EU Strong Customer Authentication

Strong Customer Authentication

The requirement for Strong Customer Authentication (SCA) went into effect this past September. Notwithstanding the deadline, several countries announced a delay in implementation which was approved by the European Banking Authority (EBA). SCA is a specific requirement of the Revised Directive on Payment Services (PSD2), originally issued in 2015 and subsequently amended in 2019.

To provide context, the EBA is a regulatory body that works to oversee and regulate the EU banking industry. It was established in 2010 by the European Parliament and works closely with the European Central Bank (ECB) to maintain price stability in the EU so as to maximize the value of the Euro currency.

Tsunami of Online Crime

Of course, the digital transformation leveraging the internet worldwide has contributed to the tsunami of online crime. In fact, online fraud is now a very common crime impacting all corners of society. Criminals have stepped up their attacks and use many tools such as malware, phishing, malicious websites, and other tactics to reach their goals. Once a criminal has tricked a customer into revealing their passwords and personal details, they can gain persistent access to their accounts. Prior to the requirement for SCA, customers could complete a transaction utilizing the card number and the visible CVC verification code. Heads Up! This is no longer sufficient to support an online transaction in the EU.

PSD2 – Electronic Payments

PSD2 is the requirement for strong customer authentication for electronic payments. When using a physical card in the EU, this typically includes both an electronic chip and a PIN except when participating on an internet-based transaction. The new requirement stipulates that payment service providers use SCA when a customer is accessing a payment account online, beginning an electronic payment transaction, or conducting any activity through electronic channels that present a risk of payment fraud and related abuse.

A payment service provider provides online access to services for processing payments. This may include credit cards, direct debit, bank transfer, and real-time bank transfer based on online banking. Payment service providers are typically connected to multiple banks and payment networks.

At the very core of PSD2 is multi-factor authentication. Specifically, authentication must be based upon the use of two or more of the following elements: something that the user knows, something that the user possesses, or something that the user is, such as a biometric. It must be clear that breach of one or more of the factors should not compromise the reliability of the other factors such that the authentication data is protected.

There are just a few exemptions to the SCA. These include low-value transactions of under 30 euros. If there are more than five of these transactions conducted serially, or if the total of all payments for multiple transactions exceeds 100 euros, then the SCA is required. Recurring transactions need only be validated the first time with SCA, then they may be repeated automatically for the same amount. There is also a provision for merchant whitelisting for labeled “low-risk” transactions so deemed by the card issuers, mail orders and telephone orders that are exempt, and corporate payments initiated by a business as opposed to a consumer. As the SCA came into force in September 2019, there were delays by as much as 18 months for business in countries like the U.K. and others.

There are also implications for mobile devices and desktop computing platforms. SMS-based authentication will be used, as the EBA has allowed SMS as an SCA feature for authentication as something the user possesses. But SMS is not a truly secure technology. SIM cloning, malware, and jailbroken phones are the cause of continued concern. SMS also doesn’t have transaction audit support.

In the final analysis, it is still a race to the bottom. Given the likely dependence on SMS and the significant vulnerabilities associated with it, fraud will perhaps be reduced but certainly not eliminated. Attackers will penetrate point-of-sale, bank, and financial networks and will continue to perpetrate fraud. Credit cards and related authentication will be stolen, and cyber thieves will do the research to clone the phones and defraud accounts so compromised.

Deception technology is the perfect solution by design for the cyber challenges that continue to impact financial transactions.

Deception technology can help you more rapidly identify cyber attackers and uncover their activities. More rapid detection reduces your risk of these attackers accessing your sensitive data and defrauding your accounts.

Deception is able to detect the reconnaissance of the stealthiest attackers and is your highest accuracy warning system for finding and eliminating these threats. Anywhere they go in your networks, deception technology will lure them out and bait them into investigating a decoy. Once that happens, you have them before they can complete their Kill Chain execution.

Deception is also blessedly black and white. Either it detects a threat at a very high probability of certainty or it doesn’t. There is no nebulous middle ground full of noisy alerts. The high-integrity alerts generated by deception technology help reduce the mountain of extraneous alerts that today bombard your information technology and cybersecurity practitioners.

Find out more about Acalvio and how deception technology can help you make your financial transactions safer. We’d be pleased to introduce you to our latest technology and share information about customers that have used Acalvio ShadowPlex to protect banks and financial transactions around the world.