Multi-factor authentication (MFA) has been working its way into consumer life for years. To get to your bank account from a new machine, you often have to provide not only a username and password but a numeric code that you receive via a text message or an email. By implementing a requirement of more than one type of authentication, the bank is ensuring that the person logging in is the actual owner of the account and not a possible cyber criminal. MFA —which up until now has been a best practice, a recommendation and a feature implemented by vendors and financial institutions only when they deemed it necessary—is now becoming a regulated requirement.
As of December 31st, 2020, the European Union (EU) is requiring that consumer electronic payments over €50 ($60) require MFA. This requirement is defined as part of the Payments Services Directive (PSD2) that took effect in January 2018. A key component of this regulation is called Strong Customer Authentication (SCA). And this is the precise component that requires all EU consumers purchasing anything online will need to provide an additional form of authentication.
What authentication factors will meet the requirements?
The SCA requires that a purchaser’s identity be validated by providing authentication factors from at least 2 of the 3 common categories of authentication factors. These categories are:
- Something you know (e.g. PIN)
- Something you have (e.g. Card/phone)
- Something you are (e.g. fingerprint)
Who does this affect?
The December 31st, 2020 deadline affects all online financial transactions in the European Economic Area (EEA) where both the payee and the payer are in the EEA. On September 14th, 2021, the SCA will also apply to those within the United Kingdom (UK).
Are there any exemptions?
To be clear, the regulation only applies to transactions that are over €50, but there are a few other exceptions.
- Recurring payment exemption – That monthly delivery from the wine club is exempt as long as it is the same payment amount each month.
- Allow listing (or Trusted beneficiary) exemption – Consumers will be able to designate certain merchants as those they trust. So someone could mark Amazon as trusted and not have to provide 2 forms of authentication to make a purchase with them.
- Secured corporate payment exemption – Businesses that are using secure dedicated payment protocols as defined by the European Commission will be exempted when making payments.
- Low risk transaction exemption (or Transaction Risk Assessment – TRA) – Businesses that use a payment service provider (PSP) are exempted from these requirements. The burden then lies with the PSP. So if the merchant accepts payments through PayPal it is on PayPal to require the additional authentication factor.
Since e commerce was introduced in the 1990s online fraud has become more and more of an issue. According to PwC, online fraud has cost companies $42 billion in the last 24 months. Merchants and PSPs have been implementing MFA on their own in order to prevent these losses and ensure that they and their customers are not victims of fraud. SCA is the first step to ensuring that both merchants and consumers are protected against online fraud across the board.
Risk reduction impact of Strong Customer Authentication
With the introduction of Strong Customer Authentication (SCA) as part of the EU revised Payments Services Directive (PSD2), we believe it will reduce the risk of credit cards being stolen in the future. With Strong Customer Authentication, the financial and banking industry have enabled individuals to make informed risk-based decisions. Now individuals need to stay conscious and aware, choosing to only use service providers who protect their finances and identity with strong authentication or MFA.