The Overview Of SCA - Pros And Cons
Strong Customer Authentication (SCA) is mandatory for PSD2-compliant businesses in Europe. PSD2, the Second Payment Services Directive, is a European Union Directive that includes rules on access to and processing of European customers' financial account information as well as the execution of payment transactions. PSD2 replaced the PSD1 and SEPA Direct Debit mandates in Europe. This directive is an important piece of legislation for financial institutions, businesses, and customers. PSD2 rules address the three 'S's: Strong customer authentication (SCA), Secure communication, and Storage of credentials. In this article, we're going to focus on the first of these, PSD2 SCA!
Strong Customer Authentication In PSD2
PSD2 is an acronym for the "EU Directive (EU 2015/2366) on Payment Services and its Implementing Regulation (EU) 2015/2302". Quite technical, right? Well, these sorts of documents impact the lives of 500+ million EU citizens, so it's also important to look past these legal names and understand the basic concepts that influence the way we use and access particular services.
The Strong Customer Authentication model relies on three separate authentication factors. The customer has to authenticate with two out of the three factors to prove their identity. These factors are grouped into three separate categories: Inheritance, Knowledge, and Possession.
Knowledge
Customer's ID number or something only the customer knows (e.g. password, PIN code).
Possession
Customer's mobile phone or another device that is in the customer's possession (e.g. NFC watch, security token).
Inheritance
Customer's bank details (e.g. name of the beneficiary, IBAN number) or, more usually, biometric data, for example a fingerprint or Face ID.
The transaction goes through only when the customer authenticates via, for example, knowledge and inheritance (or any other combination of two factors). This prevents fraud on a very high level as these factors are quite separated from one another.
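The two-of-three rule described above, as an added example that is not part of the original article: a successful password plus a successful PIN are two methods but only one factor category, so the check counts distinct categories rather than methods. The method identifiers and the names `Verification` and `evaluate_sca` are assumptions made for this example.

```python
from dataclasses import dataclass

# Method-to-category mapping built from the examples in the text above.
# The method identifiers themselves are constructed for this example.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",
    "mobile_phone": "possession",
    "nfc_watch": "possession",
    "security_token": "possession",
    "fingerprint": "inheritance",
    "face_id": "inheritance",
}


@dataclass(frozen=True)
class Verification:
    method: str      # which authentication method was attempted
    succeeded: bool  # whether the verifier accepted it


def evaluate_sca(verifications, required=2):
    """Return (approved, categories): approve only if the successful
    verifications cover at least `required` distinct factor categories."""
    categories = set()
    for v in verifications:
        category = FACTOR_CATEGORY.get(v.method)
        if category is None:
            # Fail closed: an unmapped method must never count as a factor.
            raise ValueError(f"unknown authentication method: {v.method}")
        if v.succeeded:
            categories.add(category)
    return len(categories) >= required, sorted(categories)


if __name__ == "__main__":
    # Constructed sample attempts.
    attempts = {
        "password + PIN": [Verification("password", True), Verification("pin", True)],
        "PIN + fingerprint": [Verification("pin", True), Verification("fingerprint", True)],
        "password + failed token": [Verification("password", True),
                                    Verification("security_token", False)],
    }
    for label, vs in attempts.items():
        print(label, "->", evaluate_sca(vs))
```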
Pros Of SCA And MFA
The PSD2 SCA directive (read more about it at https://nordigen.com/en/psd2/sca/) brings a lot of advantages that should help both customers and businesses.
First, PSD2 rules are aimed at strengthening online security and minimizing the risk of fraud. PSD2 rules oblige financial institutions to adopt strong customer authentication (SCA) for PSD2 transactions that will prevent perpetrators from accessing customers' accounts without their knowledge.
Second, it allows third parties such as start-ups and competitors to offer payment services through existing account information belonging to PSD2 account holders. In short, it makes payments easier and quicker, but only in digital spaces where sufficient licensing and legal obligations are met.
Third, PSD2 rules allow payment initiation services, which would enable customers to make bank transfers with a few clicks via Facebook Messenger or WhatsApp using their online banking credentials.
Finally, PSD2 SCA is great news for small businesses as they are allowed to offer their services on a level playing field with the big players. PSD2 rules require financial institutions to establish direct communication regardless of status, size, experience, or allegiance.
Cons Of SCA And MFA
PSD2 rules also bring some disadvantages. PSD2 SCA enhances security but, on the other hand, it requires customers to switch authentication methods in order to benefit. For example, some possession authentication methods became obsolete, forcing customers who were used to them to switch.
Further, PSD2 rules allow only three possible SCA authentication factors; in order for the system to be secure enough, all of them should be required each time a customer wants to make a transaction. This can be quite limiting for PSD2 customers, especially those who are not very tech-savvy.
Consequently, PSD2 SCA poses some hurdles for banks too: they have to change the way they have been doing things so far, and PSD2 SCA requires spending a lot of money on customer authentication methods in order to have everything properly integrated.