If you are a payment ecosystem participant, you may know that on the 14th September 2019 the second Payment Services Directive (PSD2) has entered into force. PSD2 brought us stricter requirements for customer authentication, called Strong Customers Authentication (SCA). Under PSD2 and Regulatory Technical Standards (RTS), SCA is defined as an “authentication based on the use of two or more elements categorized as:

  • knowledge (something only the user knows),   
  • possession (something only the user possesses), and   
  • inherence (something the user is)   

that are independent, in that the breach of one does not compromise the reliability of the others and is designed in such a way as to protect the confidentiality of the authentication data.”  

In other words, PSD2 requires to implement Multi-factor Authentication (MFA). Multi-Factor Authentication can be implemented by using a combination of these elements to authenticate the user:  

  • RFID/NFC Badges,  
  • USB or other physical devices  
  • Tokens, certificates  
  • Codes generated by smart gadgets apps;  
  • Codes sent to a phone number or email address   
  • Answers to personal security questions  
  • Behavioral analysis  
  • Fingerprints or Facial recognition  
  • Retina or iris scanning  
  • Etc  

In the payment ecosystem, the most recognized standards are provided by the Payment Card Industry Security Standards Council (PCI SSC). It requires MFA to be implemented with at least two of the three authentication methods (similar to SCA in RTS) as described in PCI DSS Requirement 8.2:

  • Something you know, such as a password or passphrase. This method involves verification of information that a user provides, such as a password/a passphrase, PIN, or the answers to secret questions (challenge-response).  
  • Something you have, such as a token device or smartcard. This method involves verification of a specific item a user has in their possession, such as a physical or logical security token, a one-time password (OTP) token, a key fob, an employee access card, or a phone’s SIM card. For mobile authentication, a smartphone often provides the possession factor in conjunction with an OTP app or a cryptographic material (i.e., certificate or a key) residing on the device.  
  • Something you are, such as a biometric. This method involves verification of characteristics inherent to the individual, such as via retina scans, iris scans, fingerprint scans, finger vein scans, facial recognition, voice recognition, hand geometry, and even earlobe geometry.  

Currently, the industrial standard for authentication of online payment is PCI 3D Secure (PCI 3DS). Using PCI 3DS typically means adding an extra step after the checkout where the customer is prompted by their payment service provider to provide additional information to complete a payment (e.g., a one-time code sent to their phone (or email address) or biometrical authentication through their mobile app).  

In 2019 the new version of PCI 3DS – 3DS Secure 2 (PCI 3DS2) was released (Read our article about 3DS here).

It introduces a lot of improvements to user experience with authentication added into the checkout process.  

3D Secure 2 allows payment providers to send more data elements on each transaction to the cardholder’s payment service provider. This includes payment-specific data: shipping address, as well as contextual data, such as the customer’s device ID or previous transaction history, etc. By sharing more data PCI 3DS2 enables to increase the number of transactions that can be authenticated without further customer input.  

Apple Pay and Google Pay or other card-based payment providers already support payment process with layer of second authentication factor (biometric, code etc).   

The PCI Guidance for Multi-Factor Authentication says “The intent of multi-factor authentication (MFA) is to provide a higher degree of assurance of the identity of the individual attempting to access a resource, such as physical location, computing device, network or a database. MFA creates a multi-layered mechanism that an unauthorized user would have to defeat to gain access.” PCI-DSS Requirement 8.3, which makes multi-factor authentication mandatory, is in full compliance with PSD2 and SCA. 

Book a free call with our experts to discuss your cyber security challenges here. 

Artūras Vegėlius

Written by Artūras Vegėlius

I am the Compliance and Data Protection Consultant at Advantio. I have over 16 years of experience in developing various information systems and IT projects, 8 years of experience in project management and information security consulting. Also I'm the Marketing and Communications Director at ISACA Lithuania.