The EU’s second payment services directive (PSD2) is steadily gaining interest as the deadline for compliance — September 14, 2019 — draws nearer. After that date, the payments landscape will be more secure, though many banks, payment service providers, and business owners are putting forth a lot of effort to comply with PSD2’s requirements.
One aspect business owners are focused on is strong customer authentication, a key component of PSD2. We explore SCA and its impact on online businesses below.
Strong customer authentication and your online business
What is strong customer authentication?
The European Commission defines strong customer authentication (SCA) as authentication that uses at least two of three verification elements:
- Knowledge — something only the user knows. “These are things like a password or a PIN,” explains Jeremy Bellino of Worldpay.
- Possession — something only the user possesses. “Think debit or credit card, or a mobile phone,” Bellino says.
- Inherence — something the user is. “This will involve some type of biometric identifier, such as facial recognition or a fingerprint scan,” Bellino notes.
The main purpose of SCA is to reduce fraud from card-not-present (CNP) transactions, which represents a significant portion (73 percent) of card fraud, according to a 2018 report by the European Central Bank.
Stephen Hart of Cardswitcher, a payment processing comparison site, says customers are often hesitant to buy products online from a seller they don’t know, but he adds that SCA helps build confidence in the purchasing process.
“Customers are right to be skeptical, given the lag in updating security practices,” Hart says. “However, SCA represents a big leap in modernizing online security. Business owners who use it will help build trust with their customers, since those customers can be assured you are safeguarding their data from fraudulent parties.”
Why is strong customer authentication important?
“Customer data needs to be secured to protect their identity and financial well-being,” says Uku Tomikas of Messente Communications. He notes that online services are collecting more and more data about people, from phone numbers to email addresses to dates of birth. This includes more habitual data as well, such as browsing and purchasing habits and the types of online services and tools people use.
While each data point is insignificant on its own, Tomikas says, “combining them can give bad actors what they need to cause financial harm, such as with unauthorized purchases and identity theft, to otherwise unaware consumers. SCA helps mitigate such harm.”
Who is strong customer authentication for?
While SCA certainly provides customers with a safer online purchasing experience, business owners also benefit. Fraudulent CNP transactions hurt business owners due to lost revenue, often unrecoverable inventory sent to phony customers, and diminished trust from actual customers.
Ollie Smith of ExpertSure says SCA provides online businesses with “a critical level of protection when dealing with online payments. Ensuring that each payment is performed with multifactor verification significantly diminishes fraud rates.”
How is strong customer authentication delivered?
The technical vehicle that delivers SCA is 3D Secure 2.0, a protocol for authenticating a cardholder’s online transaction and verifying their identity. It’s also used to provide a cardholder’s account information. There’s a lot more to 3D Secure 2.0, including the improvements over its predecessor, 3D Secure 1.0, which is why we devoted an entire post to it.
PSD2 is a complex topic for business owners. To help clarify this and other components of the directive, including SCA exemptions you may be able to take advantage of, we created a lengthy guide on becoming PSD2 compliant.