Strong Customer Authentication (SCA)
On 17 October 2019, the German Federal Financial Supervisory Authority (BaFin) set 31 December 2020 as the end of the grace period for the non-use of strong customer authentication for card payments carried out online. BaFin also announced that it will incorporate into its supervisory practices the milestones and data to be reported as determined by the European Banking Authority (EBA) for the purpose of supervising and monitoring progress.
Concardis intends to make use of the relief within the framework of the BaFin provisions. As a merchant, you will be informed separately, in line with the Concardis migration schedule, about any upcoming migration information and tasks.
Strong customer authentication
The European Union is making online retail even more secure!
The objective is to create a trustworthy environment for both the merchant and the customer. It will also reduce the risk of abuse, which in turn means cost savings for the merchant.
Previously optional guidelines became obligatory as of 14 September 2019. However, following the BaFin decision, this obligation must be implemented by 31 December 2020 at the latest. The European Banking Authority (EBA) requires clear authentication of the payer using at least two of the following elements.
KNOWLEDGE
PIN, password and other security questions whose answers are only known to the customer.
POSSESSION
Smartphone, token and other objects which are only in the customer’s possession.
INHERENCE
Fingerprints as well as all aspects and biometric characteristics which identify the individual customer.
What dates are important?
The grace period ends on 31 December 2020. Payengine will make the corresponding required protocol versions available in due time.
The cruxes of PSD2
| | Two-factor authentication for online payments | Open banking account interfaces | Surcharge ban |
|---|---|---|---|
| Details | Confirmation with two factors from three different areas: knowledge, possession, inherence | Open interfaces for third-party providers | No extra fees, e.g. for credit card payments |
| Aim | Greater payment security | Greater competition | Greater protection for consumers |
What happens in the worst-case scenario?
In the worst-case scenario, Concardis will refuse authorisations ...
If a transaction is sent as an exemption that has not been coordinated with Concardis.
If transactions subject to SCA are submitted without a corresponding SCA identification.
If the flagging of the transaction does not correspond to the rules.
In the event of erroneous MIT identification.
And if the internal fraud prevention system is triggered, of course.
Concardis will process all transactions that fall within the regulations (SCA or exemptions). However, rejection by the card issuer cannot be excluded.