PSD2 compliance: strong customer authentication (SCA) and a frictionless journey

PSD2 raises the level of security requirements governing the validation of financial transactions and regulates access to banking data, in particular by generalizing strong authentication for specific operations, including online payment. E-merchants, payment service providers, banks: don't be afraid of losing your customers by complying with PSD2.

What is the PSD2 regulation?

The goal of the 2nd European Payment Services Directive (PSD2) is to strengthen the security of payments. Adopted in November 2015 and enforced throughout the European Union in January 2018 (although some provisions remain to be implemented), it raises the level of security requirements governing the validation of financial transactions and regulates access to banking data.

In the area of security features, the most sensitive element of PSD2 is the widespread use of multi-factor authentication (MFA) for certain transactions, including online payments.

Payment security requires strong authentication

What is strong authentication, also known as MFA (Multifactor Authentication)?

Authentication is said to be strong when a user must, in order to log in or validate an operation, provide two elements from different categories among the three possible ones. The 3 categories of identification factors are:

  • something I know: the most common example is the password for applications or the PIN code for payment cards.
  • something I own: a phone, a computer, a flash drive, a connected device. There are many possibilities. The possession factor is usually referred to as a token.
  • something that I am: essentially biometrics, such as fingerprint, retinal, voice or facial recognition.

PSD2 compliance: operations requiring strong customer authentication (SCA)

The European directive imposes SCA on 3 types of operations:

  • access and management of the payment account, which may be either a deposit account opened at a banking institution or an account with one of the payment service providers.
  • online payment, made either by credit card or by transfer.
  • online transaction with a significant risk of fraud, such as the validation of a new transfer beneficiary.

PSD2 provides for some exceptions to these rules, listing transactions that are considered low risk. These exceptions include payments up to €50 in contactless mode or €30 online, or transfers to a beneficiary previously validated by strong authentication.

No, SMS validation is not strong authentication

The main consequence of PSD2 is that the usual process of the payment security system (3D Secure), which validates operations by sending a one-time password (OTP) via SMS to be re-entered by the user, no longer complies. It is indeed based on a single factor, the possession of a mobile phone, and can very easily be circumvented by a cyber attack like SMShing.

The directive thus changes the customer journey in e-commerce at its most crucial point: payment validation. Hence the fears of online merchants who are worried about an increase in shopping cart abandonment due to what they perceive as a more complex customer journey. This concern is easily understandable if we consider only the most widespread multi-factor authentication solutions. Generally not very secure, they are also complicated to use, often requiring the re-entry of a single-use password obtained by more or less practical means.

However, this is by no means inevitable, as illustrated by inWebo MFA, whose implementation not only enables compliance with PSD2 but also reduces friction in the payment process, including in comparison with the experience currently offered by 3D Secure.

PSD2 compliance: inWebo MFA, the multi-factor authentication solution that ticks all the boxes

Complying with the entire PSD2 regulation is a complex project, requiring many skills. The good news is that inWebo's MFA solution not only ticks all the boxes necessary to secure transactions but also offers exclusive advantages to facilitate the implementation and improve the user experience.

With inWebo MFA SaaS multi-factor authentication:

  • access to accounts is protected: inWebo can be easily deployed and integrated to protect external access to bank deposit accounts or accounts with payment providers.
  • sensitive operations and status changes are sealed by a dynamic link: this dynamic link, in accordance with PSD2, ensures the traceability and security of all transactions deemed to be at risk, such as the addition of a transfer beneficiary.
  • strong customer authentication (SCA) is ensured: SCA involves authentication with at least 2 factors, which excludes one-time password solutions via SMS. inWebo offers the most complete range of connection factors, with its mobile, desktop and browser (Deviceless and Smartphoneless) tokens.

As an essential condition for its banking customers to be PSD2 certified, inWebo is a certified Supplier of Externalized Essential Services, guaranteeing the resilience of the MFA service.

A frictionless customer journey

However, the main obstacle to PSD2 compliance today is not technical but, as we have seen, linked to fears about changes in the payment journey.

This is where one of the main differentiators of the inWebo solution comes in: strong authentication without a smartphone, via a simple browser. The Deviceless (or Smartphoneless) token allows the customer to authenticate in compliance with PSD2 without any trusted device other than the browser, via a simple reusable PIN code. This is achieved while ensuring the highest level of access security of any MFA solution through the use of proprietary dynamic random key technology. To learn more about this technological achievement, see our article Deviceless MFA.

Implementing the inWebo MFA solution does not degrade the connection experience; it even makes it simpler by removing the need to have a smartphone, to have a mobile network connection to receive the SMS, and to re-enter a one-time code, a major source of mistakes and payment abandonment.

The journey is therefore simplified. But it is also unified. With hundreds of available integrations, via connectors, its API mode or its SDK, the inWebo MFA solution can be deployed on all application accesses, not only on bank account accesses. Thus, a user who wants to connect to email, validate a transaction, or access the company VPN will benefit from a unified interface, a uniform login experience and even a single PIN code (or any other knowledge factor) without any security degradation.

Do not fear PSD2 compliance

Online retailers, payment service providers, banks: you need not be afraid of losing your customers by complying with PSD2. With inWebo, you can combine strong customer authentication with a frictionless customer journey. And as an added bonus, you'll get a full SaaS MFA solution that can be deployed in a few clicks to thousands of users, without any equipment constraints.
