Nov 30, 2020
SCA, Strong Customer Authentication: its role and how to implement it
Strong Customer Authentication is one of the key requirements for companies to operate online. Its focus on developing secure procedures in relation to electronic payments will redefine online operations and activities.
Identity verification plays a key role within this concept and solves many of the problems that previously existed when both companies and users face online transactions with confidence and peace of mind.
What SCA really is
SCA, an acronym for Strong Customer Authentication, is a concept born from the need to reinforce security in certain online processes. The focus of this term is on reducing payment fraud. SCA is understood as the authentication process that must be carried out to corroborate the real identity of a remote client or user.
The main difference between the traditional user authentication process for online payments and the SCA process is the introduction of two-factor authentication. In this way, the risk of online fraud is greatly reduced.
Thus, we understand Customer Authentication as a method of identifying a customer through a single factor (entering simple registration data), and Strong Customer Authentication, or SCA, as a method that requires more than one factor to verify the identity of a customer.
There are three categories of authentication factors to verify the identity of a customer:
- Knowledge: something that only the customer should know, such as a password, a PIN, an account number, the bank card details (CVV), the address…
- Possession: something that only the payer should have, such as access to a mobile phone (for receiving an OTP), a physical identity document, an NFC card (token)…
- Inherence: something that the payer is, that is, factors associated with biometrics. For example, the iris, a voice pattern, or a facial biometric pattern.
When our customer authentication process requires two or more factors belonging to two or more of these categories, we can then talk about an SCA, Strong Customer Authentication, process.
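As an added illustration (not code from the original article or from eID), the following policy check encodes the rule just stated: a set of verified factors counts as SCA only when at least two of them come from at least two different categories. The factor-type names and the category mapping are assumptions chosen for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "knowledge"
    POSSESSION = "possession"
    INHERENCE = "inherence"


# Assumed mapping of factor types to the three SCA categories described above.
FACTOR_CATEGORY = {
    "password": Category.KNOWLEDGE,
    "pin": Category.KNOWLEDGE,
    "card_cvv": Category.KNOWLEDGE,
    "sms_otp": Category.POSSESSION,
    "nfc_token": Category.POSSESSION,
    "face_biometric": Category.INHERENCE,
    "voice_pattern": Category.INHERENCE,
}


@dataclass(frozen=True)
class VerifiedFactor:
    kind: str        # one of the keys of FACTOR_CATEGORY
    verified: bool   # whether the factor check actually succeeded


def sca_satisfied(factors):
    """Return (ok, reason): SCA needs >= 2 verified factors from >= 2 categories."""
    for f in factors:
        if f.kind not in FACTOR_CATEGORY:
            raise ValueError(f"unknown factor type: {f.kind}")
    verified = [f for f in factors if f.verified]
    if len(verified) < 2:
        return False, "fewer than two verified factors"
    categories = {FACTOR_CATEGORY[f.kind] for f in verified}
    if len(categories) < 2:
        only = next(iter(categories)).value
        return False, f"all factors from the same category: {only}"
    names = ", ".join(sorted(c.value for c in categories))
    return True, f"SCA satisfied with {names}"


if __name__ == "__main__":
    # Password + card CVV are both knowledge factors: not SCA.
    print(sca_satisfied([VerifiedFactor("password", True), VerifiedFactor("card_cvv", True)]))
    # Password + SMS OTP span knowledge and possession: SCA.
    print(sca_satisfied([VerifiedFactor("password", True), VerifiedFactor("sms_otp", True)]))
```

Note that a factor that failed verification does not count, so a password plus an OTP that was never confirmed is still single-factor.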
Contact eID through this form and we will advise you on authentication methods to comply with the SCA standard.
Although the concept can be understood in isolation and it is applied throughout the world, it has taken shape and been standardized thanks to its official introduction in regulations. SCA is the central axis of the new PSD2 regulation.
Its role within PSD2
PSD2 is the European Directive on payment services that standardizes the procedures for conducting online transactions. It significantly broadens the scope and obligation that its predecessor PSD had already introduced, as well as incorporating new extended rights for consumers.
PSD2 modifies the access to payment information, simplifies procedures by eliminating intermediaries, transforms the way of acting of financial entities and includes SCA.
Learn in-depth in this article all the details about the PSD2 (Payment Services Directive 2) regulation.
PSD2 has made the Strong Customer Authentication processes mandatory. Thus, the SCA is presented as a set of requirements for any company with an online presence to operate.
This regulation applies directly to financial institutions and TPPs (third-party providers), transforming payment gateways and forcing them to comply with the same standards as traditional ones. Any electronic payment transaction, or any remote activity that may involve a risk of fraud or a payer's access to their digital payment account, must include the SCA process of strong customer authentication.
Facial biometrics in SCA
Among the three types of authentication factors that can be used for an SCA process, inherence is the one that is most difficult to forge, alter or steal. We have seen how passwords, PINs, access to mobile phone data or duplicates of low-security NFC cards have been forged and stolen.
However, identification factors such as the iris or the facial biometric pattern in real-time represent a high-security method that is impractical for potential offenders, even despite deepfakes or other face replication methods.
Biometric facial recognition is one of the safest methods to create an identity verification factor within a Strong Customer Authentication process.
This technology is capable of effectively and securely verifying the identity of a subject through streaming video. Thanks to advances in artificial intelligence and machine learning, technologies such as SmileID and VideoID create an unequivocal, dynamic mathematical pattern, not only of the face but also of the smile, its movement and gestures, to prove the identity of a person.
Choosing biometric facial recognition as the second factor (2FA) within a multi-factor authentication strategy is essential to develop an SCA process that offers guarantees and complies with PSD2.
Strong Customer Authentication and KYC
The KYC (Know Your Customer) process, widely known in the banking and financial sector, sets its focus on verifying the identity of the customer in such a way that it is legitimately checked that they are who they say they are. It is a standardized and mandatory process.
When we carry out this process online and remotely, we then talk about the eKYC process (electronic Know Your Customer). It verifies the identity of the client unequivocally and legitimately, applying a series of precise and advanced AML controls, so that the client can carry out processes of all kinds over the internet.
Thanks to eKYC, it is possible, for example, to open bank accounts remotely, digitally onboard clients or perform payments of large amounts with an agile, simple process and in less than 3 minutes. Along with SCA processes, customers can carry out all kinds of online activities with guarantees and security.
The eKYC process must comply with AML5 (Anti-Money Laundering Directive 5) and eIDAS (electronic IDentification, Authentication and trust Services) regulatory standards in order to be reliable and safe.
AML5, eIDAS and PSD2 shape the regulatory framework so that companies can operate on the internet and users are safe from online fraud, not only in Europe but throughout the world, since their standards are adapted to the regulations of other states and countries.
Download at this link our complete whitepaper on eIDAS and AML5.
eID, strong customer authentication solutions provider
Electronic IDentification, eID, has developed specific tools to comply with SCA procedures within any type of online activity, both for businesses required to comply with PSD2 and those that must integrate secure processes for their online activities.
As a RegTech and digital transformation partner, it develops customized solutions for the needs of companies in all sectors in their user-company relationships.
Request a free trial of our authentication and identification products for SCA processes here.