Upgrading security with PSD2 and strong customer authentication


If you work in an industry that processes financial transactions in the EU or UK, you’ve undoubtedly heard of PSD2 — and strong customer authentication (SCA) is one of PSD2’s core features. 

We’ll take a look at what SCA is, how it relates to PSD2 (also known as the Revised Payment Services Directive), and how to effectively implement SCA technology into open banking processes. 

PSD2 and strong customer authentication: the low down

Strong customer authentication, or SCA, refers to more secure ways of authenticating users

Traditional — and now outdated — authentication processes simply required users to have a username and password to log in to their accounts or validate transactions. 

But then, as data leaks became increasingly common and people started reusing the same passwords for different accounts and services, the traditional methods of account security were deemed not strong enough. 

Enter, PSD2 and strong customer authentication. The Directive’s SCA regulations outline how multi-factor authentication is supposed to work in order to be compliant.

To be specific, PSD2 requires SCA to confirm at least two types of the following:

  1. Something the user knows. This is the example we’re most familiar with. It includes passwords, PINs, answers to security questions, and more. 
  2. Something the user has. This refers to a physical item (such as a phone), hardware token, serial number, state-issued ID, etc. The user doesn’t have to present the item necessarily, but rather prove that they have it by validating possession through an authentication app or a one-time passcode sent to the phone number, for example.
  3. Something the user is. The last example of PSD2 SCA is something that primarily refers to biometrics like fingerprints and face scanners. 

Why is SCA an important part of PSD2?

SCA is a key component of PSD2, making it essential to anyone whose business falls under the PSD2 umbrella — that includes those offering open banking as well as online payment processing more broadly. 

Complying with PSD2’s strong customer authentication regulations brings benefits to both businesses and consumers alike. For example:

More effective fraud prevention

PSD2 SCA is much better at preventing fraud than traditional username/password combinations. 

That’s because the information used to secure an account or transaction is much more robust. It’s far easier to guess or retrieve a password through social engineering than to gain access to someone’s phone or biometrics. 

PSD2 SCA provides a massive security upgrade over the old way of doing things. And that makes it a must for businesses — not only to be compliant but also as a duty of care to their customers-

Tighter security without compromising user experience

Better still, PSD2 SCA provides these security benefits without hindering the user experience (UX).

Balancing UX with adequate security measures is an ongoing challenge for financial institutions and online retailers. Easy and effective payment processes are essential for a great user experience, but if a payment process is too easy, that makes it vulnerable to fraudsters too. The measures outlined in PSD2 SCA help to overcome this challenge through a safe yet user-friendly process. And with open banking, the experience is quick and easy for users as they just have to approve the payment through their online bank app. 

Because PSD2 SCA is being implemented on a large scale, solutions are being developed regularly to make SCA as seamless as possible — even for the more complex forms of security.

So how does this work in open banking?

As we’ve covered so far in this blog, implementing SCA is mandatory for businesses looking to facilitate open banking processes or online payments. What we can control, however, is how well strong customer authentication checkpoints fit in with the overall customer experience and regulatory compliance.

Top tips to make this a success:

  • Ensure that the user is offered multiple methods of SCA – An element of choice helps to make the authentication process smoother. The methods of SCA available will depend on your region and the transactions you’re looking to secure, but providing a range will help to create a better user experience, and users often favour biometrics like face identification and fingerprints.
  • Continue to monitor local regulations and update your APIs accordingly – The regulatory landscape is always subject to change and different regions have different regulations. Businesses can’t afford to get complacent when it comes to updating SCA methods and the APIs that power them.

Keep it simple by working with a trusted partner

Implementing user-friendly, 100% compliant PSD2 SCA methods doesn’t have to be complicated. We can support the SCA methods made available by banks when accessing open banking information and when making open banking payments, ensuring the process is as smooth as possible.

More news