Skip to main content

Back to Blog

Are PSD2 SCA Options Too Narrow in Scope?

On September 14th, new PSD2 requirements known as Strong Customer Authentication (SCA) were introduced across Europe. These requirements are part of the EU Revised Directive on Payment Services (PSD2) and are intended to increase security for online payments. We are living in an increasingly security-conscious time, and the EU is making meaningful steps with GDPR and PSD2 to address the cybersecurity concerns of EU citizens.

One study found that 88% of daily Internet users in the EU expressed substantial concerns regarding becoming the victim of cyberattacks. The same study also found that 77% of daily Internet users expressed significant concerns about their personal information not being kept safe by websites.

With this in mind, we want to answer the following questions: What do these changes mean for customers and businesses? Are these changes enough, or is there more that organizations should consider? And finally: Are customers and businesses prepared for these changes?

What Is Strong Customer Authentication

SCA means that banks, merchants, and service providers will have to update their systems to include extra customer authentication steps for all electronic payments over 10 euros. The purpose of these additional authentication steps is to provide an increased level of security for customers, protecting them from fraud, or the mishandling of their data. At least two of the following authentication steps must be used:

Something the customer KNOWS

“Something the customer knows” could be a password, PIN, passphrase, or a secret fact or answer. The idea is that this would be something only the customer would know and would easily be able to recall.

Passwords and PINs are now so ubiquitous that we can often forget why they are so important, or what our responsibility is as a password creator. When something becomes so normalized, we become relaxed with it and start to see creating a password as an extra annoying step to creating yet another online account. Convenience and memory concerns are why we reuse passwords, even when we know it is risky. That is also why we default to picking something familiar to us, like the name of our favorite sports team, our pet’s name or a celebrity. These behaviors make for weak passwords and leave our accounts vulnerable.

While it is our own responsibility as the password creator to create a strong password and to not reuse it, it’s fair to say that bad password hygiene is alarmingly common. By requiring additional forms of authentication for online payments, we can add a layer of security to protect ourselves.

Something the customer HAS

“Something the customer has” is something that the customer, and only the customer, should possess. Examples are phones, hardware tokens, smartwatches, or smart cards.

This type of authentication aims to reduce the success of remote cyber-attacks. High profile data breaches have become a depressingly regular reality in the last decade, with many millions of user credentials leaked. These leaked credentials find their way onto databases on the dark web where cybercriminals can use them to attempt credential stuffing and account takeover attacks.

Account takeover can be conducted from anywhere in the world as long as the attacker has the right username and password. If your credentials have been exposed and you have reused these credentials across several accounts, then the attacker could potentially gain access to several of your accounts. Once inside your accounts, they could commit fraud or steal your personal data.

However, a remote attacker can usually be thwarted by the “something the customer has” type of authentication because the attacker has a harder time accessing it. Most of us carry around mobile devices and an increasing number of people are opting for wearable tech. This is something that only you have access to, or at the very least, something which should be incredibly difficult for a remote attacker to utilize. Although bad actors are increasingly finding ways around this second factor, according to Google and the recent hack of Twitter’s CEO is an example of this.

Something the customer IS

“Something the customer is” refers to biometrics such as fingerprint, facial recognition, iris recognition, or voice patterns.

The benefit that biometric authentication provides is similar to that of carrying a smartphone or a hardware token; only it takes it one step further. Authentication through a smartphone only works because so many people carry one. With smartphone dependency increasing, you are usually unlikely to be caught without one. However, that isn’t always the case. Sometimes our phones run out of charge, or we forget to pick them up; then we can be locked out of our account. It is even more true for a hardware token where you may leave it somewhere safe at home and rarely remember to take it out with you.

Biometrics can help solve this problem. After all, you’re never going to be caught without your fingerprint, face, or Iris. Voice recognition authentication is a little riskier in this regard. While technology has come a long way, your vocals can be made to sound very different if you have a respiratory illness or there is a lot of background noise.

Biometric authentication has several advantages. It is difficult to forge fingerprints and other biometrics, making it excellent for protection against fraud. There is also a strong sense of accountability since only you have access to your body. They are also designed to be quick, requiring minimal effort to use. But there are inherent risks associated with biometrics. The main one being that if your biometric information is exposed, you cannot change it if it gets exposed with some other risks outlined by Dark Reading. The US-based NIST agency outlines additional concerns around biometrics in that they are based on probable risk vs. definitive risk.

Is This Enough?

There is always an opportunity to increase security protections further. Has the EU Revised Directive on Payment Services (PSD2 SCA) gone far enough? For example, screening for exposed passwords or credentials is another sophisticated tool that can be used by businesses to protect their customers against fraud and account takeover without introducing additional user friction. Customer credentials can be compared to databases of known, exposed credentials, or weak and common passwords. Credential screening or password filtering is a low-friction security measure because it only requires action by the customer when it detects an exposure. It also makes users more aware of how secure their credentials are. The requirement to check against compromised passwords has been added to the National Institute of Standards and Technology (NIST) password guidelines in the United States. It’s somewhat surprising that the EU didn’t take this opportunity to add the same.

Are We Prepared for These Changes?

In 2013 The European Central Bank (EBC) first released the final recommendations for the security of internet payments, and the discussion continued to evolve from then. It was three years ago in 2016 that the SCA regulation was announced and businesses began to prepare for the regulation coming into effect this month, in 2019. Well, in truth, many organizations are wholly unprepared, but why?

The regulation was challenged with immediate backlash by some businesses. Payment services giant Visa, was outspoken about its concerns, saying: “Changes mean no more express checkouts or quick in-app payments from mobiles, reduced access to non-European online shopping sites, and longer queues at places like toll booths and parking.”

Many businesses and industry leaders are concerned that the additional steps required by the regulation will cause friction during the checkout process. It’s feared that this friction will have a direct impact on sales as customers choose to abandon their shopping carts in frustration. According to data on Statista, 69.57% of shopping carts were abandoned so far in 2019. SCA would potentially cause this figure to increase significantly. Customers will hopefully adapt to the new process, and businesses will implement improved checkout flows and tools to help with user friction.

These concerns have led to some businesses lobbying for delays to the regulation, likely in the hopes that it will eventually be discarded. For other businesses, they may simply be unaware of the changes. According to Mastercard, “75% of online merchants in Europe are potentially unaware of a new security standard set to come into effect.”

The Impact on Customers

The regulation has the potential to be frustrating to customers. Many EU customers will not have access to biometric authentication options through their devices and will be forced to opt for the other two options, which will be more time-consuming. This may become even more frustrating if unprepared businesses choose to use a service that already has this compliance built-in, such as Apple pay. These systems provide an easy solution to companies and a smooth process for customers who can use biometric payment systems but makes it more frustrating to users without this access.

In a climate where more and more people are exercising caution when it comes to sharing their personal information, customers find themselves in a strange position. They potentially will have to trade more personal data about their devices or their body for increased security protections. Many European customers have not yet shared their mobile phone number with their banks or e-commerce platforms but will likely be forced to as part of this regulation.

Despite the expected hiccups, PSD2 SCA will ultimately be a good thing for customers, awarding them extra protections in an era rife with data breaches and cyberattacks. EU citizens also appear to be less concerned about being frustrated than businesses deem them to be. In a study of 4000 customers from the UK, France, Spain, and Germany, only 14% said that a complex security process would make them feel frustrated. Yet, 71% of the respondents to an Akamai/Ponemon Institute survey said that “preventing credential stuffing attacks is difficult because fixes that prevent such action might diminish the web experience for legitimate users.” So clearly, businesses still see it as a concern.

Nonetheless, we ask this critical question: why did they not consider lower-customer-friction options like compromised credentials screening? Hopefully, that option will become available in future versions of PSD2 SCA.