What is strong customer authentication?
To prevent fraud even more effectively, the EU introduced a new regulation, which requires companies to integrate even stricter authentication procedures in their payment processes. This regulation on what is known as ‘strong customer authentication’ (SCA) is meant to supplement the PSD2.
The most important component of SCA is the two-factor authentication. The system uses two of the following security components.
Something the person knows:
Something the person owns:
Something the person is:
password, PIN, or security answer
a mobile phone, hardware token, etc.
biometrics such as fingerprint or face scan
Each of these elements must be independent of each other, so that the security of the others is not compromised in the event of a security breach. SCA as a whole must be designed logically in such a way that the confidentiality of the authentication data can be guaranteed at all times.
Exemptions from using SCA processes
According to the SCA regulation, some types of transactions can be exempted from strong customer authentication. In certain exceptional cases, it is at the discretion of the merchants, issuers and acquirers whether SCA is required from the consumer or not.
With all exemptions, the respective authentication process remains invisible for the user: Transactions are carried out like transactions without 3D Secure, thereby guaranteeing a smooth customer experience.
Transactions with low security risk
Subscriptions, corporate payments, or transactions based on a whitelist:
Transactions outside the scope of SCA:
A smooth customer experience thanks to risk-based authentication (RBA)
Thanks to RBA, cart abandonment can be significantly reduced.
To continue to offer customers a smooth payment process for most transactions despite stricter security requirements, we can mention a method known as risk-based authentication. It can be applied to transactions of between €30 and €500 that have been classified as low-risk. Thanks to RBA, customers are spared additional authentication, and their experience is improved. If a transaction is classified as suspicious, customers can undergo additional authentication. The more transaction data is made available, the easier it is to assess the risks.