/*close accordion*/ /*Equal heights blog*/ /*GOOGLE ANALYTICS*/

Strong Customer Authentication (SCA) is now live!


July 24, 2021

sca strong customer Authentication

Strong Customer Authentication is now live across the EU. All transactions within the EU of value exceeding € 30 need to be authorized via SCA as of 14th September 2019, unless an allowed exemption applies.

PSP have more time to implement SCA

However, on 21st June 2019 the EBA issued an opinion that allowed National Competent Authorities (NCA) of each Member State to provide a transition period in the application of SCA to PSPs that requested an extension to get ready. PSPs need to agree with the relevant NCA a roadmap to expedite implementation of SCA.

Who is liable for any fraud during the transition period?

That is a benefit to PSPs to be able to get ready in a more comprehensive structured manner without incurring a penalty from a NCA, but it should be clearly understood and the liability rules stated in art. 74(2) of the PSD2 fully apply during the transition period, so the relevant PSPs bear the same liability as if the transition period were not provided.

What elements are SCA compliant?

Another important note is related with the elements of SCA that the EBA value as compliant. In particular in the 21st June opinion the EBA indicates that card details printed on a payment card are not a compliant possession element/factor as they are easily used by anyone in the event the card is lost/stolen. We share this opinion; however, this make a burden on issuers as they would need to rely on a different possession element and in a number of instances create a new one, and educate their customers as a consequence.

In our opinion, another reason for doing so is to stimulate non-card payment methods as most payment cards run on non-European schemes and the EU would be happy to stimulate EU-based payments methods, such as instant payments.

SMS OTP not secure

A second comment is the use of OTP sent via sms, which the EBA values as a compliant SCA possession element. We are surprised with this decision as sms have been violated several times in Europe (see attachment) so sms are a weak element to protect from fraud. We recommend in-app authentication in lieu of sms as the enhanced security promised by SCA may be at risk.

If you want to learn more about Strong Customer Authentication (SCA), contact us or book a call.

The CleverAdvice Team


Check Out These Related Posts

Investing in Transition 4.0 is an investment into the future

Investing in Transition 4.0 is an investment into the future

The Economic Context The president of Confindustria Carlo Bonomi - interviewed by Il Sole24Ore on 19 January - expressed his opinion in relation to the GDP growth, stating that the first half of 2023 will be difficult while growth in the second half should be robust....

Servitization data sharing in industry field

Servitization data sharing in industry field

Servitization data sharing: benefits of a service model with industrial machinery data sharing A manufacturing company typically buys a machine to produce goods. This involves an initial outlay of cash, either its own money or from a credit line. The manufacturing...