PSD2 — Strong Customer Authentication

PSD2 — Strong Customer Authentication

Last September, a new set of laws and legislation were introduced by the European Union called PSD2. PSD stands for Payment Services Directive and this second one is a follow-on from PSD1, which was introduced back in 2007.

The whole point of PSD2 is to make e-Payments more secure. One of the main requirements from it, for payment service providers like Trustap, is ‘Strong Customer Authentication’ (SCA). In October 2019, the European Banking Authority announced that by December 2020, SCA will be fully enforced.

What does this mean for me?

Authentication, up until now, has just been a way of proving you are who you say you are so that payment service providers are happy to let you proceed with your payment.

SCA will require authentication to use at least two of the following three elements:

– Something the customer knows e.g. Password, PIN or Security Question
– Something the customer has e.g. Mobile Phone or Laptop
– Something the customer is e.g. Facial Recognition or Fingerprint

You will be allowed to use the same device to initiate the payment and to pass authentication.

What kind of payments will require SCA?

Any ‘Customer Initiated’ payment within Europe will require SCA and the banks will reject any payments that don’t have it. Most card payments and all bank transfers fall under this category and so they will all require SCA.

Will there be any exceptions?

The only types of payments that won’t necessarily require SCA are payments that are deemed to be ‘Merchant Initiated’ like when you use your card in a shop or when recurring direct debits or subscriptions are set up. Some ‘Low-Risk’ payments will also be exempt, or if your transaction is below €30, unless it has been a while since you were last authenticated.

By Luke Nicholson