An Evaluation of Strong Customer Authentication (SCA) Methods for the Revised Payment Services Directive (PSD2)

This article introduces the series: An Evaluation of Strong Customer Authentication (SCA) Methods for the Revised Payment Services Directive (PSD2).

The European Union’s Revised Payment Services Directive (PSD2), which went into full effect in September of 2019, is a piece of legislation meant to regulate payment services in the European Union to better protect consumers. While the original Payment Services Directive has been increasing competition between payment services providers since 2007 by stipulating market and business conduct rules, the requirement for Strong Customer Authentication (SCA) only became officially mandated in December of 2020. 

Now that payment service providers in the Single Euro Payments Area (SEPA) region are required by law to meet SCA requirements, fintech companies are racing to become compliant to avoid penalties from the European Commission's Directorate-General for Financial Stability, Financial Services and Capital Markets Union (DG FISMA). 

The PSD2 SCA provision requires authentication using at least two of the following three factors:

• Knowledge: Something the cardholder knows, such as a password or PIN
• Possession: Something the cardholder has, such as a token or mobile phone
• Inherence: Something the cardholder is, such as a fingerprint or facial recognition

PSD2 SCA also now requires dynamic linking, or tying the authentication tokens to the specific payment amount and payee. This provision requires that the relying party: : 

• Verify the transmission of data with strong authentication
• Guarantee the confidentiality and integrity of the transmission (together these two bullet points satisfy the pillars of Confidentiality, Integrity, and Authentication, or CIA)
• Enable the cardholder to see the data and its authorization, sometimes called What You See Is What You Sign (WYSIWYS)

Complying with PSD2 SCA necessarily requires verifying at least two methods of authentication. There are several methods of multi-factor authentication (MFA), and they are not created equally. While some MFA methods don’t comply with SCA requirements, others do but will still leave your systems—and customers—vulnerable to malicious cyber attacks. 

To help you achieve PSD2 SCA compliance and protect against common cyber attacks , we’ve assembled this guide that explains the pros and cons of each of the six forms of MFA accepted under the PSD2 SCA requirement.

The following MFA methods will be evaluated:

• Short Message Service (SMS) One-time Password (OTP)
• Hardware-based OTP
• Europay, MasterCard, and Visa (EMV) Readers
• Smart Phone Using Biometrics
• Fast Identity Online v2 (FIDO2)

In the final installment, we will explain why we favor the FIDO authentication scheme above all others.

The following criteria are used for comparison:

• Equipment and infrastructure: Costs and benefits
• Ease of deployment: Portability, proprietary limitations, and distribution considerations 
• Ease of loss replacement: Steps needed for a user to begin anew
• Vulnerabilities: Process, hardware, or software weaknesses
• Convenience/speed: The time it takes and ease of the user experience; reports range from as low as 7s to 15s of a user’s experience to determine whether or not they remain in the purchase, so every second counts

Continue to SMS OTP for PSD2 SCA.

StrongKey FIDO Server (SKFS) is the world’s only open source FIDO® Certified FIDO2 Server. StrongKey never charges per-license or per-user fees, allowing you to keep your costs low even as your business grows. We offer CryptoCloud hosting, PKI solutions including conversion from existing PKI to a FIDO ecosystem via PKI2FIDO, and enterprise-wide FIDO2 strong authentication for businesses on six continents.