FCA agrees 18-month plan for a phased implementation of Strong Customer Authentication.

SCA Deadline Delayed

Last week the Financial Conduct Authority (FCA) announced a transitional period for the introduction of Strong Customer Authentication (SCA) under the PSD2 Payment Service Directive. The new plan gives the payments and e-commerce industry extra time to implement SCA, as the original deadline was set for 21st June 2019.

Now, from 14 September 2019, new EU rules will apply that impact the way in which banks or payment services providers verify their customers identity and validate specific payment instructions. The new SCA rules are intended to enhance the security of payments and limit fraud during this authentication process.

What is Strong Customer Authentication?

SCA is a method of establishing beyond all reasonable doubt that a person is who they claim to be via the use of more than one authentication method, and therefore key to reducing fraud. SCA standards stipulate authentication must rely on at least two of the following three elements:

  • Knowledge — Something the customer knows, a payment card PIN
  • Possession — Something the customer has, a mobile phone or tablet
  • Inherence — Something the customer is, a biometric factor such as facial or voice recognition

One Time Passcodes Are No Longer Enough

For the past 25 years, one-time-passcodes (OTPs) have been relied upon by the financial services industry as an authentication tool for online banking and shopping. When consumers access their online banking platform on their browser and attempt to make a transaction, the OTP is usually sent to their mobile phone by an SMS. The user will then enter the OTP into their bank’s or merchant’s online platform to authenticate the transaction.

However, the European Banking Association (EBA) has announced OTPs (that are aimed at providing evidence of possession) are not secure and as such cannot be used as part of SCA. This leaves many banks and financial organisations with a dilemma; the PSD2 deadline is looming and their solution strategy is not compliant. However, MYPINPAD’s patented solution, MPP Auth offers a direct replacement for OTP utilising our fully SCA-compliant PIN onMobile technology. By using the consumer’s smart phone or tablet (something they own), they can be automatically requested to enter their card PIN (something they know) at the point of online checkout.

PIN on Mobile

Apart from delivering industry-leading PCI security standards and SCA compliance, our solution takes advantage of consumers pre-existing familiarity with card PIN authentication. This approach significantly reduces the risk of purchase abandonment which is predicted to sharply rise with the additional authentication steps introduced at online checkout.

The FCA has said it will continue to monitor the extent to which banks and payment service providers are meeting its expectation that they consider the impact of SCA on different groups of consumers and provide alternative means of authentication where needed.