Whether booking a train ticket or buying something from their favourite online shop, users expect secure, convenient payment methods, and that requires authentication that works and behaves consistently. Many banks have been waiting for this day for some time: strong customer authentication and secure communication between banks and third-party providers are finally becoming a reality in the European Union. The regulatory technical standards on strong customer authentication and on common and secure open standards of communication have the potential to be a real evolution for online payments.
Implementation is not yet mandatory, and for German companies this is not entirely new: most of the substance was already introduced in Germany by BaFin Circular 4/2015. From 14 September 2019 the rules will apply to almost every form of online banking and online payment in the EU, and thus to millions of users. Many bank customers will not notice the change by name: most have no concrete idea what two-factor authentication (2FA), on which strong customer authentication is built, consists of. That makes a customer-centric process and an intuitive design all the more important, so that the new steps are simple and convenient for the user.
What Is Strong Customer Authentication?
Strong customer authentication (SCA) is an EU-wide requirement on how online payments, and access to payment accounts, are authenticated. Under the new rules a payment must be authenticated with at least two of the following three categories of factor, and the factors must be independent of each other, so that compromising one does not compromise the other:
Something that only the user KNOWS:
For example, a password, a PIN or the answer to a security question.
Something that only the user OWNS:
For example, a dedicated authentication device, a registered mobile phone or its SIM card, or a smartwatch.
Something that the user IS:
For example, a fingerprint or facial recognition.
What Does Strong Customer Authentication Mean?
First and foremost, the new authentication process is intended to stop fraud that relies on stolen or lost customer credentials: a password alone is no longer enough. Second, 2FA is meant to give the bank reasonable assurance that the person who, at that moment, consents to a transfer or to access to account information really is the authorised customer.
What Are Existing Examples of Two-Factor Authentication (2FA)?
3-D Secure 2 is the successor to the original 3-D Secure standard, which Visa developed (as Verified by Visa) and which is now maintained by EMVCo. 3-D Secure authentication is already the most common way of authenticating online credit card payments. Version 2 supports the challenge flows needed for SCA under PSD2 and gives issuers far more transaction data for risk-based decisions; whether a given payment actually meets the SCA requirement depends on which factors the issuer challenges with, and the static password used in many first-generation 3-D Secure deployments does not suffice on its own. Mastercard SecureCode, J/Secure (JCB) and SafeKey (American Express) are the corresponding programmes of the other major card schemes. Mobile payment methods such as Google Pay and Apple Pay also combine the registered device with a PIN or a biometric check, i.e. possession plus knowledge or inherence.
Another everyday example is logging in to online banking or authorising a transfer with a PIN and a TAN. Two numbers, yet two different factors? The PIN is "something that only the user knows"; the TAN, delivered to the user's registered phone or generated by a device the user holds, is "something that only the user owns". The prerequisite is that the TAN is dynamically linked to the transaction: the former iTAN lists no longer meet the requirements because an iTAN carries no information about the payee and the amount, so a code the user reads off the list authorises whatever order the bank actually receives. A caveat on SMS-TAN: the EBA treats the SIM card as a possession element, but the SMS channel is exposed to SIM-swap and interception attacks, so app-based or hardware TAN generators are the more robust choice.
Other innovative projects are emerging too, encouraged by the considerable room for interpretation that the regulatory standards leave. Strong links are being created between banks' core banking systems, the user and the service provider. This is made possible by access to the customer's online banking account (XS2A, "access to account") via banking APIs. Technically, these services take their cue from "Sign in with Google", Facebook Connect and similar schemes and build on OAuth 2.0 and OpenID Connect, with the bank in the role of the identity provider.
It is not only third-party providers that are integrating online banking into their own platforms; banks are also investing in new solutions around their existing online banking. Sparkasse, for example, is working with YES AG on a product that makes online banking usable beyond banking itself: the online banking login is used to manage the customer's digital identity. The verimi project, a consortium including Allianz, Axel Springer, Daimler and Deutsche Bank, also aims to act as an identity provider.
Is the Offline World Not Affected at All?
Not at all; if anything, the offline world got there first. Two-factor authentication has existed at the point of sale for years: when a customer pays with a card and a personal identification number (PIN), an electronic payment is initiated with a possession factor (the card) and a knowledge factor (the PIN). Paying with a card and a signature also combines two elements, but it does not initiate an electronic payment in the sense of the directive, so it lies outside the scope of the RTS on strong customer authentication and secure communication in electronic payment transactions.
What Are the Most Important Dates?
Strong customer authentication is an integral part of the requirements of the revised Payment Services Directive (PSD2) and becomes binding on 14 September 2019, even though the deadline for transposing PSD2 into national law was 13 January 2018. Unlike for other requirements of the Directive, the legislator granted a longer implementation period here.
The final version of the Regulatory Technical Standards (RTS) on strong customer authentication and common and secure open standards of communication (Commission Delegated Regulation (EU) 2018/389) was published in the Official Journal of the European Union on 13 March 2018 and entered into force the following day. Within a year of that date, banks were expected to make an interface for account information and payment initiation services available, together with its documentation and a test environment, since the RTS require the testing facility to be available at least six months before the application date. From April 2019, merchants receive an automatic liability shift if they request two-factor authentication and the issuing bank cannot support it.
Full implementation follows as the second step: from 14 September 2019 the SCA requirements laid down under PSD2 apply. From then on, a bank receiving a payment that requires SCA but was not authenticated as outlined above must decline it, or challenge the customer to authenticate before the payment is executed. (Supervisors later granted additional migration time for e-commerce card payments; check the current position of your national authority.)
In Germany, however, little changes in practice for 2FA. BaFin obliged German banks and card issuers to implement comparable measures with Circular 4/2015 "Minimum Requirements for the Security of Internet Payments" (MaSI), which is based on the EBA Guidelines on the security of internet payments.
How Do PSD2 and Strong Customer Authentication Work Together?
One of PSD2's main goals is to simplify payment transactions in the EU and to make electronic payments more secure; indeed, one reason for replacing PSD1 was that the security risks of electronic payments had grown in recent years. The main objective of the SCA rules is to minimise the fraud risk in electronic payment services. To this end, the European Banking Authority, in close cooperation with the European Central Bank, was mandated to develop regulatory technical standards (RTS) on strong customer authentication and secure communication. The RTS translate the objectives and requirements of PSD2 into technical terms, and strong customer authentication is thus one of the requirements under the new Payment Services Directive.
PSD2 also regulates when strong customer authentication is required. Once the standards apply, payment service providers must use two-factor authentication and, for remote payments, dynamically link the authentication code to the amount and the payee. Online banking should become more reliable and more transparent to the user as a result. Instead of a traditional, comparatively weak password on its own, the customer authenticates with two independent factors and so initiates a far better protected payment.
When Do I Need to Be Interested in Strong Customer Authentication?
The obligation to apply strong customer authentication covers electronic payments initiated by the payer in Europe. This includes most card payments, but SCA is also required when the user accesses their payment account online (at the time of writing, at least every 90 days for pure account access). The RTS also define exemptions, for example for low-value payments, contactless payments at the point of sale, trusted beneficiaries, recurring payments of the same amount to the same payee and transactions assessed as low risk; an exemption is applied by the payment service provider, and the issuer can still insist on a challenge.
A card payment falls within the scope of the regulation if both the cardholder's bank (the issuer) and the merchant's bank (the acquirer) are located in the European Economic Area (EEA). Transactions where one of the two is outside the EEA ("one-leg-out") are not covered by the full requirement.
Remote payments, such as a classic bank transfer in online banking or an online purchase with a credit card, are somewhat more involved. In addition to strong customer authentication, the authentication code must be dynamically linked to the payee and the amount: the code is specific to exactly one amount and one payee, the payer is shown both when authenticating, and any change to either invalidates the code. Concretely, an SMS-TAN is valid for exactly one amount and one payee, and the SMS states both. Farewell, iTAN lists!
Technically, access to payment accounts (XS2A) for third-party providers is enabled through interfaces (APIs). The regulatory standards therefore concern every bank, because each account-servicing bank must provide an access interface, either a dedicated API or an adapted customer interface, and document and test it.
Thanks to its own banking API, FinTecSystems has access to more than 100 million online banking accounts in Europe and covers 99.5 percent of all banks. Our interface has been in successful use for over 10 years. Contact us for more information!
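To make the dynamic link concrete, and to show why the iTAN lists mentioned in the PIN/TAN example above fail it, here is an added Python illustration. It is not code from this article or from FinTecSystems, and no bank uses exactly this scheme: the HMAC construction, the six-digit truncation, the per-transaction challenge, the sample IBANs and the device key are all assumptions chosen for clarity. The scenario is the classic man-in-the-browser attack, where malware rewrites the amount and payee after the user has approved the order.

```python
"""Dynamic linking vs. iTAN lists.

Added illustration, not code from the article or from FinTecSystems. The HMAC
construction, the six-digit truncation, the separator, the sample IBANs and
the device key are assumptions chosen for clarity; no bank uses exactly this
scheme. A TAN derived from the transaction data verifies only for that exact
amount and payee, whereas a code from a static iTAN list cannot tell the bank
whether the order it received is the one the user saw.
"""
import hashlib
import hmac
import secrets

TAN_DIGITS = 6


def make_tan(device_key: bytes, challenge: bytes, amount_cents: int, payee_iban: str) -> str:
    """TAN generated on the possession element (TAN app or hardware generator).

    device_key is the secret shared between the bank and the customer's device
    (assumed to be provisioned at enrolment). challenge is a fresh per-transaction
    nonce from the bank, so a TAN cannot be replayed for a second order with the
    same amount and payee. Amount and payee go into the MAC input, which is what
    makes the code "dynamically linked" to the transaction.
    """
    msg = b"\x00".join([challenge, str(amount_cents).encode("ascii"), payee_iban.encode("ascii")])
    mac = hmac.new(device_key, msg, hashlib.sha256).digest()
    code = int.from_bytes(mac[:4], "big") % 10 ** TAN_DIGITS
    return f"{code:0{TAN_DIGITS}d}"


def bank_verify_dynamic(device_key: bytes, challenge: bytes,
                        submitted_amount: int, submitted_payee: str, tan: str) -> bool:
    """Bank side: recompute the TAN over the order that actually arrived.

    If malware rewrote amount or payee after the user approved the order, the
    recomputed code differs and the transfer is rejected.
    """
    expected = make_tan(device_key, challenge, submitted_amount, submitted_payee)
    return hmac.compare_digest(expected, tan)


def bank_verify_itan(tan_list, index: int,
                     submitted_amount: int, submitted_payee: str, tan: str) -> bool:
    """Legacy iTAN check: the bank only asks for the code at a given list position.

    submitted_amount and submitted_payee are deliberately unused: nothing in an
    iTAN binds it to the order, which is exactly why iTAN lists fail the
    dynamic-linking requirement.
    """
    del submitted_amount, submitted_payee
    return hmac.compare_digest(tan_list[index], tan)


def man_in_the_browser_scenario() -> dict:
    """Customer approves 50.00 EUR to a friend; browser malware rewrites the order
    to 5,000.00 EUR to an attacker-controlled account before it reaches the bank.
    The user only ever saw, and approved, 50.00 EUR."""
    device_key = secrets.token_bytes(32)          # constructed; shared at enrolment
    challenge = secrets.token_bytes(16)           # constructed; issued by the bank
    approved_amount, approved_payee = 5_000, "DE02120300000000202051"      # constructed sample IBAN
    rewritten_amount, rewritten_payee = 500_000, "DE02500105170137075030"  # constructed sample IBAN

    # Dynamically linked TAN: the device displays amount and payee and computes the code over them.
    tan = make_tan(device_key, challenge, approved_amount, approved_payee)
    results = {
        "dynamic_honest_order": bank_verify_dynamic(device_key, challenge, approved_amount, approved_payee, tan),
        "dynamic_rewritten_order": bank_verify_dynamic(device_key, challenge, rewritten_amount, rewritten_payee, tan),
    }

    # iTAN list: 100 static codes on paper; the bank asks for, say, number 42.
    itan_list = [f"{secrets.randbelow(10 ** TAN_DIGITS):0{TAN_DIGITS}d}" for _ in range(100)]
    itan = itan_list[42]                          # what the user types in
    results["itan_honest_order"] = bank_verify_itan(itan_list, 42, approved_amount, approved_payee, itan)
    results["itan_rewritten_order"] = bank_verify_itan(itan_list, 42, rewritten_amount, rewritten_payee, itan)
    return results


if __name__ == "__main__":
    for name, accepted in man_in_the_browser_scenario().items():
        print(f"{name:24s} accepted={accepted}")
```

The rewritten order is rejected under the dynamic scheme and accepted under iTAN, which is the whole point of the requirement: the bank must verify the code against the order it actually received, and the device must show the user the amount and payee that went into the code. The display step is as important as the MAC; a TAN generator that signs data the user cannot see gives no protection against a rewritten order.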