SCA and PSD2: Achieving compliance in the new era of banking security

By Steven Murdoch, Chief Security Architect at OneSpan

18 months after they were initially published by the European Commission, the Strong Customer Authentication (SCA) requirements of PSD2 – also known as the Second Payment Services Directive – have finally come into effect.

These requirements will play a major role in enhancing the security of payments and reducing fraud, by strengthening the authentication processes of banks and financial institutions in Europe.

Ensuring SCA compliance marks the next step in the rollout of PSD2, but it is just one of the security challenges facing the banking industry. The relentless threat of fraud and cyber-attacks is placing more pressure on banks and financial institutions than ever before, meaning customer security can’t be anything other than a top priority.

So with SCA now in force, let’s take a closer look at the good and the bad of SCA under PSD2 and the most important security measures needed to achieve compliance with the new regulations.

SCA: The good

The introduction of SCA in PSD2 will be instrumental in increasing security across the financial services industry and harmonising the strength of authentication processes for financial applications.

As a result of PSD2, financial institutions have been forced to phase out weak authentication methods – such as solutions based solely on username/password combinations or those that rely on printed lists of authentication codes – and replace them with multifactor authentication in combination with transaction monitoring.

SCA requires banks to base authentication on two or more factors related to knowledge (e.g. passwords or PINs), possession (e.g. tokens or mobile devices), and inherence (e.g. biometrics), thereby striking a balance between convenience and security.

PSD2 ensures that these new methods become standard security tools in financial services, taking it much further than the regulation it is replacing – the EBA’s Final Guidelines on the Security of Internet Payments, which became applicable in August 2015.

SCA can be combined with intelligent authentication, which assesses the risk level of a transaction based on disparate data, such as transaction details, customer behaviour and device integrity, to determine what level of authentication is required.

For example, SCA exemptions are permitted for low-risk transactions, so intelligent or adaptive authentication can adjust the way in which the user is authenticated based on this risk and enforce the right level of authentication for each individual situation. It can also adapt based on user preference, ensuring that customers aren’t limited to an inconvenient authentication method (e.g. receiving an SMS when they don’t have mobile signal).

SCA: The bad

Despite its benefits, SCA does come with some limitations. The responsibility for protecting access to bank accounts is put in the hands of the banks themselves, which creates complexity when looked at in the context of Open Banking.

It means that users of applications from third-party providers (TPPs) will likely have to authenticate twice: once in order to access the TPP application, and a second time to use a particular bank account via the app. In addition, the authentication method and flow for different bank accounts depends on the bank that is being used, potentially resulting in a complicated user experience.

The other confusing factor is that the timeline for the enforcement of SCA requirements has shifted in recent months and deadlines have become fragmented. As a consequence, different payment service providers (PSPs) might have different timelines for SCA compliance, which could impact payments where multiple PSPs are involved.

Achieving PSD2 compliance

  • Transaction monitoring: PSD2 mandates the use of transaction monitoring to deter fraudulent payments and prevent threats like account takeover, new account fraud, and mobile fraud. Machine learning and data modelling technology analyse device, application and transaction data in real time to detect known and emerging fraud types in the online and mobile banking channels. This analysis produces a transaction risk score based on a number of factors – including known fraud scenarios and malware infection detection – which can then trigger immediate action based on pre-defined and/or customer-defined security policies and rules.
  • Replication protection: Cybercriminals are now investing more time and money than ever in attacking the mobile channel. As such, where an authentication factor is the possession of a mobile device, PSD2 mandates the use of countermeasures in apps to prevent the replication of the authentication factors. Technologies like mobile application shielding, for example, help to mitigate the risk of apps operating in untrusted and potentially hostile environments – all while ensuring the user experience is not affected.
  • Dynamic linking: This has been one of the most discussed requirements of PSD2 and was introduced to counter man-in-the-middle attacks, whereby the attacker changes the details of a transaction without the payer noticing. Such an attack could result in a genuine transfer of £100 to a friend turning into a rogue transfer of £1,000 to an imposter. To defend against this during payment transactions, the payer must be aware of the amount and recipient of the transaction and the authentication code must be dynamically linked to these details.
  • Independent elements: With mobile devices being such a target for attackers, payment providers must now ensure that the breach of one authentication factor does not compromise another factor. This is a particular concern for mobile devices given that they may handle multiple authentication factors. Functionality such as application shielding with runtime protection can secure the way apps are deployed to online stores and strengthen the way the platform interacts with the application, thereby mitigating the risks resulting from compromised mobile devices.
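A minimal illustration of the dynamic linking requirement described above, added here as an example and not code from the original article or from any OneSpan product: the authentication code is an HMAC over the amount and payee the payer actually sees, so a transaction whose details were altered in transit fails verification at the bank. The key, the per-transaction challenge and the IBANs are constructed values.

```python
import hmac
import hashlib
import secrets
from decimal import Decimal

# Constructed demo key. In a real deployment this secret lives in the
# customer's authenticator (hardware token or shielded mobile app).
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def new_challenge() -> str:
    """Bank issues a fresh random challenge per transaction, so a code
    captured once cannot be replayed for a later payment."""
    return secrets.token_hex(8)


def canonical_transaction(amount: str, currency: str, payee: str, challenge: str) -> bytes:
    """Fixed-format encoding of the details shown to the payer.
    Authenticator and bank must build identical bytes, so the amount is
    normalised ('100' and '100.00' must yield the same code). The '|'
    separator cannot occur in an IBAN or an ISO currency code."""
    amt = format(Decimal(amount).quantize(Decimal("0.01")), "f")
    return "|".join(["v1", amt, currency.upper(), payee.replace(" ", ""), challenge]).encode()


def generate_auth_code(key: bytes, amount: str, currency: str, payee: str, challenge: str) -> str:
    """Authenticator side: the code is bound to amount and payee."""
    mac = hmac.new(key, canonical_transaction(amount, currency, payee, challenge), hashlib.sha256).digest()
    # Reduce the MAC to an 8-digit code the user can type back, using the
    # dynamic truncation step from HOTP (RFC 4226).
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10**8:08d}"


def verify_auth_code(key: bytes, amount: str, currency: str, payee: str, challenge: str, code: str) -> bool:
    """Bank side: recompute over the transaction it is about to execute.
    If a man-in-the-middle changed the amount or payee, the bytes differ
    and the code the payer entered no longer matches."""
    expected = generate_auth_code(key, amount, currency, payee, challenge)
    return hmac.compare_digest(expected, code)


if __name__ == "__main__":
    challenge = new_challenge()
    friend = "GB29 NWBK 6016 1331 9268 19"      # constructed example IBAN
    code = generate_auth_code(DEMO_KEY, "100", "GBP", friend, challenge)
    print("payer approves GBP 100.00 ->", code)
    print("bank sees  GBP 100.00 to friend   :", verify_auth_code(DEMO_KEY, "100", "GBP", friend, challenge, code))
    print("bank sees  GBP 1000.00 to imposter:", verify_auth_code(DEMO_KEY, "1000", "GBP", "GB94BARC10201530093459", challenge, code))
```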

One thing that’s clear in today’s threat landscape is that ensuring security is certainly not an easy task for banks and financial institutions. By embracing SCA and keeping these key measures in mind, businesses can significantly strengthen their security posture and put themselves in the best position to ensure PSD2 compliance.