Strong authentication isn’t simply a compliance exercise but can also be a driver for innovation.
What is SCA – Strong Customer Authentication (SCA)?
Authentication is the process of proving who I am and confirming my intention to perform an action such as allowing access to account information or making a payment transfer – all electronically. Strong customer authentication is a European regulatory requirement that is based on the use of two or more of the following elements: knowledge (something only the user knows, such as a password), possession (something only the user possesses, such as a mobile phone or a code generating device), and inherence (something the user is, such as their facial or fingerprint biometric data).
What’s the hurry?
While the Payment Services Directive 2 (PSD2) came into force from January 2018 and requires SCA, SCA will only be enforced from 1st January 2021.
A short recap of PSD2:
- PSD2 was created to stimulate innovation, participation and competition from non-banks in electronic payment services AND increase consumer protection by making payments safer and more secure
- PSD2 requires banks to open APIs to third parties such as fintechs to perform account to account transactions and access account information such as transaction history
- SCA applies to any electronic payment transaction with at least one leg in the EU or EEA – whether it is payment card transaction or account transactions
- PSD2 relies on SCA – this is the key to protect consumers and allow trusted third parties to access bank accounts
What constitutes SCA and why it is so hard to deliver?
SCA requires two factor authentication and dynamic linking (meaning a clear and unforgeable message to the consumer) to make sure that the consumer is fully informed and makes an active decision to authorise a payment transaction. In other words, in order to successfully process a payment under the new rules, banks must ask customer for at least two authentication factors – for instance, a PIN or password entered on their mobile device would constitute two factors – knowledge and possession.
Despite the business opportunities PSD2 has opened, the adoption of SCA has been slower than the European authorities would have preferred. The reason for this is that implementing SCA requires well designed user experience to minimize friction, and striking the balance between SCA and UX has proven to be a challenge to some companies.
There are exceptions where SCA is not required – in particular for regular subscriptions and transaction values less than EUR30.
In this blog post, we explore how to turn SCA from a perceived problem to a business opportunity.
What’s happening today?
We ran an informal and highly unscientific poll at our webinar on Business Benefits with Strong Customer Authentication (here)– to better understand current status and plans. There were some interesting take-aways:
Despite the fact that the deadline is looming, not everyone is ready:
The most important choice for SCA is existing electronic IDs such as Bank ID in Sweden – however, this may be a reflection of the webinar audience which were largely from the Nordics where eIDs is the most used authentication method
The most important motivation to deploy SCA remains fraud – reflecting the importance of the industry challenge
Embrace SCA, don’t avoid it
SCA offers some fundamental business benefits, and with the right mindset, can strengthen the business through the following:
Innovation and Customer Acquisition
With a simple SCA process, it is possible to take the customer from mere interest in your service or products, to settling a payment in only a few minutes. With SCA, using new services become easier – such as top-up and pre-paid credit cards, self-service management of geographical limits and merchant or transaction specific credit cards, spending analytics, special offers, and more – as all these services require SCA to be set-up and used. With a poor and cumbersome SCA (such as SMS+OTP + password), the use of new and innovative services such as the examples given above, is much harder.
Increased Security for Consumers
For the consumers, SCA is a lock with a secure key to protect their money. Getting a lock with a secure and easy to use key establishes trust with the consumers. The easiest and most secure key gets most used – where well implemented SCA provides the opportunity to become card number 1.
For society, SCA combats money laundering, human trafficking and terrorism by making access to money more difficult for illegal uses. Furthermore, SCA is an equaliser – combined with digital identity verification, it can enable everyone with a mobile phone access to money and accounts with adapted access levels for refugees and other hard-to-serve consumer groups. Governments and banks can efficiently handle benefit disbursements and basic bank account to manage the funds.
SCA is a core element of compliance which ensures a level playing field for all actors in the payment market – incumbent banks and new entrants as SCA mechanisms must be made available by the incumbent banks. Compliance is just the beginning; any SCA solution must be compliant but then needs to be improved to deliver a fantastically convenient user experience.
The above is an example of the use of Swedish BankID for strong customer authentication; the automatic app switching combined with biometrics gives a very simple and convenient but secure payment process
Four easy steps to realise business benefits of SCA
From experience with a number of other payment issuers and banks, we have the following easy steps to realise the business benefits described above through strategic use of SCA – and become the consumers’ payment method #1:
1. It’s a mindset
Embrace SCA as an opportunity to demonstrate service security and build trust with the consumer. For instance, SCA using biometrics and a simple push message gives reassurance of payment without being intrusive.
2. Consider customer onboarding and “getting the customer back in” as a seamless continuation of customer interactions
Combine a simple Know your Customer (KYC) process using an existing digital identity (eID) or user experience (UX) optimised document validation for an Anti-Money Laundering (AML) compliant customer due diligence process; this process should establish a digital identity for the consumer which is combined with biometrics to create a simple to use strong customer authentication
Step 1: Online identity verification using eID or document verification to ensure AML compliant customer identity validation. Use this validated customer identity to create a digital identity
Step 2: Bind the digital customer identity to a strong authentication method such as biometrics to make it easy to come back as a verified customer
3. Start with compliance…
Ensure the authentication solution fulfils both PSD2 SCA and 3DS v2.2 requirements – this means both two-factor authentication and dynamic linking.
4. …continue to build a great UX for repeat interactions and engagements
Continue to improve and iterate on the UX to optimise the flow and conversion rates
How to solve SCA in the best way for your business
Watch the recording of our webinar on Business Benefits of SCA with Monika Liikamaa (CEO and Co-Founder Enfuce), Mikaela Linders (Business Developer SEB Card), Matias Pietilä (Head of Design Qvik) and Marie Austenaa (VP Market Development Signicat).
Download the Strong Customer Authentication in Practice Whitepaper.