UKTN: SCA and PSD2, Achieving compliance in the new era of banking security

Earlier this month, the Strong Customer Authentication (SCA) requirements have finally come into effect. The goal is to reduce fraud and enhance security by strengthening the authentication process. Since the requirements for SCA are finally in full effect, lets look at the pros and cons of SCA and the most necessary security measures that have to be taken in order to be compliant.

Pros
The introduction of SCA will enhance security within the payments landscape and forces weak authentication methods to be phased out. Also, the authentication process can be adjusted to the level of risk that is at stake. This means that less authentication is needed for lower risk transactions.

Cons
The implementation of SCA results in a situation where users of an application probably have to authenticate twice: once in the application of the Third Party Provider (TPP) and once to use a bank account via the application. Additionally, authentication flows can differ for each bank or TPP which could be confusing for consumers. Finally, timelines for SCA have shifted in recent months and deadlines became fragmented. This means that different parties have to deal with different timelines for SCA compliance.

Important security measures to achieve PSD2 complianc

  • Transaction monitoring has to be implemented to deter fraudulent payments and to prevent fraud.
  • Replication protection is mandated by PSD2 which means that countermeasures have to be implemented in applications to prevent the replication of authentication factors.
  • Dynamic linking is also an important PSD2 requirement. This means that the payer must be aware of the amount and recipient of the transaction and the authentication code must be dynamically linked to these details.
  • Independent authentication elements have to be provided for authentication, to ensure that the breach of one authentication factor does not compromise another factor.