can protect their customers and ensure that their payment processes meet the regulatory technical standards on strong customer authentication. This not only helps in preventing unauthorised transactions, but also enhances customer confidence in the security of their online payments.
Four easy steps to realise business benefits of SCA
From experience with a number of other payment issuers and banks, we have the following easy steps to realise the business benefits described above through strategic use of SCA – and become the consumers’ payment method #1:
1. It’s a mindset
Embrace SCA as an opportunity to demonstrate service security and build trust with the consumer. For instance, SCA using biometrics and a simple push message gives reassurance of payment without being intrusive.
2. Consider customer onboarding and “getting the customer back in” as a seamless continuation of customer interactions
Combine a simple Know your Customer (KYC) process using an existing digital identity (eID) or user experience (UX) optimised document validation for an Anti-Money Laundering (AML) compliant customer due diligence process. This process should establish a digital identity for the consumer, which is combined with biometrics to create a simple-to-use strong customer authentication.
Step 1: Online identity verification using eID or document verification to ensure AML compliant customer identity validation. Use this validated customer identity to create a digital identity.
Step 2: Bind the digital customer identity to a strong authentication method such as biometrics to make it easy to come back as a verified customer.
3. Start with compliance…
Ensure the authentication solution fulfils both PSD2 SCA and 3DS v2.2 requirements – this means both two-factor authentication and dynamic linking.
4. ...continue to build a great UX for repeat interactions and engagements
Continue to improve and iterate on the UX to optimise the flow and conversion rates.
Strong Customer Authentication Solutions
Signicat offers robust Strong Customer Authentication (SCA) solutions that help businesses comply with the regulatory technical standards on strong customer authentication as mandated by the European Union's Payment Services Directive (PSD2). With Signicat's SCA solutions, organisations can implement multi-factor authentication, ensuring that at least two elements—such as knowledge, possession, or inherence—are used to authenticate users securely.
These solutions are designed to meet SCA requirements, providing seamless and secure authentication of payments, which is essential for reducing fraud and maintaining compliance. Signicat's platform is tailored to help businesses navigate the complexities of SCA compliance, offering strong customer authentication that is both effective and user-friendly.
SCA and Banks
SCA bank requirements are crucial for financial institutions operating under the European Union's Payment Services Directive (PSD2). Banks must implement Strong Customer Authentication (SCA) to enhance the security of online and electronic transactions, ensuring that customers are authenticated using at least two of the three factors: knowledge, possession, and inherence.
SCA banking processes are designed to protect against unauthorised access and reduce the risk of fraud in digital payments. For a bank, SCA compliance is not just about meeting regulatory standards; it is also about building trust with customers by safeguarding their sensitive financial information. By integrating SCA, banks can offer a secure and seamless banking experience, aligning with the stringent SCA regulations and contributing to overall payment security within the European Economic Area (EEA).
Watch the recording of our webinar on Business Benefits of SCA with Monika Liikamaa (CEO and Co-Founder Enfuce), Mikaela Linders (Business Developer SEB Card), Matias Pietilä (Head of Design Qvik) and Marie Austenaa (VP Market Development Signicat).