SCA (Strong Customer Authentication) standard is being implemented in businesses in all sectors to boost the customer journey of leading companies. Although, as we will see in depth later, we tend to link this term only to payments, Strong Customer Authentication (SCA) is being applied and has a full impact on all types of operations.
SCA has become an authentication procedure that provides security and trust in the relationship between customers, companies and intermediaries, if any. In certain use cases, implementing SCA standards is not only beneficial, but mandatory, as there are a multitude of standards in practically all markets that regulate certain operations and that use Strong Customer Authentication procedures to make them possible.
While most experts are able to distinguish between what we know as registration or identity verification and authentication or, also, authentication, it is normal for many to wonder what the difference between these two terms really is.
Authentication is generally referred to a process that is performed after a customer is added. That is, when a customer is already registered in the company's database as already, he must authenticate to access his account and his data is displayed.
Whereas in identity verification or digital customer onboarding, a first step is taken in the relationship between the organization and the not-yet-customer to perform a series of checks to verify and confirm their identity in order to create a profile for the first time.
Once the client has been associated to a profile with a confirmed digital identity, he/she can access to rectify, modify, extend or cancel his/her contracted products and services. They can also perform various operations using their products and services, and contract or acquire new ones.
The term SCA, Strong Customer Authentication, is used to refer to the secure authentication controls and protocols used by companies to verify the identity of their customers, especially in online and remote environments.
While strong customer authentication is used in physical locations such as commercial offices or stores, its meaning and birth is preceded by the increase in online transactions. It is here, in these types of channels, where it is more complex, both technically and legally, to certify that a person is who they say they are.
As we have already mentioned, authentication is based on prior registration of the customer. In the first registration, known as the Know Your Customer (KYC) process, the controls are very exhaustive and require a series of specific steps. Once this is done, having registered the customer, the customer's access to the contracted product is more agile than the initial registration.
In future interactions between the company and the customer, the customer already has a set of credentials to access his management area, or, for example, to be legitimately identified through a telephone support call. Although these should be known only to the customer in question, it is now believed that they can be stolen or falsified.
There are authentication methods, such as face recognition, that are impassable. However, most companies currently use as user the person's ID number or e-mail address and a numeric or alphanumeric password with symbols that can sometimes be used for illicit purposes.
The SCA comes to solve this problem with strong authentication procedures that use more identification factors beyond the username and password.
PSD2, or DSP2, is the Second Payment Services Directive. Its predecessor, approved in 2007, already introduced a series of rules to establish the dynamics of online transactions. Now, the new standard advances in the scope of use cases and regulatory loopholes to finally become mandatory.
PSD2 not only advances in its toughness and enforceability, but also modifies the criteria and requirements for online transactions, modernizing its proposal so as to dispense with intermediaries.
The new payment services directive includes for the first time the SCA criteria, previously only applied by those leading companies that wanted to offer their users the best experience without sacrificing security.
These models, which were already being applied, now become mandatory for all those companies that wish to allow their users to perform sensitive processes remotely, such as the contracting of new services or transactions for large amounts.
The PSD2 SCA rules directly affect all financial institutions and related companies (FinTechs, trading, insurance companies...). In addition, companies in other sectors where customers perform similar transactions through their online management portals are also obliged to comply with the regulations.
In other words, any company that performs electronic payments, remote activities that may entail fraud risks and those that offer digital payment account services (payment fund portfolios) are required to establish SCA processes.
An authentication factor is an element in different formats that can only be used, known or possessed by a specific person, and is associated with his or her legal identity.
Among the different types of authentication factors, facial biometrics is one of the most outstanding for its uniqueness and absolute originality. Each person has a different face, with a particular facial biometric pattern with unique mathematical measurements found only in one subject. Even in twins, there are major differences, though perhaps sometimes imperceptible to human eyes, that facial recognition software is able to report.
This method of identification has played a fundamental role in recent years, being not only a way to unlock cell phones, but also part of the well-known KYC processes and supported by the most demanding regulations in all markets. The cross-referencing between a person's face and the image on ID documents is the best guarantee in any customer onboarding and authentication process.
As we have been advancing, access to a system in which products and services are used or in which particularly sensitive information is contained must now, by legal imperative, take place under SCA standards.
They consider a single user credential and password to be frank and forgeable, so they propose the combination of several types of authentication factors. These can be of:
Although we could consider coordinate cards as a factor of reinforced authentication of possession, it can be lost, misplaced or stolen. Thanks to the implementation of factors such as biometrics or the implementation of security processes to prevent SIM Swapping, coordinate cards are a thing of the past.