Strong Customer Authentication (SCA) became compulsory on 31 December 2020 for services taking electronic payments from the European Economic Area (EEA). This covers contactless point-of-sale payments, online card transactions, and banking services such as the Faster Payments system. In the UK, the Financial Conduct Authority set a later deadline for full SCA compliance on e-commerce transactions, which came into effect on 14 March 2022.
Why is SCA important?
SCA is only mandatory when both the payer's and the payee's payment service providers are inside these jurisdictions; if either party is based elsewhere, it is not currently a requirement. Even so, it would be prudent for Payment Service Providers (PSPs) around the world to ensure that their online payment services meet SCA requirements. Not only is this good practice, but other countries are likely to enact similar policies eventually, as Australia did in 2019.
Although businesses and customers alike may question the need for another layer of authentication, the rise in fraudulent transactions has driven this development. According to Action Fraud, more than 103,000 reports of online shopping and auction fraud were received in 2020. UK Finance, which represents the banking industry, revealed that more than £750 million was stolen through fraud in the first half of 2021. Consumers need to be confident in the integrity of the payment system and the safety of their money.
Online banking has grown alongside online and contactless transactions: the proportion of people in the UK using it rose from 30% in 2007 to 76% in 2020. Some groups of users have objected, because they don't have a mobile phone, can't get a reliable signal, or face other barriers that prevent them from using SCA effectively. However, several banks have agreed that customers can receive security codes via landline (Lloyds, Tesco and TSB, for example) or continue to access accounts and make payments in branch (as at Santander).
Currently, the original 3D Secure protocol asks the user to satisfy one additional verification step before a payment is authorised, typically a code sent via SMS to the phone number registered to the bank account. This version of 3D Secure is due to be phased out later in 2022 in favour of 3D Secure 2.
What’s needed for authentication?
The revised Payment Services Directive (PSD2) requires that a payment service provider verify the user's identity with SCA before a transaction can be approved; for online card payments this is delivered in practice through the 3D Secure 2 protocol. SCA requires two independent elements from the user, and they must come from two different ones of the following three categories:
• Knowledge - something only the user knows, such as a password or a PIN.
• Possession - something only the user has, such as a phone that receives a one-time code via SMS, or a registered banking app.
• Inherence - something that’s a part of what the user is, such as a fingerprint.
Some banks have chosen to enact SCA by sending a notification to their online banking app, detailing the merchant's name and the amount to be paid. The payer must then log in to the app (knowledge) and confirm on that registered device that the transaction is valid (possession). Digital wallet services such as PayPal, Apple Pay and Google Pay are built to meet two-factor requirements themselves, typically by combining a registered device (possession) with a passcode or biometric (knowledge or inherence).
There are several exemptions from SCA, which include:
• Merchant-initiated transactions - i.e., payments taken on a date previously agreed with the customer, such as pre-authorised card payments taken periodically. Direct debit mandates fall under this exemption only if the customer's bank is not involved in the initial setup.
• For recurring payments such as standing orders and subscriptions, only the first payment requires SCA. If it’s amended at a later date, then SCA will be required again.
• Low-value contactless payments of up to £100 per transaction, provided the cumulative contactless total since the card was last used with SCA does not exceed £300. Once either limit is breached, the cardholder must perform SCA (typically by entering their PIN), which resets the running total.
• Unattended payment terminals for payment of transport fares or parking fees.
• Credit transfers where the payer and payee are the same person.
• Whenever corporate payments are made via dedicated payment processes not available to consumers.
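The two rules above that are easiest to get wrong in an implementation are the "two elements from different categories" requirement and the contactless counter (a per-transaction limit and a cumulative limit that resets on SCA). The following is an added worked example, not code from the article or from any PSP or card scheme: a small issuer-side decision routine that applies the listed exemptions, tracks the cumulative contactless total, and checks that the presented authentication elements span at least two categories. The thresholds (£100 per tap, £300 cumulative) are the article's; the data model, field names, channel labels and the assumption that both limits are inclusive are mine.

```python
"""
Illustrative SCA decision logic (added example, not from the original article).

Assumed, not taken from the article: the CardState/Transaction data model, the
channel names, and that the £100 and £300 limits are inclusive. Amounts are in
pence so that money never goes through floating point.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Sequence


class Category(Enum):
    KNOWLEDGE = "knowledge"    # password, PIN
    POSSESSION = "possession"  # phone receiving an SMS code, registered app, the card itself
    INHERENCE = "inherence"    # fingerprint, face


CONTACTLESS_SINGLE_LIMIT = 100_00      # £100 per tap (article figure)
CONTACTLESS_CUMULATIVE_LIMIT = 300_00  # £300 since the last SCA (article figure)


@dataclass
class CardState:
    """Issuer-side counter: contactless spend since SCA was last applied to this card."""
    contactless_since_sca: int = 0


@dataclass
class Transaction:
    amount: int                         # pence
    channel: str                        # "contactless", "ecommerce", "unattended", "credit_transfer", "corporate"
    merchant_initiated: bool = False    # pre-agreed MIT, e.g. a periodic card-on-file charge
    recurring_subsequent: bool = False  # later payment of an unchanged recurring agreement
    payer_is_payee: bool = False        # transfer between the same person's accounts


def exemption_for(tx: Transaction, state: CardState) -> Optional[str]:
    """Return the name of the exemption that applies, or None when SCA must be performed."""
    if tx.merchant_initiated:
        return "merchant-initiated"
    if tx.recurring_subsequent:
        # Only the first payment of a series needs SCA; an amended series starts again,
        # so the caller must clear this flag when the amount or schedule changes.
        return "recurring (only the first payment needs SCA)"
    if tx.channel == "unattended":
        return "unattended transport/parking terminal"
    if tx.channel == "credit_transfer" and tx.payer_is_payee:
        return "payer and payee are the same person"
    if tx.channel == "corporate":
        return "dedicated corporate payment process"
    if tx.channel == "contactless":
        within_single = tx.amount <= CONTACTLESS_SINGLE_LIMIT
        within_cumulative = state.contactless_since_sca + tx.amount <= CONTACTLESS_CUMULATIVE_LIMIT
        if within_single and within_cumulative:  # both limits must hold, not either
            return "low-value contactless"
    return None


def distinct_categories(elements: Sequence[tuple[str, Category]]) -> set[Category]:
    return {category for _, category in elements}


def satisfies_sca(elements: Sequence[tuple[str, Category]]) -> bool:
    """SCA needs two or more elements drawn from *different* categories.
    A password plus a PIN is two elements but one category, so it fails."""
    return len(distinct_categories(elements)) >= 2


def authorise(tx: Transaction, state: CardState,
              elements: Sequence[tuple[str, Category]] = ()) -> tuple[bool, str]:
    """Decide the transaction and maintain the contactless counter.

    Returns (approved, reason). An exempt contactless tap adds to the running
    total; a successful SCA resets it to zero.
    """
    exemption = exemption_for(tx, state)
    if exemption is not None:
        if tx.channel == "contactless":
            state.contactless_since_sca += tx.amount
        return True, f"exempt: {exemption}"
    if satisfies_sca(elements):
        state.contactless_since_sca = 0
        return True, "SCA performed"
    return False, "SCA required but elements do not span two categories"


if __name__ == "__main__":
    # Constructed sample: three £90 taps pass, the fourth breaches the £300 total
    # and is declined until the cardholder presents PIN (knowledge) + card (possession).
    card = CardState()
    for _ in range(3):
        print(authorise(Transaction(90_00, "contactless"), card))
    print(authorise(Transaction(90_00, "contactless"), card))
    print(authorise(Transaction(90_00, "contactless"), card,
                    [("pin", Category.KNOWLEDGE), ("card", Category.POSSESSION)]))
```

The point to notice is that the counter lives with the issuer, not the merchant, and that the category check is on distinct categories rather than on the number of prompts shown to the user; two SMS codes, or a password followed by a memorable word, would still be a single factor.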
What should you be doing?
With these new requirements in mind, businesses and organisations may find that existing procedures will need to be adjusted to ensure a continuation of services, even if they’re not operating within the retail sphere.
For instance, if there isn't already a documented procedure for paying supplier invoices via Faster Payments, now would be the time to write one. Ideally, two senior members of staff would be designated to make such payments, with the SCA confirmation code delivered to a work-provided phone rather than a personal one. Similarly, booking transport and accommodation for business travel could be assigned to one member of the finance team. Corporate cards used through dedicated corporate payment processes are exempt from SCA, so issuing these to staff who travel often may be another viable option.
A full audit of outgoing payments, their sources and the requisition process should reveal any adjustments that need to be made. Payments are a prime target for compromise: phishing and whaling (phishing aimed at senior staff) attacks are often directed at specific members of staff known to hold financial responsibility, so clear procedures help protect your organisation against exploitation, monetary loss and reputational damage.
If you're unsure what cyber security procedures you might need to put in place, or how to educate your employees about what to do when they receive a phishing campaign, then look no further. At Cyber Security Associates, we can help your staff with security training to create a more cyber-secure culture within your business. As well as e-learning courses, we offer webinars and sessions for organisations of all sizes, in both the public and private sectors. Find out more about how we can help, and get in touch with us today.