STRONG CUSTOMER AUTHENTICATION

Strong Customer Authentication

Strong Customer Authentication (SCA) is a requirement of the EU’s Payment Services Directive (PSD2) that aims to add extra layers of security to electronic payments. It requires banks to undertake additional checks to confirm their identity when their customers make payments.

When customers are at the online checkout, banks must ask customers for a combination of two forms of identification that proves something that they know, something that they have and something they are.

  1. Knowledge – this is something they know – for example, their PIN or password;
  2. Possession – something they have – a mobile phone, card reader or another device evidenced by a one-time passcode;
  3. Inherence – something they are – can be biometric such as a fingerprint or face scan on a mobile phone that accesses the banking app or authenticator service asking for authentication.

This is most obvious when using EMV 3D secure when a SMS message with a one-time passcode to authenticate the transaction is sent to the mobile number provided to the bank. However, criminals can socially engineer consumers to reveal their passcode by impersonating their bank and asking for the number to prevent the fraud, when, in fact, they use the number to authenticate the fraudulent transaction and get the goods.

Biometric authentication occurs when the consumer must access a message sent by their bank to their banking app that requires the consumer to use a fingerprint or face-scan to authenticate the transaction. Because there is no one-time password, fraudsters can’t socially engineer the consumer to divulge it. The consumer has their mobile phone and can access the banking app to authenticate the transaction

Tokenisation

Card schemes are now implementing tokenisation to prevent fraudsters intercepting payment instructions. Tokenisation is the process of turning the PAN into a unique stream of numbers that is encrypted, transmitted and decrypted at the transaction end-point. This avoids fraud as the full card number is not being transmitted and possibly intercepted.

Back to