PSD2 Strong Customer Authentication – time to prepare and adjust for the reality of two factor authentication

TRUSTECH – CANNES – The EUs 2nd Payment Services Directive is designed to be a game-changing piece of legislation to increase competition in retail banking sector. Adopted in 2016, it applied from 13th January 2018 onwards by which time EU Member States are required to have implemented the Directive into their national law.



PSD2 text mandated the European Banking Authority (EBA) to define the new security standards in consultation with industry. The resulting regulation on Strong Customer Authentication (SCA) is directly applicable across EU from Sept 2019. Hence, we are currently in a transitionary period giving industry sufficient time to prepare, adjust and comply with the new rules on Strong Customer Authentication (SCA) which will apply across the EU from 13th September 2019 onwards. This article provides an overview of the new SCA rules.

The SCA procedure

From 13th September 2019, all remote electronic payments in the EU will require SCA or Strong Customer Authentication. SCA is a two factor authentication procedure to be carried out by an issuer to identify cardholder before any payments approval.

The SCA procedure requires at least two independent factors from the following three categories. The rules do not stipulate what the procedure must be and instead allows the market to decide.

• Knowledge: something a user knows (e.g. secret code)

• Possession: something a user possesses (e.g. smartphone)

• Inherence: something a user is (e.g. fingerprint, voice or facial characteristics).

In-scope vs. out-of-scope

Cash payments are therefore out of scope. As are payments using a physical card at a POS terminal, which are already secured via two-factor authentication (i.e. chip and PIN). The new SCA rules essentially attempt to mirror this level of security for remote payments.

All customer-initiated transactions are in-scope of SCA rules. In other words, SCA applies to all transactions triggered by customers. However, some transaction types are out-of-scope. These include some merchant-initiated transactions such as direct debit where a contract or an e-mandate agreement has been signed between the payee and the payer. Also out of scope are so-called ‘one leg transactions’ where, for example, a US issued card is used online at an EU merchant. Mail order and telephone order (MOTO) payments are also out of scope.

SCA exemptions do exist

Specific named SCA exemptions do exist which only issuers and acquirers can apply. These exemptions are as follows.

Subject to acquirer agreements, merchants may be able to request their acquirers to apply exemptions.

1. Contactless payments at POS (Article 11 RTS) – no SCA is required for contactless payments such as contactless cards as well as contactless payments initiated by mobile wallets. The maximum limit is set at €50.

2. Unattended terminals for transport fares and parking fees (Article 12 RTS) – no SCA is required, reflecting the uniqueness of this transaction category and desire to further foster payment options regarding transit ticketing and parking fee payments.

3. Trusted beneficiaries / Whitelisting (Article 13 RTS) – SCA is not required for payees / merchants that a payer designates as trusted. Issuers are permitted to enable card holders to create and manage a list of trusted merchants – also known as a ‘whitelist’. However, an SCA is require when a cardholder adds or amends a merchant on the list – thereafter SCA is exempted.

4. Recurring transactions (Article 14 RTS) – SCA is not required for a series of recurring transactions with the same amount and with the same payee. However, an SCA is required when a payer creates, amends, or initiates for the first time a series of recurring payments.

5. Credit transfers between accounts held by the same person (Article 15 RTS) – no SCA is required for credit transfers where the payer and the payee are the same person and both accounts are held by the same bank. An example would be transferring funds from a current account to a savings account.

6. Low-value remote transactions (Article 16 RTS) – no SCA is required for payments below €30. SCA is required after a cumulative total of €100 or after the fifth transaction since SCA.

7. Secure corporate payment processes and protocols (Article 17 RTS) – no SCA is required for corporate payments as long as certain equivalent security thresholds are met. These are to not set at an EU level, rather each individual EU member state regulator can decide if the equivalence conditions are met.

8. Transaction Risk Analysis (TRA) (Article 18 RTS) – Transaction risk analysis is allowed to exempt SCA on transaction up to a maximum value of €500. Provided that transaction monitoring is in place, and that fraud is kept below the ‘reference fraud rate’ at each Exemption Threshold Values (ETV). It is important to note that merchants cannot apply this exemption by themselves. Only issuers and acquirers can do so. This is a departure from the current situation where a merchant can decide whether to accept liability for an ‘unsecure’ e-commerce transaction or secure it by implementing 3D Secure and shifting the liability over to the issuer. However, merchants can agree bilaterally with their acquirer to share liability risk and thereby retain control over their customer’s experience.

Implications and business conclusions

SCA is a reality and all participants in the payments value chain need to prepare and adjust in time for the deadline on 13th September 2019. SCA rules raise many strategic as well as technical questions for all players and stakeholder on the payment value chain. These range from whether fraudster may shift to attack out of scope channels such as MOTO through to the ongoing business value of risk scoring capabilities to merchants.