Strong Customer Authentication (SCA) in online payments

Strong authentication

On September 11th, we learned of Banco de España's decision to extend the period ending on the 14th for complying with the obligations of Delegated Regulation 2018/389. Banco de España (BdE) is thus making use of the extraordinary power that the European Banking Authority (EBA) granted to national authorities, allowing them to grant limited additional time and to work with Payment Service Providers (PSPs) on the application of Strong Customer Authentication (SCA) to electronic payments. BdE has set neither an end date nor a duration for the additional time and will focus on reviewing the plans submitted by PSPs.

The Payment Services Directive 2015/2366 for the internal market, more commonly known as PSD2, aims to foster competition and innovation, protect consumers and strengthen the security requirements for online payments. The Directive is complemented by the Delegated Regulation on regulatory technical standards for strong customer authentication (SCA) and common and secure open standards of communication (CSC).

SCA is a two-factor authentication protocol that the EBA established as part of the Regulatory Technical Standards (RTS) developed under PSD2 (which gave rise to the Delegated Regulation). This protocol has become the main stumbling block for the implementation of PSD2. SCA is considered a fundamental element in the development of what is known as Open Banking.

PSD2 updates the rules established by PSD1 and brings under regulation payment services that were already being offered in the market but fell outside the scope of PSD1, such as the payment initiation service (PIS) and the account information service (AIS), provided by so-called Third Party Providers (TPPs). Until the entry into force of PSD2 and the Delegated Regulation, providing these services meant using, through the technique known as "screen scraping", the very same credentials with which the payment account holder accesses his own account, which entails a high security risk.

In line with the PSD2 mandate, the EBA began work, in cooperation with the ECB, on defining the Regulatory Technical Standards (RTS) applicable to PIS and AIS providers. Defining these standards has been complex and has focused on the definition of SCA and the CSC. The final result is the Delegated Regulation. PSD2 and strong customer authentication therefore bring new rules that change the way payment service providers identify their customers.

Strong customer authentication processes serve to establish that a customer is who they claim to be. SCA will require payment service providers to verify that identity using at least two mutually independent elements, known as authentication factors. These factors are classified into three groups:

Knowledge: something only the customer knows.

Possession: something only the customer has.

Inherence: something the customer is.
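The practical consequence of the three groups is that SCA counts categories, not factors. The following added illustration (not code from the post, Banco de España or the EBA; factor names are hypothetical) checks a set of verified factors against that rule and shows why a password plus a PIN, or a single fingerprint, does not qualify:

```python
"""Two-category check for PSD2 Strong Customer Authentication (SCA).
Added illustration (not code from the post, Banco de España or the EBA):
SCA is met only when verified factors cover at least two DIFFERENT
categories, so a password plus a PIN (two knowledge factors) does not count.
"""
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "knowledge"    # something only the customer knows
    POSSESSION = "possession"  # something only the customer has
    INHERENCE = "inherence"    # something the customer is


@dataclass(frozen=True)
class Factor:
    name: str
    category: Category
    verified: bool  # outcome of the PSP's own verification of this factor


def sca_satisfied(factors):
    """True when the verified factors span at least two distinct categories."""
    covered = {f.category for f in factors if f.verified}
    return len(covered) >= 2


def sca_report(factors):
    """Decision plus the evidence an auditor would want logged with it."""
    covered = sorted(c.value for c in {f.category for f in factors if f.verified})
    return {"sca": sca_satisfied(factors), "categories_covered": covered,
            "unverified": [f.name for f in factors if not f.verified]}


# Constructed scenarios with hypothetical factor names, covering the edge cases.
SCENARIOS = {
    "password+pin": [Factor("password", Category.KNOWLEDGE, True),
                     Factor("pin", Category.KNOWLEDGE, True)],
    "password+app_otp": [Factor("password", Category.KNOWLEDGE, True),
                         Factor("registered_phone_otp", Category.POSSESSION, True)],
    "fingerprint_only": [Factor("fingerprint", Category.INHERENCE, True)],
    "password+bad_otp": [Factor("password", Category.KNOWLEDGE, True),
                         Factor("registered_phone_otp", Category.POSSESSION, False)],
}


def evaluate_scenarios():
    """Map each scenario name to its SCA decision."""
    return {name: sca_satisfied(f) for name, f in SCENARIOS.items()}
```

Only the second scenario passes: a factor that fails verification drops its category from the count, which is why a wrong one-time code leaves only the knowledge category covered.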

Figure: strong customer authentication under PSD2 for online payments. Source: Banco de España.

Another aspect of the regulation to consider is the obligation for payment service providers to develop open application programming interfaces (APIs) so that TPPs providing either type of service, PIS or AIS, can communicate with them.

All these matters are regulated in Royal Decree-Law 19/2018, which partially transposes PSD2 into Spanish law.

Finally, we must not forget other regulations to take into account, such as Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC, since personal data is involved and agreements with payment service users may therefore be necessary.

We must pay attention to the specific deadline that the BdE grants, but in any case we must work to meet the requirements as soon as possible.


Author: Sergio Muñoz