What is Strong Customer Authentication?
Strong Customer Authentication (hereafter SCA) is a requirement of the EU Revised Directive on Payment Services (PSD2) for payment service providers within the European Economic Area and the UK. The requirement ensures that electronic payments are performed with multi-factor authentication, increasing the security of electronic payments.
As a licensed Electronic Money Institution, ConnectPay must ensure that its BaaS partners implement SCA for the required events. Many examples of SCA factors exist in the market; the essential point is to use at least 2 of the 3 categories below, and the chosen factors must be independent (compromise of one must not undermine the reliability of the others):
- Knowledge – Something the customer knows (e.g. password, mobile PIN, passphrase, memorized swiping path).
- Possession – Something the customer has (e.g. a trusted device, signature token, QR code, One Time Password (OTP)).
- Inherence – Something the customer is (e.g. face ID, fingerprint).
SCA must be designed in such a way as to protect the confidentiality of the authentication data.
When is SCA required?
- Accessing payment accounts. Anytime a user logs in online to view their payment account details.
- Initiating transactions. Whenever a user starts an electronic payment process.
- Remote risk-prone actions. Any activity conducted remotely that could lead to payment fraud or a similar security threat, e.g. changing a card PIN, confirming application data, ordering a card.
SCA Events
Certain workflows (events) undertaken by a user require them to confirm the action with SCA. SCA typically applies to the following event types:
Customer related events
- Login to the platform.
- Change of customer contact information (phone number, address, email address, etc.).
- Recover password, change password.
- Change credentials.
Document signing events
- Signing onboarding application.
- Signing card application.
- Opening a new account.
Payment events
- Authorization of a payment.
- Authorization of currency exchange.
Card related events
- Activate a card.
- Changing card PIN.
- Update card security settings.
- Unfreeze a card.
Important! When a user is logged in to your platform, they must be logged out after 5 minutes of inactivity. Sessions must be short-lived.
Blocking access
It is very important to prevent unauthorized access by blocking the user after at most 5 incorrect attempts to log in or to confirm any kind of operation. The unblocking process is up to you, but it must require identifying the user, so that it is clear which person attempted to log in.
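The two rules above (the 5-minute inactivity logout and the block after at most 5 incorrect attempts) can be enforced by one small server-side policy object. The following is an added illustration, not ConnectPay's own code or API; the class, method and session names are hypothetical, and the clock is injected so that the timeout can be exercised without waiting.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict

MAX_FAILED_ATTEMPTS = 5          # block on the 5th consecutive failure
IDLE_TIMEOUT_SECONDS = 5 * 60    # log out after 5 minutes without activity


@dataclass
class AccountState:
    failed_attempts: int = 0
    blocked: bool = False


@dataclass
class Session:
    user_id: str
    last_activity: float   # clock reading of the last request seen on this session


class AccessPolicy:
    """Hypothetical policy enforcing attempt limits and short-lived sessions."""

    def __init__(self, now: Callable[[], float] = time.monotonic) -> None:
        self._now = now                                   # injectable clock (testable)
        self._accounts: Dict[str, AccountState] = {}
        self._sessions: Dict[str, Session] = {}

    def _account(self, user_id: str) -> AccountState:
        return self._accounts.setdefault(user_id, AccountState())

    def record_attempt(self, user_id: str, success: bool) -> str:
        """Apply one login or operation-confirmation attempt.

        Returns "ok", "denied" or "blocked". A blocked user is refused even with
        correct credentials until the unblock procedure has identified them.
        """
        acct = self._account(user_id)
        if acct.blocked:
            return "blocked"
        if success:
            acct.failed_attempts = 0                      # counter is per consecutive run
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.blocked = True
            return "blocked"
        return "denied"

    def unblock(self, user_id: str, identity_verified: bool) -> bool:
        """Unblock only after the operator has identified the person (process is the partner's choice)."""
        if not identity_verified:
            return False
        acct = self._account(user_id)
        acct.blocked = False
        acct.failed_attempts = 0
        return True

    def open_session(self, session_id: str, user_id: str) -> None:
        self._sessions[session_id] = Session(user_id, self._now())

    def is_active(self, session_id: str) -> bool:
        """Call on every request: refreshes the idle timer, or ends the session if it has idled too long."""
        session = self._sessions.get(session_id)
        if session is None:
            return False
        if self._now() - session.last_activity > IDLE_TIMEOUT_SECONDS:
            del self._sessions[session_id]                # forced logout after 5 idle minutes
            return False
        session.last_activity = self._now()
        return True
```

Failed SCA confirmations of an operation go through `record_attempt` just like failed logins, so the same 5-attempt ceiling applies to both; the idle check is done on each request rather than by a background timer, so an expired session is rejected on its very next use.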
Dynamic linking
All SCA authorization events require an “authentication code” that should be unique to each authorization event.
For payments there is an additional requirement: the “authentication code” must be transferred together with the amount, currency and recipient of the payment through every step of the payment and authentication process. Additionally, both the amount and the recipient have to be made clear to the payer when authenticating the payment. If the authentication code or any of the payment details are changed, the transaction should fail.
The picture below provides a high-level flow of how this could be implemented. You may choose to use a third-party provider for SCA authentication; that part is not reflected in the flow.
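To make the dynamic-linking requirement concrete, here is an added example (not ConnectPay's code, nor a specification of the flow in the picture) of one way to derive the authentication code: an HMAC over a per-event identifier plus the amount, currency and recipient, verified with a constant-time comparison and accepted only once. The service and method names, the signing key and the sample payment values are all constructed for illustration; a real deployment would keep the key in an HSM or KMS and persist the consumed-event set.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

# Constructed signing key for this example only; not a value from the page.
SIGNING_KEY = b"example-signing-key-not-for-production"


@dataclass(frozen=True)
class PaymentDetails:
    amount: str      # decimal string such as "125.00" (a string, so no float rounding drift)
    currency: str    # ISO 4217 code such as "EUR"
    recipient: str   # recipient identifier, e.g. an IBAN


def canonical_message(event_id: str, details: PaymentDetails) -> bytes:
    """Unambiguous encoding of everything the code is linked to.

    A JSON array with fixed field order is used instead of a plain "|" join so
    that no combination of field values can encode to the same bytes as another.
    """
    return json.dumps(
        [event_id, details.amount, details.currency, details.recipient],
        separators=(",", ":"),
    ).encode()


class DynamicLinkingService:
    """Hypothetical issuer/verifier of per-event authentication codes."""

    def __init__(self, key: bytes = SIGNING_KEY) -> None:
        self._key = key
        self._consumed = set()            # event ids whose code has already been accepted

    def new_event_id(self) -> str:
        # 128 random bits: each authorization event gets its own identifier, hence its own code.
        return secrets.token_hex(16)

    def issue_code(self, event_id: str, details: PaymentDetails) -> str:
        """Authentication code for one event; any change to amount, currency or recipient changes it."""
        return hmac.new(self._key, canonical_message(event_id, details), hashlib.sha256).hexdigest()

    def payer_prompt(self, details: PaymentDetails) -> str:
        """What the payer must be shown at the moment of authenticating (amount and recipient)."""
        return f"Confirm payment of {details.amount} {details.currency} to {details.recipient}"

    def verify(self, event_id: str, details: PaymentDetails, code: str) -> bool:
        """True only if the code matches exactly these details and has not been used before."""
        if event_id in self._consumed:
            return False                  # replay of an already-accepted code fails
        expected = self.issue_code(event_id, details)
        if not hmac.compare_digest(expected, code):
            return False                  # code or payment details were altered: transaction must fail
        self._consumed.add(event_id)
        return True


def demo() -> dict:
    """Walk through issue, tamper, accept and replay with constructed sample values."""
    svc = DynamicLinkingService()
    details = PaymentDetails("125.00", "EUR", "GB00EXAMPLE00000000000")  # constructed sample
    event_id = svc.new_event_id()
    code = svc.issue_code(event_id, details)

    # The amount is altered after the payer approved the original details.
    tampered = PaymentDetails("1250.00", details.currency, details.recipient)

    return {
        "prompt": svc.payer_prompt(details),
        "tampered_rejected": not svc.verify(event_id, tampered, code),
        "original_accepted": svc.verify(event_id, details, code),
        "replay_rejected": not svc.verify(event_id, details, code),
    }
```

The code itself never leaves the server in this design; what travels with the payment through each step is the `(event_id, amount, currency, recipient)` tuple plus the code, and every step can recompute and compare. Because the HMAC covers the event id, two payments with identical details still get different codes, which is what makes the code unique per authorization event.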
Logs
SCA logs must be retained for 13 months from their creation date.