Strong customer authentication as an EU-wide measure against fraud

What is strong customer authentication?

To prevent fraud even more effectively, the EU introduced a new regulation that obliges companies to integrate stricter authentication procedures into their payment processes. This regulation on what is known as ‘strong customer authentication’ (SCA) supplements PSD2.

The most important component of SCA is two-factor authentication, which uses two of the following three categories of security element:

  • Something the customer knows: password, PIN, or security answer
  • Something the customer owns: a mobile phone, hardware token, etc.
  • Something the customer is: biometrics such as a fingerprint or face scan

The elements must be independent of one another, so that a breach of one does not compromise the security of the others. SCA as a whole must be designed so that the confidentiality of the authentication data is guaranteed at all times.

Exemptions from using SCA processes

According to the SCA regulation, some types of transactions can be exempted from strong customer authentication. In certain exceptional cases, it is at the discretion of the merchants, issuers and acquirers whether SCA is required from the consumer or not.

With all exemptions, the authentication process remains invisible to the user: transactions are processed as they would be without 3D Secure, which guarantees a smooth customer experience.

Low-value transactions:

  • Low-value transactions under €30
  • Maximum number of subsequent transactions without SCA = 5
  • Maximum cumulative amount of transactions without SCA = €100 or for payments at the POS = €150

Transactions with low security risk:

  • For transactions over €30, a new procedure of risk-based authentication will be used depending on the reference fraud rates of the acquiring bank and the issuer, not of the merchant
  • Acquirers and issuers may conduct ongoing risk analysis on transactions and make a risk-based decision, thereby temporarily suspending the SCA
  • The following limits apply: €100 for a fraud rate of < 0.13; €250 for a fraud rate of < 0.06; €500 for a fraud rate of < 0.01

Transactions based on subscriptions, corporate payments, or based on a whitelist:

  • Recurring transactions with the same amount for the same business
  • SCA is needed only for the first transaction of each such series
  • Secure B2B payments via dedicated payment processes and protocols are exempt
  • Cardholders can whitelist merchants or beneficiaries together with their bank

Transactions outside the scope of SCA:

  • Transactions initiated by merchants
  • Mail order / telephone order (MOTO): the order for goods and services is placed by telephone or in writing, e.g. by fax or order form
  • ‘One leg out’ transactions, in other words, transactions where either the issuer or the acquirer is not located within the European Economic Area (EEA)
  • Transactions using anonymous payment methods, such as anonymous prepaid cards

A smooth customer experience thanks to risk-based authentication (RBA)

Thanks to RBA, the number of cart abandonments can be significantly reduced.

To continue offering customers a smooth payment process for most transactions despite the stricter security requirements, a method known as risk-based authentication can be used. It can be applied to transactions between €30 and €500 that have been classified as low-risk, sparing those customers additional authentication. Should a transaction be classified as suspicious, the customer can be actively asked to complete an additional authentication step. The more transaction data is made available, the easier it is to assess the risk.
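The exemption rules above (low-value counters, the risk-based limits by fraud rate, and the out-of-scope cases) form a small decision procedure. The following added example, which is not part of the original page or of any 3D Secure implementation, encodes the thresholds exactly as this page states them; the per-card counter model, the treatment of exactly €30 as low value, and the single fraud-rate parameter for the party applying the exemption are assumptions made for the example.

```python
from dataclasses import dataclass

# Thresholds exactly as stated on this page (amounts in EUR; the fraud rates
# are taken as written there, without a unit). Constructed for this example.
LOW_VALUE_LIMIT = 30.0
LOW_VALUE_MAX_COUNT = 5                      # exempt transactions since last SCA
LOW_VALUE_CUMULATIVE = {"remote": 100.0, "pos": 150.0}
TRA_LIMITS = [(0.13, 100.0), (0.06, 250.0), (0.01, 500.0)]  # (fraud rate <, limit)


@dataclass
class CardCounters:
    """Per-card state kept by the issuer since the last SCA (assumed data model)."""
    count_since_sca: int = 0
    total_since_sca: float = 0.0


def tra_limit(fraud_rate: float) -> float:
    """Highest amount the page allows without SCA for a given reference fraud rate."""
    return max((limit for rate, limit in TRA_LIMITS if fraud_rate < rate), default=0.0)


def decide(amount: float, channel: str, counters: CardCounters,
           fraud_rate: float, out_of_scope: bool = False) -> tuple:
    """Return (exempt, reason); exempt=True means the payment may run without SCA.

    out_of_scope covers the page's last list (merchant-initiated, MOTO,
    one-leg-out, anonymous prepaid); the caller derives it from the order type.
    """
    if out_of_scope:
        return True, "out of scope"
    if amount <= LOW_VALUE_LIMIT:   # counting exactly EUR 30 as low value is an assumption
        if (counters.count_since_sca < LOW_VALUE_MAX_COUNT
                and counters.total_since_sca + amount <= LOW_VALUE_CUMULATIVE[channel]):
            return True, "low value"
        return False, "low-value counters exhausted"
    if amount <= tra_limit(fraud_rate):
        return True, "transaction risk analysis"
    return False, "above limits"


def record(counters: CardCounters, amount: float, exempt: bool, reason: str) -> CardCounters:
    """Roll the counters forward: an SCA resets them, an exempt payment adds to them."""
    if not exempt:                  # SCA was performed, so counting starts again
        return CardCounters()
    if reason == "out of scope":    # assumption: out-of-scope payments are not counted
        return counters
    return CardCounters(counters.count_since_sca + 1, counters.total_since_sca + amount)
```

Running a sequence of payments through `decide` and `record` shows why a sixth small purchase, or one that pushes the running total past €100, is sent to SCA even though each amount alone is under €30.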

Benefits of RBA

  • Smooth payment process up to a value of €500
  • The same level of security with less work
  • Fewer cart abandonments during the payment process
