As digital transactions continue to rise, securing these transactions is very important. The European Union introduced the Payment Services Directive 2 (PSD2) to enhance payment security and establish a unified framework for electronic payments across Europe. A crucial component of PSD2 is Strong Customer Authentication (SCA), which mandates multi-factor authentication to reduce fraud and protect consumers. This blog analyzes the legal and technical implications of PSD2 and SCA, highlighting their impact on payment security and the role of passkeys.
The Legal Foundation of PSD2 and SCA
Let’s start by having a look at the legal foundation.
Directive (EU) 2015/2366 (PSD2)
PSD2, adopted in 2015, set the stage for stronger payment security in the EU. It introduced the concept of SCA, requiring payment service providers to implement multi-factor authentication. The directive ensures that whenever users access their payment accounts online, initiate electronic payments, or perform any action that might involve a risk of fraud, they must undergo SCA.
Regulatory Technical Standards (RTS)
In 2018, the European Commission further detailed these requirements through Delegated Regulation (EU) 2018/389, known as the Regulatory Technical Standards (RTS) on SCA. These standards specify that SCA must involve two or more elements from distinct categories: knowledge (something only the user knows), possession (something only the user possesses), and inherence (something the user is).
Role of the European Banking Authority (EBA)
The EBA plays a crucial role in ensuring consistent application of these standards across EU member states. Through opinions, guidelines, and the Single Rulebook Q&A, the EBA provides clarity and guidance on implementing SCA, helping national regulators and market participants adhere to these stringent requirements.
Strong Customer Authentication (SCA) Requirements
SCA mandates that financial institutions implement at least two of the three authentication elements:
- Knowledge: Examples include passwords or PINs.
- Possession: This could be a smartphone or a hardware token.
- Inherence: Biometric factors such as fingerprints or facial recognition.
The goal is to ensure that even if one element is compromised, the others remain secure, thereby protecting the user’s data and transactions.
Dynamic Linking
An essential aspect of SCA is dynamic linking, which ensures that transaction details are bound to the authentication process. This means that any change in the transaction amount or recipient will invalidate the authentication, thereby mitigating fraud risks.
European Banking Authority (EBA) Opinions
The EBA has issued several opinions to address ambiguities and provide further guidance:
- EBA Opinion 2018: Clarified that SCA must involve two elements from different categories, effectively making it a true two-factor authentication (2FA).
- EBA Opinion 2019: Emphasized the requirement for distinct authentication factors and provided examples of compliant and non-compliant implementations. These opinions, while not legally binding, are highly authoritative and significantly influence how national regulators and financial institutions implement SCA.
Key Takeaways for Passkey Implementation
Passkeys offer a robust solution for meeting SCA requirements. By leveraging biometric authentication (inherence) and secure device-bound elements (possession), passkeys can provide a seamless yet secure user experience. They eliminate the need for traditional passwords, which are often a weak link in the authentication process.
For Developers:
Implementing passkeys can streamline the authentication process, enhance security, and improve user experience. Detailed guides and SDKs are available to help developers integrate passkeys into their applications swiftly.
For Product Managers:
Understanding the benefits of passkeys can aid in decision-making regarding user authentication strategies. Passkeys not only comply with SCA requirements but also reduce friction during user onboarding and transactions, potentially increasing user retention and satisfaction.
Conclusion
PSD2 and SCA represent significant strides towards securing electronic payments in the EU. By mandating multi-factor authentication and incorporating dynamic linking, these regulations aim to reduce fraud and protect consumers. Passkeys, with their robust security features, align well with these requirements, offering a future-proof solution for authentication. Find out more on Corbado’s Blog.
Top comments (0)