Strong Customer Authentication, with the English acronym "SCA", involves application of new security measures that will make card payments even stronger, as this will be the way in which issuing entities are going to identify card holders when they order over-the-counter payments in stores or on the Internet.
These new security measures have been introduced through the new Payment Services Directive, also known as PSD2, as a rule that must be complied with by all payment services providers (such as banks) within the European Economic Space.
Strong authentication means that card holders will have to identify themselves before the entity issuing their card using at least two authentication factors when they perform certain electronic payments. Thus, the issuing entity will ask the holder for 2 of the following 3 types of authentication factors or security identifying elements:
- Knowledge: something they know, like the PIN of their card.
- Possession: something they possess, such as a single use password sent to their Smartphone or a payment card.
- Inherent: something that "is", for example, biometric elements such as facial features or a fingerprint.
These new requisites have a lower impact on payments with presence-based cards thanks to cards with chip and PIN. In these cases, the requisites of strong authentication are already fulfilled as there is a factor of possession (the card) and a factor of knowledge (the PIN code), and all the holder will necessary when buying is that the terminal will ask them to input their PIN more frequently, even for amounts under € 20.
In electronic commerce payments, the impact will be greater, as card holders will no longer be able to make online payments using the information printed on their cards (card number, expiry date and security code). Instead, the issuing entity will ask for 2 of the 3 possible types of authentication factors mentioned above, that in most cases will be an OTP (One Time Password) they will receive by SMS on their mobile phone, and something else, that will depend on the more or less technological profile of the holder.
All this must be performed through a secure protocol, so stores that do not have this must migrate to 3DSecure.
Return to frequent questions on PSD2 for stores.