
October 22

PSD2: new European requirements for strong client authentication (SCA)

Strong Customer Authentication


As technology evolves, so do consumer behaviors.

Since September 14, 2019, new regulatory requirements have been in place in Europe to keep pace with technological change and to strengthen the security of electronic payments.

With the arrival of major players on the global electronic transaction scene, the PSD2 (Payment Services Directive 2) aims to harmonize the practices and payment standards of banking institutions, as well as those of the many external transactional systems.

There are different players affected by the PSD2:

Account Information Service Provider (AISP) - A third-party provider with permission to retrieve account data held by banks and financial institutions.

Account Servicing Payment Service Provider (ASPSP) - The customer's bank or financial institution, for example.

Payment Initiation Service Provider (PISP) - A third-party provider authorized to make payments into or out of a user's account.

Third-party service providers such as Didacte are able to initiate payments via PISPs (such as Stripe) directly from the customer's bank account.

The arrival of PSD2 will therefore make online payments more secure thanks to a new Strong Customer Authentication (SCA) process, which is mandatory for many online payments.

What is strong client authentication (SCA)?

Strong Client Authentication (SCA) is a new European regulatory requirement to reduce fraud and secure online payments.

To accept payments once the SCA standard has come into full effect, you will need to add an additional authentication step to your payment process.

The SCA standard requires authentication to use at least two of the following three elements:

  1. Information that the customer knows. (Ex: Password, PIN, etc.)
  2. An item that the customer owns. (Cellular, electronic token, etc.)
  3. A physical component of the customer. (fingerprint, facial recognition, etc.)

Any transaction request that cannot be supported by two proofs of authentication can now be refused by the banking institutions.

In what context is strong client authentication required?

Strong client authentication will be required for any customer-initiated transaction in Europe.

Recurring and subscription transactions are not included by default in this definition as they are deemed initiated by the merchant. With the exception of contactless cards, payment by credit cards in person is also not affected by this new measure.

For all online payments, strong client authentication will be required if the addresses associated with the merchant and the credit card owner are both located in European Union territory.
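To make the two rules above concrete, here is an added example (not Didacte's or Stripe's code) that applies the post's applicability conditions and the "two of three distinct categories" requirement to a transaction; the proof names and their category mapping are constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something the customer knows"   # password, PIN
    POSSESSION = "something the customer owns"   # phone, electronic token
    INHERENCE = "something the customer is"      # fingerprint, face


# Constructed mapping of concrete proofs to the three SCA categories.
FACTOR_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "sms_otp": Factor.POSSESSION,
    "hardware_token": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "face_id": Factor.INHERENCE,
}


@dataclass
class Transaction:
    customer_initiated: bool      # False for merchant-initiated recurring billing
    merchant_in_eu: bool
    cardholder_in_eu: bool
    in_person: bool = False
    contactless: bool = False
    proofs: list = field(default_factory=list)


def sca_required(tx: Transaction) -> bool:
    """Applicability rules exactly as the post states them."""
    if not tx.customer_initiated:
        return False  # recurring/subscription charges are merchant-initiated by default
    if tx.in_person and not tx.contactless:
        return False  # card-present payments are out of scope, except contactless
    return tx.merchant_in_eu and tx.cardholder_in_eu


def sca_satisfied(proofs: list) -> bool:
    """Two proofs count only if they come from two distinct categories.

    A password plus a PIN is still a single (knowledge) factor, and proofs
    the mapping does not recognise contribute nothing."""
    categories = {FACTOR_CATEGORY[p] for p in proofs if p in FACTOR_CATEGORY}
    return len(categories) >= 2


def evaluate(tx: Transaction) -> str:
    """Outcome the merchant should expect from the issuing bank."""
    if not sca_required(tx):
        return "no_sca_needed"
    return "accept" if sca_satisfied(tx.proofs) else "needs_additional_authentication"
```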

What do these changes mean to you?

More security.

Didacte complies with the requirements of strong client authentication and Stripe's high standards to provide the best and safest experience possible for its customers.

You can expect slight changes to your customers' purchase process with additional validation steps only when they are required.

Among other benefits, strong authentication should reduce the number of refund requests for purchases claimed to be "unauthorized".

As a platform administrator, no action is required from you.

Didacte and its payment provider, Stripe, ensure compliance with the new regulations.

Mathieu Dumont