Strong customer authentication

What is Strong Customer Authentication?

Strong Customer Authentication (hereafter SCA) is a requirement of the EU Revised Payment Services Directive (PSD2) imposed on payment service providers in the European Economic Area and the UK. It requires electronic payments to be protected with multi-factor authentication, to increase the security of electronic payments.

As a licensed Electronic Money Institution, ConnectPay must ensure that its BaaS partners implement SCA for the required events. Many kinds of authentication factor are available on the market; what matters is that at least two of the following three categories are used, and that they are independent of each other (compromise of one must not undermine the reliability of the others):

  • Knowledge – Something the customer knows (e.g. password, mobile PIN, passphrase, memorized swiping path).
  • Possession – Something the customer has (e.g. a trusted device, signature token, QR code, One Time Password (OTP)).
  • Inherence – Something the customer is (e.g. face ID, fingerprint).

SCA must be designed in such way as to protect the confidentiality of the authentication data.

When is SCA required?

  1. Accessing payment accounts. Any time a user logs in online to view their payment account details.
  2. Initiating transactions. Whenever a user starts an electronic payment.
  3. Remote risk-prone actions. Any action performed remotely that could lead to payment fraud or a similar security threat, e.g. changing a card PIN, confirming application data, ordering a card.

SCA Events

Certain workflows (events) undertaken by a user require confirmation with SCA. This typically applies to the following event types:

  • Login to the platform.
  • Change of customer contact information (phone number, address, email address, etc.).
  • Confirmation of the onboarding application.
  • Initiation of a payment.
  • Change of card PIN.
  • Opening of a new account.
  • Activation of a card.
  • Update of card security settings.
  • Unfreezing of a card.

Important! Once a user is logged in to your platform, they must be logged out automatically after 5 minutes of inactivity. Sessions should be short-lived.

Dynamic linking

For payment events, SCA of the simple confirmation type is not sufficient. Every SCA event for a payment requires an “authentication code” that is unique to that transaction and is carried, together with the amount and the recipient of the payment, through every step of the payment and authentication process. In addition, both the amount and the recipient must be displayed clearly to the payer when they authenticate the payment. If the authentication code or any of the payment details are changed, the transaction must fail.
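The following is an added illustration of dynamic linking, not code from ConnectPay or from this page. It binds the authentication code to the amount, currency and recipient with an HMAC over a canonical encoding plus a per-transaction nonce, shows the payer the amount and recipient in clear, and makes the confirmation step reject a code whose payment details were altered or that has already been used. `SERVER_KEY`, the `Payment` fields, the `Verifier` class and the sample IBAN are all assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

# Hypothetical server-side key used only for this example. In production the
# key would live in an HSM/KMS and never in source code.
SERVER_KEY = b"example-key-not-for-production"


@dataclass(frozen=True)
class Payment:
    payment_id: str
    amount: str      # decimal string such as "120.50"; never a float
    currency: str
    recipient: str   # beneficiary IBAN


def canonical(payment: Payment, nonce: str) -> bytes:
    """Bytes that both the issuer and the verifier compute the MAC over.

    Sorted keys and fixed separators make the encoding unambiguous, so the
    same payment details always produce the same bytes.
    """
    fields = {
        "payment_id": payment.payment_id,
        "amount": payment.amount,
        "currency": payment.currency,
        "recipient": payment.recipient,
        "nonce": nonce,
    }
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def issue_authentication_code(payment: Payment) -> tuple[str, str, str]:
    """Step 1, payment initiated: return (nonce, code, text shown to the payer).

    The nonce makes the code unique per transaction; the HMAC ties it to the
    amount and recipient so that changing either invalidates the code.
    """
    nonce = secrets.token_hex(16)
    code = hmac.new(SERVER_KEY, canonical(payment, nonce), hashlib.sha256).hexdigest()
    shown = f"Pay {payment.amount} {payment.currency} to {payment.recipient}?"
    return nonce, code, shown


class Verifier:
    """Step 2, SCA confirmation: accept a code exactly once, and only for the
    unchanged amount/recipient it was issued for."""

    def __init__(self) -> None:
        self._used: set[str] = set()  # nonces already consumed

    def confirm(self, payment: Payment, nonce: str, code: str) -> str:
        expected = hmac.new(SERVER_KEY, canonical(payment, nonce), hashlib.sha256).hexdigest()
        # Constant-time comparison so the check does not leak the expected code.
        if not hmac.compare_digest(expected, code):
            return "rejected: amount, recipient or code changed"
        if nonce in self._used:
            return "rejected: code already used"
        self._used.add(nonce)
        return "accepted"


if __name__ == "__main__":
    # Constructed sample payment; the IBAN is a placeholder, not a real account.
    pay = Payment("pmt-0001", "120.50", "EUR", "LT000000000000000000")
    nonce, code, shown = issue_authentication_code(pay)
    verifier = Verifier()
    print(shown)
    print(verifier.confirm(pay, nonce, code))
    tampered = Payment("pmt-0001", "1200.50", "EUR", "LT000000000000000000")
    print(verifier.confirm(tampered, nonce, code))
```

A production implementation would additionally expire unused codes after a short window and record the nonce in durable storage rather than an in-memory set, so that the single-use property survives restarts and holds across multiple backend instances. The point that carries over unchanged is that the code must be recomputed from the details actually being confirmed, not looked up by payment ID, otherwise a swapped amount or recipient would go unnoticed.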

The picture below gives a high-level flow of how this could be implemented. You may choose to use a third-party provider for SCA authentication; that part is not reflected in the flow.
