Strong Authentication for e-Commerce and PSD2 directive

What you need to know and what effects it will have on e-commerce

What is Strong Authentication

Strong Authentication, or Two-Factor Authentication (2FA), is an authentication process based on at least two factors of different kinds, used to verify the identity of a user accessing a system (e.g., a computer or an ATM).

Strong authentication is common in a variety of contexts, from home banking to e-mail services. It provides a higher level of security than the traditional combination of username and password: a password, even if strong and unique, can be easily stolen and compromised.

Strong Authentication is therefore effective against identity theft and allows you to protect access to your digital life without being forced to remember too many codes or passwords.

How does two-factor or multi-factor authentication work? A user who wants to access a system or make an online payment must use two or more factors to authenticate. These factors must be mutually independent, so that the compromise of one does not compromise the trustworthiness of the other. Moreover, they must belong to different categories.

The three categories are:

  • Knowledge: a thing that the user knows (a password or PIN);
  • Possession: a thing the user has (a smartphone or a home banking security token);
  • Inherence: a thing the user “is” (a fingerprint, voiceprint, retina or iris, or other biometric data).

Strong Authentication is very simple to use. After entering the password (first factor), the system asks the user for an additional factor. Typically, the second factor belongs to the possession category and corresponds to a numeric code that the user receives via a text message or a security token.

Usually, the second factor is a one-time password (OTP), i.e., a disposable password that is valid for a single login session or transaction.

The European PSD2 directive: what's new for e-Commerce?

As of January 1, 2021, the European Payment Service Directive (PSD2) came into effect. It requires all European e-Commerce shops to comply with the new payment security requirement, Strong Customer Authentication (SCA).

The Strong Authentication system is designed to make the shopping experience more secure, combat fraud, increase cardholders’ confidence in using online services, and protect buyers and merchants during online transactions.

Strong Customer Authentication applies to Cardholder Initiated Transactions (CIT), that is, online payments initiated by the customer (for example, purchases on an e-Commerce site). It does not apply to the following transactions:

  • Merchant Initiated Transactions (MIT): transactions processed by the merchant without the active participation of the cardholder, by virtue of an agreement/contract between the parties that defines the charging terms (for example, subscription services after an initial approval by the customer);
  • MO.TO.: transactions carried out remotely by the merchant (or by automated systems) by entering the card data on a virtual terminal;
  • Transactions of less than €30, up to a cumulative amount of €100 or up to 5 cumulative transactions in 24 hours with the same credit card;
  • Low-risk transactions: the payment service provider can perform a real-time risk analysis to decide whether to apply SCA to a transaction. Transactions covered by this exemption are subject to an amount limit that varies with the fraud risk associated with the Acquirer, up to a maximum of €500;
  • Transactions to trusted beneficiaries: the cardholder can ask their bank to place a specific merchant on the list of trusted beneficiaries. In this case SCA is required only for the first transaction.
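As an added example (not part of the original article), the scope and exemption rules listed above expressed as a single decision function in Python. The euro thresholds are the ones quoted in the list; the data model, the function names and the way the issuer's per-card counters are kept and reset are assumptions of this example, not a description of any real issuer's system.

```python
from dataclasses import dataclass, field

LOW_VALUE_LIMIT = 30.0         # single transaction must be below this amount (EUR)
LOW_VALUE_CUMULATIVE = 100.0   # cumulative spend since the last SCA (EUR)
LOW_VALUE_COUNT = 5            # or number of exempted transactions since the last SCA
TRA_MAX_THRESHOLD = 500.0      # hard ceiling for the risk-analysis exemption (EUR)

@dataclass
class CardState:
    """Issuer-side counters for one card, reset each time SCA is completed (constructed model).
    trusted_merchants: merchants whitelisted by the cardholder whose first, SCA-authenticated
    transaction has already taken place."""
    spent_since_sca: float = 0.0
    count_since_sca: int = 0
    trusted_merchants: set[str] = field(default_factory=set)

@dataclass
class Transaction:
    amount_eur: float
    kind: str                       # "CIT", "MIT" or "MOTO"
    merchant_id: str
    low_risk: bool = False          # outcome of the PSP's real-time risk analysis
    tra_threshold_eur: float = 0.0  # acquirer's TRA limit, set by its fraud rate

def sca_decision(tx: Transaction, card: CardState) -> tuple[bool, str]:
    """Return (sca_required, reason) by walking the exemptions in order."""
    if tx.kind in ("MIT", "MOTO"):
        return False, f"{tx.kind}: out of scope, no cardholder interaction"
    if tx.kind != "CIT":
        raise ValueError(f"unknown transaction kind {tx.kind!r}")
    if tx.merchant_id in card.trusted_merchants:
        return False, "trusted beneficiary"
    # Low value: under EUR 30 and still within the cumulative amount OR count cap.
    within_caps = (card.spent_since_sca + tx.amount_eur <= LOW_VALUE_CUMULATIVE
                   or card.count_since_sca + 1 <= LOW_VALUE_COUNT)
    if tx.amount_eur < LOW_VALUE_LIMIT and within_caps:
        return False, "low value"
    # TRA: the acquirer's own threshold never exceeds the EUR 500 ceiling.
    if tx.low_risk and tx.amount_eur <= min(tx.tra_threshold_eur, TRA_MAX_THRESHOLD):
        return False, "low risk (TRA)"
    return True, "SCA required"

def apply(tx: Transaction, card: CardState) -> tuple[bool, str]:
    """Decide, then update the counters: an SCA resets them, an exempted CIT adds to them."""
    required, reason = sca_decision(tx, card)
    if tx.kind == "CIT" and required:
        card.spent_since_sca, card.count_since_sca = 0.0, 0
    elif tx.kind == "CIT":
        card.spent_since_sca += tx.amount_eur
        card.count_since_sca += 1
    return required, reason
```

Running five €20 purchases through `apply` leaves both counters exactly at their caps, so the sixth €20 purchase on the same card falls back to SCA and resets them.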