Learn what strong customer authentication (Strong Customer Authentication, SCA) means under PSD2 and how you ... your business for it. ... of the current Payment Services Directive PSD2 mandate strong customer authentication (SCA, Strong Customer Authentication): For ... The improved security refers specifically to a set of requirements known as Strong Customer Authentication (SCA).
PSD2 reality check. According to the security measures of PSD2, the so-called Strong Customer Authentication (SCA), customers must confirm their online purchases by entering a ...
Rather, it means that NCAs will focus on monitoring migration plans instead of pursuing immediate enforcement actions against PSPs that are not compliant with the SCA requirements.
Furthermore, the EBA notes that consumers will be protected against fraud as required by the law and NCAs should, therefore, communicate to their PSPs that the liability regime under Article 74 of the PSD2 applies and that issuing and acquiring PSPs are still liable for unauthorised payment transactions.
At the time, the EBA acknowledged the complexity of the payments markets across the EU and the challenges that arise from the changes that are required, in particular for some actors in the payment chain that are not PSPs who may not be ready by 14 September. Against this backdrop, the EBA accepted that, on an exceptional basis and in order to avoid unintended negative consequences for some payment service users after 14 September , NCAs may decide to work with PSPs and relevant stakeholders, including consumers and merchants, to provide limited additional time.
The EBA issued the Opinion in accordance with Article 29(1)(a) of its Founding Regulation, which mandates the Authority to play an active role in building a common Union supervisory culture and consistent supervisory practices, as well as in ensuring uniform procedures and consistent approaches throughout the Union.
The Opinion is a response to continued queries from market actors as to which authentication approaches the EBA considers to be compliant with SCA.
The Opinion also addresses concerns about the preparedness and compliance of some actors in the payments chain with the SCA requirements that apply as of 14 September. Today's Opinion provides a non-exhaustive list of the authentication approaches currently observed in the market and states whether or not they are considered to be SCA compliant.
The Opinion does so separately for each of the three SCA elements of knowledge, possession and inherence, and also provides clarifications regarding combinations of these elements.
The Opinion also responds to the concerns about market preparedness, by clarifying that the EBA is legally not able to postpone an application date that is set out in EU law.
The Opinion also explains that sufficient time has been available for the industry to prepare for the application date of SCA, given that the definition of SCA had been set out in PSD2 when it was published in , which gave clear indications that existing authentication approaches would need to be phased out, and because PSD2 already granted an additional month period for the industry to implement SCA.
However, the Opinion acknowledges the complexity of the payments markets across the EU and the challenges arising from the changes that are required, in particular by actors that are not payment service providers (PSPs) and, therefore, not directly subject to PSD2 and the EBA's technical standards, such as e-merchants, which may lead to some actors in the payments chain not being ready by 14 September. The EBA, therefore, accepts that, on an exceptional basis and in order to avoid unintended negative consequences for some payment service users after 14 September , NCAs may decide to work with PSPs and relevant stakeholders, including consumers and merchants, to provide limited additional time.
To facilitate ongoing commitment to the managed rollout and for the best customer and industry outcomes, UK Finance set up a central Programme Management Office.
In the managed rollout, we propose a number of measures aimed at implementing SCA at pace, but also in a way that is structured to help coordinate as well as help answer the remaining tricky questions the industry still has.
Although the regulation was introduced on 14 September , we expect these requirements to be enforced by regulators over the course of and As a result, most card payments and all bank transfers require SCA.
With the exception of contactless payments, in-person card payments are also not impacted by the new regulation. Currently, the most common way of authenticating an online card payment relies on 3D Secure—an authentication standard supported by the vast majority of European cards.
Applying 3D Secure typically adds an extra step after the checkout where the cardholder is prompted by their bank to provide additional information to complete a payment e.
This new version introduces a better user experience that will help minimise some of the friction that authentication adds into the checkout flow.
Your mobile app will thus need to fulfil further requirements.
What makes possession elements interesting is that these do not require any effort from the user. One of the criteria in the RTS is that measures should be taken to avoid replication of possession elements.
As such, you cannot directly disclose the value of the element in order to prove possession. These profiles typically consist of a number of device identifiers such as the model, IMEI, SIM card identifiers, phone number… Even though such a profile is likely unique, it is definitely not secure against replication.
Any app on the mobile device might read these to create a remote, fake environment with identical identifiers.
Instead of sending over a profile, some value needs to be derived from a possession element that itself remains secret.
The most common example is a cryptographic key, where that key is used in an algorithm to prove possession of the key. There are many approaches for storing and using cryptographic keys on a phone.
These approaches range from simple file storage, using the keystore of the operating system, to using secure hardware.
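The difference between sending a device profile and proving possession of a key, as an added example that is not part of the original article: a server issues a fresh challenge and the device answers with a value derived from its key. The class names, the use of HMAC-SHA256 with a key shared at enrolment, and the sample identifiers are assumptions made for illustration; the article does not prescribe an algorithm.

```python
import hashlib
import hmac
import secrets

class Device:
    """Constructed stand-in for a phone: readable identifiers plus a secret key."""
    def __init__(self, profile, key):
        self.profile = profile  # model, IMEI, ...: any app can read and copy these
        self._key = key         # never sent; only values derived from it leave

    def prove(self, challenge):
        # Derive a response from the key instead of disclosing the key itself.
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class Server:
    def __init__(self, profile, key):
        self.profile, self._key = profile, key  # recorded at enrolment (assumed)
        self._pending = None                    # outstanding single-use challenge

    def profile_check(self, profile):
        return profile == self.profile  # weak: passes for any copy of the identifiers

    def new_challenge(self):
        self._pending = secrets.token_bytes(32)
        return self._pending

    def key_check(self, response):
        challenge, self._pending = self._pending, None  # consume the challenge
        if challenge is None:
            return False
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def run_demo():
    profile = {"model": "ExamplePhone 1", "imei": "000000000000000"}  # constructed
    key = secrets.token_bytes(32)
    phone, server = Device(profile, key), Server(profile, key)
    clone = Device(dict(profile), secrets.token_bytes(32))  # copied profile, no key
    genuine = phone.prove(server.new_challenge())
    genuine_ok = server.key_check(genuine)
    server.new_challenge()
    replay_ok = server.key_check(genuine)  # old response, fresh challenge
    clone_ok = server.key_check(clone.prove(server.new_challenge()))
    return {
        "clone_passes_profile_check": server.profile_check(clone.profile),
        "genuine_passes_key_check": genuine_ok,
        "replayed_response_passes": replay_ok,
        "clone_passes_key_check": clone_ok,
    }
```

How well the key itself resists copying still depends on where it is stored, which is the range from file storage to secure hardware described above.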