BCH is supporting PSD2 (Payment Services Directive) for Strong Customer Authentication (SCA)
What is SCA?
Introduced in September 2019 and to be implemented through a ‘phase-in period’, all customer-initiated European online card payments will now require SCA by March 2021.
It’s expected that good practice put in place by companies through their adherence to the SCA payment requirements, will actively encourage them to extend multi-factor authentication (MFA) to enhance the security of further business processes throughout their organisations.
If you’re looking to enhance the security of your business operations for employees, customers or both, then SCA or MFA can provide the way forward.
Why you should implement MFA now and extend SCA compliance to protect all aspects of your business
It’s imperative that your business is ready to comply with the SCA regulations in order to avoid increases in ‘declines’ from European cards, staggered and early enforcement dates from different UK banks, fines and possible licence revocations. SCA implementation can also help avoid the realistic prospect of losing as much as 3% of annual revenue to increasing cyber fraud. Using software to test millions of password combinations, accessing tradable lists of email addresses, as well as taking advantage of the fact that 90 % of employee passwords are hackable in just 6 hours, means that businesses are constantly under attack.
You may currently only be using single-factor authentication (SFA) in payment procedures and in other aspects of your business, such as granting employees access to work databases. Single-factor authentication, even though it requires two pieces of information – for example, a user ID and password – still uses only one variable, in this case, it’s something a user already knows. This single level of security is clearly inadequate for both customers affecting online payments and for employees accessing company databases. This is particularly so when the latter group are active in using their own mobiles as part of the BYOD trend (‘bring your own device’ to work). When people choose weak passwords, frequently re-use passwords or even fail to change their passwords regularly, it’s not surprising that hacks attack.
MFA, as opposed to SFA, introduces a further variable to achieve stronger customer or user authentication. This can be ‘something we already own’. Ideally and for convenience sake, it needs to be something that we’ve always got close to hand such as a mobile phone.
SCA requires authentication to use at least two of the following:
Knowledge: something we know, i.e., a pin or password
Possession: something we own: i.e., a mobile phone
Inherence: something that is us, i.e., fingerprint, voice recognition
Each factor is independent of the other. If one factor is at all compromised, the reliability of the other is not.
SCA or MFA using a mobile with the BCH platform
A mobile phone can simply be registered with a website as part of initial account setup. It can then be used for secondary security questions. When a user logs in to a website, a phone call is initiated to his or her mobile. An IVR script (automated voice) will require that the user inputs a secondary credential to complete a purchase transaction. This credential may comprise a random code which can be displayed on the user’s mobile screen.
BCH’s multi-factor procedure directly links the user to the registered phone, thereby constituting an effective secondary factor to verify the person logged in is, in fact, the person he or she claims to be.
To successfully “hack” this process a list of usernames and passwords (the first factor) needs to be broken AND then the call or internal number database (the second factor) intercepted. This pair of hacks although possible is extremely unlikely.
Can SMS be used instead of Voice? If so, is it secure?
Yes, SMS is an alternative. However, it’s generally acknowledged that SMS is not as secure as voice, particularly in view of the recently well-publicised Google SMS SS7 (Signalling System 7) hack. SS7 is a communications protocol used by mobile carriers. Hacking into SS7 allows attackers to read SMS messages and therefore circumvent end-to-end encryption.
Mobile phone – SCA/MFA is cost-effective and user-friendly
There are now more active mobile connections than people. It’s easy to see, therefore, why using SCA/MFA with mobile phones readily champions the barriers of accessibility and familiarity. There’s simply no need for a mobile user to carry (and lose!) any separate hardware tokens such as credit, store or identity cards. There’s also less input needed from call centre staff, who can instead be used efficiently to deal with more profitable and cost-effective tasks.
Exemptions for SCA and the selective application of SCA/MFA
Referral to the PSD2 SCA regulations will shed further light as to currently applicable exemptions. Presently, for example, telephone payments are exempt from the regulations as are some payments below 30 Euros and regular fixed amount subscriptions. However, this doesn’t mean to say that SCA/MFA should not be applied to such payments, either universally or selectively. Some might argue that universal application would result in customer friction and further fall-out during the payment process. Nevertheless, informed application of SCA/MFA in some selected exempt payment transactions is considered advisable.
SCA/MFA will rapidly be the norm and not the exception
Research by Mastercard indicates that only 1-2 % of online payments made through a pc or mobile phone need cardholder authentication. This is expected to rise to at least 25%, that’s 1 in 4 of all online sales.
BCH Digital’s SCA competent systems ensure straight-forward and ongoing real-time compliance with PSD2 SCA regulations. Take the opportunity to enhance your system’s security and avoid increasing fall-out rates by speaking with us today
To find out more about us, follow the link. Or to enquire about our SCA-ready Multi-factor Authentication systems, simply call the BCH team on 0161 537 7707. We’ll look forward to hearing from you!