September 2019 will usher in a new paradigm in terms of online payment security and trust. September is the month when the requirements for Strong Customer Authentication (SCA) under the Revised Payment Service Directive (PSD2) will go live in the European Economic Area. Most payment processors and service providers are already working on implementing the same as the Regulatory Technical Standards (RTS) for Strong Customer Authentication were defined and adopted in 2017 itself.
As the name suggests, Strong Customer Authentication requires a customer initiating an online payment transaction to be authenticated by the service provider in a manner that is a lot more robust and fool proof than what was previously being done.
The need for having SCA in payment transactions is obvious. As more and more transactions move online, so do more bad actors who want to disrupt those transactions in order to profit personally. In order to protect retail users from such fraud, the European Commission wants to bring in regulations that can tackle the problem in a standardized manner. So that rather than having to worry about which bank or payment service provider offers the best authentication, you can rest assured that all of them mandatorily follow the minimum requirements that the European Commission deems appropriate to protect the consumer.
The philosophy behind SCA is that a strong authentication can be provided by a combination of at least two of the following:
Something that the user knows (like a password, secret question etc)
Something that the user owns (a mobile number to receive a One-Time password or a smart card that you have in your possession)
Something that the user is (fingerprints, voice pattern recognition, retina scans, etc.)
PSD2 mandates that Strong Customer Authentication is established using two or more of the above category of authentication features.
Implementing Strong Customer Authentication
Knowing what SCA is and why you need it, is just half the battle. The actual implementation is what matters in terms of having a noticeable impact on transactional security. The technical standards define the broad scope of what should be achieved and ensured – things like authentication requirements, independence of elements, monitoring, risk analysis, exemptions and so on.
The electronic identity (eID), with its cross-border usage and recognition as governed by the eIDAS regulation, can constitute an authentication mechanism based on what a user has (eID card) and knows (PIN). The Regulatory Technical Standard also requires qualified certificates for electronic seals and website authentication, as defined by eIDAS.
The actual implementation of SCA standards is where Hardware Security Modules (HSMs) come into the picture. They provide hardware Root of Trust which can help achieve Strong Customer Authentication for online payment transactions. These devices have the flexibility to allow multi-factor authentication requirements which are mandated to achieve SCA under the new regulations.
To stand the high expectations of eIDAS (and to contribute to its legal probative value), Hardware Security Modules should comply with the eIDAS Protection Profile EN 419 221-5, providing compliant and highly secure banking-grade and qualified trust services. Companies have already brought compliant modules into the market and this will undoubtedly help financial service providers jump start the next phase of their digital transformation.