Strong Customer Authentication: Difference between revisions

From ACT Wiki
Jump to navigationJump to search
imported>Doug Williamson
(Link with 3D Secure page.)
imported>Doug Williamson
(Add link.)
 
(6 intermediate revisions by the same user not shown)
Line 10: Line 10:
* Something only the user possesses (e.g., mobile phone or token);
* Something only the user possesses (e.g., mobile phone or token);


* Something the user is (e.g., fingerprint, facial, iris or eye vein).
* Something the user is (e.g., fingerprint, facial, iris or eye vein), sometimes known as 'inherence'.




Line 19: Line 19:




Banks are required to comply with the relevant technical standards for SCA by 14 September 2019 at the latest.
A number of exemptions are available, including trusted beneficiaries and recurring payments, low-value transactions and Transaction risk analysis (TRA).
 
 
In addition, certain transaction types are outside the scope of the rules, for example mail order and telephone orders (MOTO).




== See also ==
== See also ==
* [[3D Secure]]
* [[3D Secure]]
* [[Compromise]]
* [[Customer]]
* [[eIDAS]]
* [[PSD2]]
* [[PSD2]]
* [[Regulatory Technical Standard]]
* [[Regulatory Technical Standard]]
* [[Token]]
* [[Transaction risk analysis]]
* [[Two-factor authentication]]
* [[Two-factor authentication]]



Latest revision as of 17:22, 11 March 2023

Payments - PSD2.

(SCA).

Regulatory Technical Standards (RTS) define SCA as authentication through at least two out of the following three categories:

  • Something only the user knows (e.g., passcode or PIN);
  • Something only the user possesses (e.g., mobile phone or token);
  • Something the user is (e.g., fingerprint, facial, iris or eye vein), sometimes known as 'inherence'.


The RTS require that the selected factors must be mutually independent in that the breach of one does not compromise the reliability of the other.


The use of a single device for authentication and shopping is expressly permitted. This means, for example, that a smartphone may be used at the same time for transacting and for authenticating the cardholder. The risk connected to the use of multi-purpose devices (e.g. smartphones and tablets) must be mitigated through the use of separated secure execution environments.


A number of exemptions are available, including trusted beneficiaries and recurring payments, low-value transactions and Transaction risk analysis (TRA).


In addition, certain transaction types are outside the scope of the rules, for example mail order and telephone orders (MOTO).


See also