Overview of the Strong Customer Authentication requirements
The Second Payment Services Directive (PSD2) introduces SCA to improve the security of payments and limit fraud during the authentication process between the payment user and payee. SCA builds on the EBA’s December 2014 Guidelines on the Security of Internet Payments. SCA is a means of authentication based on the use of two or more elements from the following categories: knowledge, something only the user knows (e.g., a password or PIN); possession, something only the user holds (e.g., a card chip or a token); and inherence, something only the user is (e.g., a fingerprint or voice recognition). The breach of one element should not compromise the reliability of the others, and authentication protects the confidentiality of customers’ personalised security credentials (PSCs).
Although PSD2 has applied since 13 January 2018, SCA was not due to take effect until 14 September 2019, in order to provide the payments industry with sufficient time to prepare, including addressing the technical challenges involved. However, in light of industry concerns about readiness to apply SCA to e-commerce card transactions, and to limit potential disruption to payment users and merchants, the European Banking Authority (EBA) accepted that national supervisors might give firms additional time and published an Opinion on 21 June 2019.