Strong customer authentication - what is it?
Published 31 March 2021
From September 14, 2019, banks in the 31 countries of the European Economic Area are required to verify the identity of a person who has made an online purchase before processing the payment. This is done to increase the security of online payments and reduce fraud. How is this idea implemented?
That is what Strong Customer Authentication (SCA) is for.

Simply put, SCA is a set of rules that payment systems must follow to authenticate the user. In order to be able to accept payments, banks integrate an additional authentication step into the ordering process.

Take regular internet acquiring as an example: previously, the payment was made after entering the bank card details and a one-time password. Now another parameter is added to this chain, which increases the security of the transaction. What could it be?

According to SCA, when authenticating a customer, the bank must ask for two of the following three factors:

  1. Something you know (a password, a security question or a PIN code).
  2. Something you have (a smartphone, a smartwatch or another device).
  3. Something you are (a fingerprint or facial biometrics).

It is important to note that SCA does not affect payments in regular stores: you can pay for products in the nearest shop without additional verification. For online card payments, these requirements apply to transactions where the cardholder's bank is located in the European Economic Area (EEA).

Of course, there is an exception to every rule, and this one is no different. Which payments are not covered by SCA?

- Subscriptions with a fixed amount

If you regularly pay the same amount to Netflix or Spotify, only the first payment is additionally verified; all later payments of the same amount to the same business can be exempt from SCA.

- Payments under 30 euros

This needs little explanation, but there is a limit: the exemption no longer applies once it has been used 5 times or the total amount of such exempted payments exceeds 100 euros. The bank monitors these counters and decides whether authentication is needed.

- Payments initiated by sellers

If the payment is made with a card that is already linked to the merchant, that is, without the buyer's direct participation, it can be exempt from SCA. For example, if you link your card to Uber, you do not have to confirm every trip. The important thing here is that the card is authenticated either when it is linked or during the first transaction.

- Trusted beneficiaries

Cardholders can create a list of companies they trust and disable authentication for them in the future. However, not all banks support this option yet.

- Low-risk transactions

The payment provider that serves an online store can classify a payment as low-risk based on the results of its own risk monitoring system and skip the challenge.
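To make the exemption rules above concrete, here is an added example (not ePayService's or any bank's code) of how an issuer might track them per card. The 30 euro, 5 payment and 100 euro thresholds are the ones stated on this page; the class, function and field names are my own assumptions.

```python
from dataclasses import dataclass, field

# Thresholds as described on this page (assumed to apply per card, since last SCA).
LOW_VALUE_LIMIT = 30.0     # payments under this amount may skip SCA
LOW_VALUE_MAX_COUNT = 5    # how many times the low-value exemption may be used
LOW_VALUE_MAX_SUM = 100.0  # cumulative amount the exemption may cover


@dataclass
class CardState:
    """Issuer-side state kept for one card (hypothetical structure)."""
    exempt_count: int = 0                     # low-value exemptions used since last SCA
    exempt_sum: float = 0.0                   # euros exempted since last SCA
    trusted_merchants: set = field(default_factory=set)
    first_amounts: dict = field(default_factory=dict)  # merchant -> amount of first SCA'd payment


def sca_required(state, merchant, amount, merchant_initiated=False, fixed_subscription=False):
    """Return True if the bank should challenge this payment, False if an exemption applies.

    A low-value exemption consumes one use and adds to the running total, so the
    counters themselves enforce the '5 times or 100 euros' limit."""
    if merchant in state.trusted_merchants:
        return False  # trusted beneficiary: cardholder opted out for this company
    if fixed_subscription and state.first_amounts.get(merchant) == amount:
        return False  # same amount to the same business after an authenticated first payment
    if merchant_initiated and merchant in state.first_amounts:
        return False  # card was authenticated when linked or on the first transaction
    if (amount < LOW_VALUE_LIMIT
            and state.exempt_count < LOW_VALUE_MAX_COUNT
            and state.exempt_sum + amount <= LOW_VALUE_MAX_SUM):
        state.exempt_count += 1
        state.exempt_sum += amount
        return False
    return True  # no exemption applies: ask for a second factor


def complete_sca(state, merchant, amount):
    """Record a successful challenge: counters restart and the merchant becomes authenticated."""
    state.exempt_count = 0
    state.exempt_sum = 0.0
    state.first_amounts[merchant] = amount


if __name__ == "__main__":
    card = CardState()
    for _ in range(4):
        assert not sca_required(card, "shop", 25.0)   # 4 x 25 = 100 euros, still within limits
    print("5th payment of 25 euros needs SCA:", sca_required(card, "shop", 25.0))  # True
```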

Now let's talk about how SCA affects ePayService users.

ePayService cards have a 3D Secure feature.

What is 3D Secure?

This is a technology that additionally protects your card details when you shop online. 3D Secure adds another step to the payment process that identifies the buyer: entering a code sent by SMS.

This is how it happens:

  1. The customer clicks the "Pay" button when completing a purchase on the website.
  2. The payment system sends a one-time code, which the customer enters to confirm the payment.

In this way the cardholder confirms that the purchase is really being made by them.

3D Secure is a free feature, so that no one can make an online card payment without your knowledge. The code for confirming payments is sent to the phone number specified in your account.

We use two-factor authentication for all important actions in the system. In order to log in to your personal account and perform any financial transaction, you will need to choose one of several authentication methods:

  1. The easiest and most common: receive an SMS code.
  2. The second method requires the mobile app, to which we send a push notification.
  3. The third method is TOTP: time-based one-time login codes generated by the Google Authenticator app.

Additionally, we protect transactions with payment passwords, and a PIN, Face ID or Touch ID is used to log in to the ePayService app and confirm transactions there.

Why should I use mandatory authentication?

ePayService complies with the Strong Customer Authentication requirement, so to ensure your security we request a second authentication factor every time you log in to your account or make a payment transaction. Two-factor authentication cannot be disabled, as this would contradict the ePayService security rules. We protect your funds.

By Oksana
ePayService Team