With the continuing rise in online shopping and online banking, both web and mobile comes an increased risk of cybercrime. To combat this, the European Banking Agency (EBA) presented it’s Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) in 2017, including follow-up clarifications and opinions.[0]
News On SCA For Open Banking
SCA can be defined as:
«An authentication based on the use of two or more elements categorized as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is).[1]»
These must be independent from one another, in that the breach of one does not compromise the reliability of the others, and be designed in such a way as to protect the confidentiality of the authentication data.
This means that payment providers must comply with SCA by delivering a combination of 2 of these element categories – for example, PIN (knowledge) and fingerprint recognition (inherence).
At the moment, the most common way of authenticating an online card payment relies on 3D Secure (3DS) – an authentication standard reported by the majority of European cards. Applying 3DS, customers need to provide additional information to complete the transaction, usually a code that is sent to their phones.
A new version of this standard, 3DS-v2, although not mandatory by SCA compliance, is bringing usefull features like more information in messages which will allow financial institutions more flexibility (for example, in applying SCA exemptions).
EBA published on 21 June 2019 an official opinion[2] with what are valid and non-valid examples for each one of the three authentication elements: knowledge, possession and inherence:
Tables 1, 2 and 3 are a summary of examples in what does and does not constitute inherence, possession and knowledge elements under the RTS and SCA.
Based on this information, one of the biggest concerns for banks is that the SMS OTP is valid only as a possession element (table 2) and not as a knowledge element (table 3).
This means that, to be compliant with the RTS on SCA, financial entities must have more than just the SMS OTP. They are required to have other elements for tables 1 and 3 as well involved in the operation.
Additionally, the matrix cards used by many banks in the login are no longer valid as elements for online authentication, bundling them in a similar situation with the data printed on credit cards[2]:
29. The EBA is also of the view that printed matrix cards or printed OTP lists are designed to authenticate the PSU are not a compliant possession element for approaches currently observed in the market, for similar reasons to those mentioned for card details above, namely that they are unlikely to comply with the requirements under Article 7 of the RTS.
PSD2 (Payment Services Directive 2) arises as an update of the first Payment Services Directive (PSD) from 2009, having a final implementation date of 14/September/2019.
SCA is a PSD2 requirement of payment service providers for making online payments more secure and prevent financial fraud.
Payments need to go through a stronger ID verification and therefore, all banks across European Union (EU) must add at least two-factor SCA on their online operations. PSD2 refers to the RTS on SCA for the compliance, and the need for SCA is not restricted to the new API channel imposed by PSD2 but to all online transactions including existing mobile or web homebanking (some exceptions may apply).
Banks should not only comply with these new regulations but try to benefit from them as well. We already see many banks deploying solutions to aggregate client information in their homebanking sites.
SCA is a PSD2 requirement of payment service providers for making online payments more secure and prevent financial fraud.
Payments need to go through a stronger ID verification and therefore, all banks across European Union (EU) must add at least two-factor SCA on their online operations. PSD2 refers to the RTS on SCA for the compliance, and the need for SCA is not restricted to the new API channel imposed by PSD2 but to all online transactions including existing mobile or web homebanking (some exceptions may apply).
Banks should not only comply with these new regulations but try to benefit from them as well. We already see many banks deploying solutions to aggregate client information in their homebanking sites.
The implementation of PSD2 is restructuring the payment sectors, and as such, it is important for companies to change their systems to new SCA methods!
