Strong Customer Authentication: die neue Anforderung für Onlinetransaktionen. Wir klären: Was ist SCA? Was bedeutet es für den. Strong Customer Authentication (SCA). Am hat die BaFin (Bundesanstalt für Finanzdienstleistungsaufsicht) die Duldungsperiode für die. Eine starke Kundenauthentifizierung ist eine Anforderung der überarbeiteten EU-Richtlinie über Zahlungsdienste für Zahlungsdienstleister im Europäischen Wirtschaftsraum.
Strong Customer Authentication (SCA): EU-Standard für sicheren ZahlungsverkehrLaut Sicherheitsmaßnahmen der PSD2, der sogenannten Strong Customer Authentication (SCA), müssen Kunden ihre Online-Käufe mit der Eingabe eines. Strong Customer Authentication: die neue Anforderung für Onlinetransaktionen. Wir klären: Was ist SCA? Was bedeutet es für den. Die verbesserte Sicherheit bezieht sich speziell auf eine Reihe von Anforderungen, die als Strong Customer Authentication (SCA) bezeichnet werden.
Strong Customer Authentication How will SCA and PSD2 affect you? VideoCloudCard+™ - Strong Customer Authentication
The FCA statement clearly expects momentum to be maintained but recognises that additional time may be needed due to the impacts of Covid The focus of the rollout is a technology called 3DSecure which will help to facilitate the authentication of the majority of card-based transactions.
However, there are other SCA compliant solutions available in the market, such as those provided by Payment Initiation Services e.
The RTS also specifies that a user should be temporarily blocked after a number of consecutive failed authentication events.
This can be achieved either by secure hardware at the mobile device or by having a server-assisted verification. In the latter, the server will block the user.
Since mobile devices do not have secure hardware that can be blocked for app-specific knowledge elements, server-assisted verification will always be required.
Inherence elements on a mobile device: use the biometrics sensors provided by the mobile device. These biometrics sensors fingerprint or faceID are generally backed by secure hardware, which is capable of generating strong cryptographic signatures.
With custom implementations of face, voice or behavioural verification, one should always take into account privacy and accuracy aspects. Just as for knowledge elements, where one cannot rely on secure hardware on the mobile, these custom inherence elements must be verified with the server.
With regard to privacy, one should only collect the minimal amount of data necessary. Furthermore, these data must be adequately protected on the mobile device, in transit and on the server.
Want to know how we can help you meet PSD2? Please leave your information and our friendly staff will contact you soon! Please use your company email address.
Get in Touch. The SCA requirement came into force on 14 September Article 97 1 of the directive requires that payment service providers use strong customer authentication where a payer: .
Article 4 30 defines "strong customer authentication" itself as multi-factor authentication : . E-commerce merchants must update the payment flows in their websites and apps to support authentication.
To accept payments and meet SCA requirements, you need to build additional authentication into your checkout flow. SCA requires authentication to use at least two of the following three elements.
Although the regulation was introduced on 14 September , we expect these requirements to be enforced by regulators over the course of and As a result, most card payments and all bank transfers require SCA.
With the exception of contactless payments, in-person card payments are also not impacted by the new regulation. Currently, the most common way of authenticating an online card payment relies on 3D Secure—an authentication standard supported by the vast majority of European cards.
Against this backdrop, the EBA accepted that, on an exceptional basis and in order to avoid unintended negative consequences for some payment service users after 14 September , NCAs may decide to work with PSPs and relevant stakeholders, including consumers and merchants, to provide limited additional time.
The EBA issued the Opinion in accordance with Article 29 1 a of its Founding Regulation, which mandates the Authority to play an active role in building a common Union supervisory culture and consistent supervisory practices, as well as in ensuring uniform procedures and consistent approaches throughout the Union.
The Opinion is a response to continued queries from market actors as to which authentication approaches the EBA considers to be compliant with SCA.
The Opinion also addresses concerns about the preparedness and compliance of some actors in the payments chain with the SCA requirements that apply as of 14 September Today's Opinion provides a non-exhaustive list of the authentication approaches currently observed in the market and states whether or not they are considered to be SCA compliant.
The Opinion does so separately for each of the three SCA elements of knowledge, possession and inherence, and also provides clarifications regarding combinations of these elements.
The Opinion also responds to the concerns about market preparedness, by clarifying that the EBA is legally not able to postpone an application date that is set out in EU law.
The Opinion also explains that sufficient time has been available for the industry to prepare for the application date of SCA, given that the definition of SCA had been set out in PSD2 when it was published in , which gave clear indications that existing authentication approaches would need to be phased out, and because PSD2 already granted an additional month period for the industry to implement SCA.
However, the Opinion acknowledges the complexity of the payments markets across the EU and the challenges arising from the changes that are required, in particular by actors that are not payment service providers PSPs and, therefore, not directly subject to PSD2 and the EBA's technical standards, such as e-merchants, which may lead to some actors in the payments chain not being ready by 14 September The EBA, therefore, accepts that, on an exceptional basis and in order to avoid unintended negative consequences for some payment service users after 14 September , NCAs may decide to work with PSPs and relevant stakeholders, including consumers and merchants, to provide limited additional time.
This is to allow issuers to migrate to authentication approaches that are compliant with SCA, such as those described in this Opinion, and acquirers to migrate their merchants to solutions that support SCA.
This supervisory flexibility is available under the condition that PSPs have set up a migration plan, have agreed the plan with their NCA, and will execute the plan in an expedited manner.
In order to fulfil the objectives of PSD2 and the EBA of achieving consistency across the EU, the EBA will later this year communicate deadlines by which the aforementioned actors will have to have completed their migration plans.