What is PSD2 SCA?
The new Payment Services Directive–PSD2—is designed to improve the current state of the European financial markets. It requires the banking and financial industry (BFSI) to adapt to technological advancements and proposes common standards across the EU.
PSD2 affects EU consumers’ access to banking data and payments in many ways. The provision mandates an open banking approach and higher security through new authentication methods and dynamic linking.
PSD2 mandates the implementation of strong customer authentication (SCA) as a key aspect. While SCA implies the use of at least two authentications factors from two different categories, the European Banking Authority (EBA) allows the following categories: inherence, possession, and knowledge. Learn more about EBA’s Opinion on SCA elements as of June 2019.
Why major BFSI players requested the delay of the SCA deadline
Although the deadline for SCA compliance has already been extended from September 2019 to December 2020, in an open letter to the EBA, a group of six major players in the EU payments industry called for an additional six-month delay in the implementation deadline of SCA due to the current global COVID-19 crisis.
The signatories have allocated major resources to ensure SCA readiness and EMV 3DS implementation is steadily progressing across Europe. However, the letter explains that the global COVID-19 pandemic has put “an additional strain on the limited resources for all parties involved in the payment chain,” and that it has “significantly reduced the capacity available to progress SCA development and implementation.”
The letter also states that—in today’s challenging times—, consumers are counting more than ever on the availability of e-commerce. As such, making an extensive technological change such as SCA implementation “when in crisis mode” adds risk to any deployment. Moreover, without having enough time to roll out SCA technology and allow participants to test it, more disruption to the customer experience is inevitable.
In a sensible move, the U.K.’s Financial Conduct Authority (FCA) will not take enforcement action against firms for an additional six months pushing the deadline from March 14, 2021, to September 14, 2021, in an attempt to minimize the disruption to consumers and merchants amid the current pandemic. However, the FCA states that they cannot alter the legal deadline for complying with the requirements for SCA, as decided by the EBA.
The expectation, however, is that the EBA, as well as more European National Financial Authorities, will follow the U.K.’s FCA lead and extend their deadline.
BFSI push to delay SCA, but cyber threats loom large amid COVID-19 pandemic
Despite the potential extension of the SCA-compliance deadline, as consumers are forced to stay at home, they are heavily rerouting their routines to digital channels. In turn, financial institutions are expected to deal with increased cyber threats.
Therefore, banking and financial services providers should continue with the necessary preparatory activities—such as robust end-to-end testing—to begin the application of SCA and to protect their customers and businesses from the rapidly developing cyber threats that loom large in today’s uncertain times.
However, instead of waiting for a particular version of the 3DS 2.2 communication protocol, which is advancing slowly and does not have a clear roadmap, financial institutions should look for more accessible and quick solutions to reduce the risk of missing the December 31, 2020 SCA compliance deadline, as set in the EBA’s October 2019 update.
Keystroke dynamics authentication for security and SCA compliance—in weeks, not months
TypingDNA’s proprietary algorithms authenticate users based on how they type on their keyboards—a behavioral-based technology known as keystroke dynamics—. EBA has approved typing pattern recognition technology as an inherence element of strong customer authentication under the new PSD2.
Card issuers and payment services providers can deploy keystroke dynamics authentication within the 3-D Secure protocol to comply with SCA.
Fintechs and banks can deploy keystroke dynamics within compulsory two-factor authentication (2FA) in legacy apps—both for desktop and mobile banking. In doing so, banks can enable security by ensuring customers are who they claim to be, without negatively impacting their online experience.
Contact us by filling the form at the bottom of this page to discuss how you can become SCA-compliant in less than a month.