By Angie White, iovation manager, a TransUnion company
In case you haven’t seen, there’s good and bad news for Payment Service Providers (PSPs) in regards to Strong Customer Authentication (SCA) compliance for the Revised Payment Service Directive (PSD2). That’s because the recent European Banking Authority (EBA) opinion on SCA brought some much needed clarity about which factors will satisfy SCA requirements, and possibly some relief for those that won’t be ready by this September.
Echoing research from an earlier report we conducted with research and advisory firm Aite Group, the EBA conceded that the market is widely unprepared to meet the September 14 deadline to implement SCA requirements, especially for downstream actors such as merchants. Adding more fuel to the fire, the British Retail Consortium estimates that 25 percent to 30 percent of online purchases may fail when the SCA measures are rolled out.
Flexibility on SCA Implementation Timeline
The good news: In an effort to avoid disruption to online transactions because they do not meet the SCA requirements, the EBA has agreed that the Competent Authorities (CAs) may “decide to work with PSPs and relevant stakeholders, including merchants, to provide limited additional time to allow issuers to migrate to authentication approaches that are compliant with SCA.” The bad news: The EBA stressed that such leeway will only be available when payment service providers:
Set up a migration plan
Have agreed to the migration plan with their CA
Execute the plan in an expedited manner
It is hoped that this additional flexibility will help merchants handle the transition, and ease disruption for consumers.
We’ve already seen some CAs respond. In the UK, the FCA has announced that they will hold on enforcement of SCA requirements for 18 months, provided that PSPs and merchants can demonstrate they have a plan in place and are working to implement SCA expeditiously.
In their recent opinion the EBA has also provided more clarity on whether specific authentication factors will satisfy SCA requirements for the elements categorized as: inherence, possession and knowledge.
Compliance of Inherence Factors
The EBA has confirmed that biometric authentication factors such as fingerprint, hand and face geometry, retina and iris scanning, voice recognition and even vein pattern recognition are all compliant inherence factors for SCA. Interestingly, a number of what are considered behavioural biometric factors were also included, e.g. keystroke dynamics which is how quickly or slowly a person types on average. This method is frequently used to identify bots. For instance, if an application is filled out in less than a second, that’s obviously not a human behaviour. Other compliant behavioural biometrics include heart rate or body movement patterns as well as the angle at which the device is held.
Not SCA Compliant
Compliance of Possession Factors
Devices, cards, apps and browsers were all substantiated as possible possession elements. The key here seems to be that there needs to be a reliable means to confirm possession. There are a number of ways that the EBA outlined to accomplish this, for example — generation of a one-time password (OTP). This can include tokens, text messages (SMS) or push notifications. Another method to confirm possession is to provide evidence of device binding, demonstrating a unique connection between the app and the device, or the browser and the device. Quick response (QR) codes are another way to verify possession.
An app simply being installed on a device is not enough to qualify as a possession element. Card details, e.g. a consumer entering their credit card number, expiration date and security code, do not satisfy the possession requirements. The EBA did note however that the adoption of dynamic card security codes – codes that are not printed on a card and change regularly – could possibly meet possession requirements.
Not SCA Compliant
Compliance of Knowledge Factors
For knowledge factors, the EBA outlined that traditional factors such as password and PIN are compliant with SCA. They clarified that factors that go into establishing possession, e.g. OTP, do not also qualify as knowledge factors. They elaborated that a knowledge element should exist prior to the initiation of online access or payment. Factors should also not be publicly discoverable elements such as email address and username.
Not SCA Compliant
The role of 3-D Secure in SCA
The EBA has also clarified that 3-D Secure does not qualify as an inherence factor, and does not meet SCA requirements. For those that might already be working on 3-D Secure, not to despair; the EBA did encourage the use of the communication protocol to:
· Help ensure customer convenience
· Help drive down fraud through data sharing, and
· Help in meeting transaction risk analysis requirements and gaining exemptions to SCA
So while 3-D Secure doesn’t currently satisfy any SCA requirements, it can definitely help in your overall strategy.
This issue can easily be remedied by layering a possession factor onto your existing authentication system. Consumers simply pair any device used to access your services to their account, then on subsequent visits they can transparently authenticate into your system–elping you satisfy SCA requirements without adding friction for good consumers.
If you need to fully address the SCA requirements, mobile multi-factor authentication (MFA) can easily be layered onto existing systems. With mobile MFA, the consumer’s device becomes their authenticator, providing all three factors of knowledge (PIN, swiping path), possession (device, wearable factor) and inherence (fingerprint, facial scan) right within your mobile app. You can allow consumers to choose the authentication factors that they are most comfortable with, driving buy-in by giving them a stake in their security. Or, you can select which factors to make available for your customers, giving you choice and flexibility in how to meet the SCA requirements.