Are You Ready for Strong Customer Authentication?
Payment service providers have until September to comply with new Strong Customer Authentication (SCA) regulations
For consumers today, instant access to their money is seen as the norm: whether through a bank’s website or mobile application, they can check their balance, pay a bill and transfer funds 24/7.
The convenience this offers has caused NetBanking to boom. Since 2008 we’ve seen the percentage of people in the UK using online banking nearly double – from 35% in 2008 to 69% in 2018.
But the rapid adoption has outgrown policy, leaving NetBanking without standard cybersecurity regulations, which gives fraudsters an opportunity.
According to UK Finance, 76% of fraud losses in 2018 arose from remote purchase payments made by telephone, mail order or the internet. On top of that, over the last 10 years there has been a worrying trend of criminals turning to cyber methods to hack banking organisations. So it’s critical that the growing issue of cybercrime in NetBanking is addressed – something the European Union Payment Services Directive (PSD2) partly aims to do.
What is PSD2?
PSD2 came into effect in January 2018 and is a set of regulations for payment services and providers in the European Union (EU) and European Economic Area.
PSD2 is a revision of the regulations set out in the original PSD, which established a single market for payments with a view to creating a more efficient and secure service.
One of the major revisions in PSD2 is the introduction of Strong Customer Authentication (SCA).
What is SCA?
Strong Customer Authentication aims to reduce fraud and enhance the security of online payments. It’s a set of technical standards, outlined by the European Banking Authority, which define the security measures payment services must comply with.
The standards come into force this September, so the race is on for banks and payment service providers to put the necessary security procedures and tools in place.
In this article, we’ll look at some of the key areas for compliance set out in the Regulatory Technical Standards (RTS) and explain how you can implement them in your organisation.
Regulatory Technical Standards
Electronic payments should be secure and payment service providers should employ technology to guarantee the authentication of the user and minimise the risk of fraud.
This includes adopting technology to prevent mobile application cloning and to detect malware, amongst other security threats.
But to comply with SCA, there are three key technical adoptions payment service providers need to make.
- Authentication: One-time codes
The first aspect of the technical regulations for SCA is to implement strong authentication, by utilising authentication one-time codes (OTCs).
Each time a user actions a payment or other activity such as setting up a direct debit through a remote channel, like their mobile phone, the payment service provider must supply them with a one-time code. The user then inputs the code to confirm their identity, and the payment or action is validated.
To ensure the authentication is secure, the code must be based on two or more of the following elements, giving two-factor authentication (2FA) or multi-factor authentication (MFA):
- Knowledge – something which only the user knows, like a PIN. The user might then extract a one-time code, using their PIN as a positional indicator
- Possession – something the user owns, such as a mobile phone application or a hardware token
- Inherence – something which is associated with the user, such as a biometric including their fingerprint
Additionally, payment service providers need to take steps to ensure that none of the elements above can be deciphered if the code is revealed. Therefore, the one-time code shouldn’t follow a sequence or be derived from information the user has supplied; this prevents fraudsters from learning personal information about users or guessing a future one-time code (OTC).
- Dynamic Linking
Secondly, payment service providers need to adopt measures to link the payer, transaction amount, and payee for each transaction in a standard known as dynamic linking.
The payer can see the transaction amount and payee at all stages of authentication, and the authentication one-time code will be unique to that transaction.
Should any element change, for example the transaction amount, the authentication code will be invalidated. Unless the user receives the OTC through a separate factor used to authenticate (such as a mobile app), the transaction remains open to attacks such as a man-in-the-middle attack.
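The following is an added example, not code from the article or from any payment provider, showing how a one-time code can be bound to the payer, payee and amount as dynamic linking requires. The key held by the user’s registered device stands in for the possession factor, and a random server-issued challenge ensures codes never follow a sequence; the account identifiers, secret and challenge below are constructed sample values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class PendingTransaction:
    """The details the payer must see on screen while authenticating."""
    payer: str          # payer account identifier (constructed sample)
    payee: str          # payee account identifier (constructed sample)
    amount_cents: int   # amount in minor units, e.g. 12500 == 125.00 EUR
    currency: str
    challenge: bytes    # random per-transaction value issued by the server


def new_challenge() -> bytes:
    # 16 random bytes: a code cannot be predicted from earlier codes
    return secrets.token_bytes(16)


def _canonical(tx: PendingTransaction) -> bytes:
    # Fixed field order and separator; any change to payee or amount
    # changes the MAC input and therefore the code
    fields = (tx.payer, tx.payee, str(tx.amount_cents), tx.currency, tx.challenge.hex())
    return "|".join(fields).encode("utf-8")


def generate_auth_code(device_secret: bytes, tx: PendingTransaction, digits: int = 8) -> str:
    """Derive a numeric one-time code linked to this exact transaction.

    device_secret is a key known only to the user's registered device
    (the possession factor); the challenge comes from the server.
    """
    mac = hmac.new(device_secret, _canonical(tx), hashlib.sha256).digest()
    # Truncate the MAC to a short numeric code the user can type in
    value = int.from_bytes(mac[:8], "big") % (10 ** digits)
    return f"{value:0{digits}d}"


def verify_auth_code(device_secret: bytes, tx: PendingTransaction, code: str) -> bool:
    """Server-side check: recompute the code from the transaction the
    server is actually about to execute, and compare in constant time."""
    expected = generate_auth_code(device_secret, tx, len(code))
    return hmac.compare_digest(expected, code)


if __name__ == "__main__":
    # Constructed demonstration values
    device_secret = b"constructed-device-secret"
    tx = PendingTransaction("DE00PAYER", "GB00PAYEE", 12500, "EUR", new_challenge())
    code = generate_auth_code(device_secret, tx)
    print("code shown to user:", code)
    print("original verifies:", verify_auth_code(device_secret, tx, code))
    # A man-in-the-middle altering the amount invalidates the code
    tampered = replace(tx, amount_cents=99900)
    print("tampered verifies:", verify_auth_code(device_secret, tampered, code))
```

Because the server recomputes the code from the payee and amount it will execute, a code approved for one payment cannot be replayed against a modified one; the transaction shown to the user and the one the server verifies are the same bytes.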
- Transaction Risk Analysis
Finally, payment service providers need to implement risk-based analysis in real time. Every remote payment needs to be monitored and adequate authentication should be applied depending on the circumstances.
Most banks have implemented some sort of risk algorithm and process already, but the RTS sets out specific criteria for remote payments, using risk-based analysis to provide a combined score based on particular parameters, including:
- The locations of the payer and payee
If the payer is in an abnormal location or the payee is in a high-risk location, this should be considered in the risk analysis.
- Any abnormal spending or behaviour from the payer
Payment service providers need measures in place to identify any abnormal activity and take this into consideration when making their transaction risk analysis.
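As an added illustration that is not part of the article, the following scores a remote payment on the parameters listed above (payer location, payee location and abnormal spending or behaviour) and decides whether strong authentication must be applied. The weights, thresholds and the high-risk country list are assumptions chosen for the example; only the 30 euro low-value figure comes from the article.

```python
from dataclasses import dataclass, field

# Assumed weights and thresholds for illustration, not values from the RTS
LOW_VALUE_EXEMPTION_CENTS = 3000          # the article's "under 30 euros" exemption
HIGH_RISK_PAYEE_COUNTRIES = {"XX", "YY"}  # constructed placeholder country codes
STEP_UP_THRESHOLD = 50                    # score at or above which SCA is enforced
LOW_RISK_THRESHOLD = 20                   # score below which a payment may be exempt


@dataclass
class PayerProfile:
    """Baseline behaviour learned from the payer's recent history."""
    usual_countries: set
    avg_amount_cents: int      # typical payment amount
    avg_daily_payments: float  # typical number of payments per day


@dataclass
class RemotePayment:
    amount_cents: int
    payer_country: str
    payee_country: str
    payments_today: int        # payments already made today, including this one


@dataclass
class RiskDecision:
    score: int
    action: str                # "sca_required", "exempt_low_value" or "exempt_low_risk"
    reasons: list = field(default_factory=list)


def score_payment(payment: RemotePayment, profile: PayerProfile) -> RiskDecision:
    """Combine the RTS parameters into one score and pick an authentication level."""
    score, reasons = 0, []
    if payment.payer_country not in profile.usual_countries:
        score += 40
        reasons.append("payer in abnormal location")
    if payment.payee_country in HIGH_RISK_PAYEE_COUNTRIES:
        score += 30
        reasons.append("payee in high-risk location")
    if payment.amount_cents > 3 * profile.avg_amount_cents:
        score += 30
        reasons.append("amount far above payer's typical spend")
    if payment.payments_today > 2 * profile.avg_daily_payments:
        score += 20
        reasons.append("abnormal payment frequency")

    # Elevated risk overrides every exemption; otherwise a low-value or
    # low-risk payment may skip strong authentication
    if score >= STEP_UP_THRESHOLD:
        action = "sca_required"
    elif payment.amount_cents < LOW_VALUE_EXEMPTION_CENTS:
        action = "exempt_low_value"
    elif score < LOW_RISK_THRESHOLD:
        action = "exempt_low_risk"
    else:
        action = "sca_required"
    return RiskDecision(score, action, reasons)


if __name__ == "__main__":
    # Constructed profile and payments
    profile = PayerProfile({"DE"}, avg_amount_cents=4000, avg_daily_payments=1.5)
    for p in (RemotePayment(1500, "DE", "DE", 1),
              RemotePayment(250000, "BR", "DE", 1),
              RemotePayment(5000, "DE", "XX", 1)):
        d = score_payment(p, profile)
        print(p.amount_cents, d.action, d.score, d.reasons)
```

The score is evaluated before the low-value exemption is considered, so a small payment from an unusual location still triggers strong authentication; the decision and its reasons are returned together so they can be logged for later review of the risk model.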
What does SCA mean for you?
In addition to the technical changes required to comply with SCA, the regulations may pose some initial obstacles for the banking industry and users.
- User experience
There’s some concern that the extra steps users go through for strong authentication will have a negative effect on their experience of NetBanking, whose rapid increase in popularity is due in part to its convenience and efficiency.
To counter this, there are some exemptions to SCA. As mentioned above, transaction risk analysis will determine the level of authentication required, and some transactions will be exempt – such as low value payments under 30 euros.
Despite this, Barclaycard’s Director of International Payments, Paul Adams, suggests one in ten transactions will need to go through two-factor authentication.
So, it’s essential to implement user-friendly two-factor authentication methods which cause minimal friction while still securing users’ funds.
With an easy-to-use process banks could see increased trust in NetBanking, as well as a reduced risk of cyber fraud.
Another concern for payment service providers is finding a way to implement SCA at a low cost.
Ecommerce sites especially will be keen to find a low-cost solution without negatively affecting users’ checkout experience.
It’s important for payment service providers to work with any third parties to find a solution that balances those concerns, because cutting costs in the implementation stage could be crippling later down the line. Some predictions estimate that SCA will cause €57 billion in abandoned carts if the process isn’t easy enough.
- NetBanking architecture
Another concern in the industry is how to implement secure authentication across the carefully balanced banking architecture.
Bank networks experience surges of traffic in busy periods, for example at the end of each month as users receive their salary, and this can cause pressure on the service.
One way to mitigate this is by having a layered network which is load balanced for resilience. With this set-up, the NetBanking Publication Cluster could sit behind one firewall meaning the user only communicates directly with the edge of the NetBanking architecture, while something which requires more security, such as the User Directory, could sit behind several layered hardware and software firewalls.
Banks should consider implementing two-factor authentication so that each of these layers requires separate authentication. This would help keep the layers separate to enhance security, and also ensure the network architecture can support the authentication capability while withstanding load on the system.
The Deadline Approaches
With just months until the SCA deadline, the banking industry will be looking to implement technology to comply. But it’s crucial that any technology can be flexible and secure for each unique network.
This will not only help overcome some of the concerns the banking industry has about SCA but will also encourage users’ trust in NetBanking and create a more security-aware consumer base.
While SCA is a good step forward for cybersecurity in the banking industry, the criteria for certain features may not be secure enough to deter the cybercriminals who are constantly finding new ways to infiltrate the NetBanking architecture.