As Europe moves toward a more efficient payment system designed to better meet the needs of digital commerce and cross-border transactions, a program called PSD2 Strong Consumer Authentication has emerged as a cornerstone of that effort. In fact, secure authentication stands as one of the prime requirements of the European Union’s second Payment Services Directive, commonly called PSD2.
The goals of Strong Consumer Authentication within PSD2 are to reduce online transaction fraud and better protect consumer data by requiring two-factor authentication for payments exceeding 30-euros
That might sound like a new robot from “Star Wars,” but PSD2 represents a decade-plus effort to rework the competitive landscape for payments in Europe. The first Payment Services Directive, adopted in 2007, created a single market for payments in Europe and provided the legal foundation for the Single Euro Payments Area, which, among other results, made bank transfers simpler and easier, according to the European Payments Council.
The revised directive, PSD2, is designed to reflect the rise of online payments and the entrepreneurs and new services that have sprung up to meet consumer demand in this digital environment. Those new players did not fall under the regulatory umbrella of the 2007 directive, making an update necessary. According to the payments council, the new PSD2 will “make payments safer, increase consumer protection, and foster innovation and competition while ensuring a level playing field for all players, including new ones.”
How PSD2 Strong Consumer authentication will work for European payments
Now the payments and secure authentication industries in Europe—and those companies that serve Europe—are working hard to meet PSD2 requirements. EU members are expected to approve these requirements into their national laws by Jan. 13, 2018. The PSD2 Strong Consumer Authentication piece is scheduled to come into force in the fourth quarter of 2018.
“PSD2 mandates Strong Consumer Authentication for transactions above €30 (about US$36), meaning two-factor authentication will be required to verify the transaction,” according to secure authentication firm Signicat, which has recently released a white paper on the subject. “SCA mandates that authentication is based on at least two of the three elements of knowledge, possession and inherence.”
According to the European Payments Council, the goals of PSD2 Strong Consumer Authentication are to reduce online transaction fraud and better protect consumer data. That means all electronic transactions conducted under the PSD2 regime will have to include two of the following three factors: Something only the user knows, such as a password or PIN; something only the user possesses, such as a key; and something the user is, which means a biometric such as fingerprints or voice recognition.
For remote transactions, however—think mobile purchases—it also requires the use of “unique authentication codes that dynamically links the transaction to a specific amount and a specific payee.” PSD2 Strong Consumer Authentication rules do not apply to transactions below that 30-euro amount, or when the beneficiary is already identified.
That’s not to say the requirements won’t face challenges. In its white paper, for instance, Signicat cautions that, “SCA could damage business by creating more friction for the consumer at the checkout. Once SCA is triggered, providers will be forced to look for ways to simplify the transaction process either through exemptions or low-friction (method).”