eIDAS & Strong Customer Authentication – Securing Europe’s Digital Payments Landscape

September 2019 will usher in a new paradigm for online payment security and trust: it is the month when the requirements for Strong Customer Authentication (SCA) under the Revised Payment Services Directive (PSD2) go live in the European Economic Area.

Most payment processors and service providers are already working on their implementations, since the Regulatory Technical Standards (RTS) for Strong Customer Authentication were defined and adopted back in 2017.

What exactly is Strong Customer Authentication (SCA)?

As the name suggests, Strong Customer Authentication requires a customer initiating an online payment transaction to be authenticated by the service provider in a manner that is far more robust and foolproof than what was previously done.

The need for SCA in payment transactions is obvious. As more and more transactions move online, so do the bad actors who want to subvert those transactions for personal profit. To protect retail users from such fraud, the European Commission is introducing regulations that tackle the problem in a standardized manner: rather than having to worry about which bank or payment service provider offers the best authentication, you can rest assured that all of them must follow the minimum requirements that the European Commission deems appropriate to protect the consumer.

The philosophy behind SCA is that a strong authentication can be provided by a combination of at least two of the following:

  • Something that the user knows (a password, a secret question, etc.)
  • Something that the user owns (a mobile number that receives a one-time password, or a smart card in your possession)
  • Something that the user is (fingerprints, voice pattern recognition, retina scans, etc.)

PSD2 mandates that Strong Customer Authentication is established using elements from two or more of the above categories.
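The category rule above is easy to get wrong in practice: two elements from the same category (say, a password plus a secret question) are still only one factor. The following Python is an added illustration, not code from the original post or from Utimaco; the element names, the category mapping and the `Element` type are assumptions made for the example. It evaluates a set of presented authentication elements and reports whether they span at least two distinct SCA categories, ignoring any element that did not verify on its own.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    """The three SCA categories named in PSD2."""
    KNOWLEDGE = "something the user knows"
    POSSESSION = "something the user owns"
    INHERENCE = "something the user is"


# Hypothetical mapping from an authentication element type to its SCA category.
# Note that several element types collapse into the same category.
ELEMENT_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "security_question": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "sms_otp": Factor.POSSESSION,     # one-time password sent to a registered mobile number
    "smart_card": Factor.POSSESSION,  # e.g. an eID card the user holds
    "fingerprint": Factor.INHERENCE,
    "voice": Factor.INHERENCE,
}


@dataclass(frozen=True)
class Element:
    """One authentication element presented during a transaction (constructed type)."""
    kind: str       # key into ELEMENT_CATEGORY
    verified: bool  # True only if this element checked out on its own


def verified_categories(elements):
    """Return the set of SCA categories covered by the successfully verified elements."""
    categories = set()
    for element in elements:
        if element.kind not in ELEMENT_CATEGORY:
            raise ValueError(f"unknown authentication element type: {element.kind!r}")
        if element.verified:
            categories.add(ELEMENT_CATEGORY[element.kind])
    return categories


def evaluate_sca(elements):
    """Decide whether the presented elements satisfy SCA.

    Returns (ok, reason): ok is True when at least two distinct categories
    are covered by verified elements; reason is a short human-readable
    explanation suitable for an audit log.
    """
    categories = verified_categories(elements)
    names = sorted(c.name for c in categories)
    if len(categories) >= 2:
        return True, f"SCA satisfied: {len(categories)} categories ({', '.join(names)})"
    if len(categories) == 1:
        return False, f"SCA not satisfied: only one category ({names[0]})"
    return False, "SCA not satisfied: no verified authentication element"


if __name__ == "__main__":
    # Constructed sample transactions showing the common pitfall and a valid eID flow.
    attempts = {
        "password + secret question": [Element("password", True), Element("security_question", True)],
        "eID card + PIN":             [Element("smart_card", True), Element("pin", True)],
        "eID card + wrong PIN":       [Element("smart_card", True), Element("pin", False)],
        "fingerprint + SMS OTP":      [Element("fingerprint", True), Element("sms_otp", True)],
    }
    for label, elements in attempts.items():
        ok, reason = evaluate_sca(elements)
        print(f"{label:28s} -> {ok}  ({reason})")
```

The `verified` flag matters: an element that failed its own check must not contribute a category, otherwise a single correct password plus a rejected OTP would count as two factors. The page also mentions "independence of elements" in the RTS; this example only enforces the category rule and does not model independence.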

Implementing Strong Customer Authentication

Knowing what SCA is and why you need it is just half the battle. The actual implementation is what matters in terms of having a noticeable impact on transactional security. The technical standards define the broad scope of what should be achieved and ensured: things like authentication requirements, independence of elements, monitoring, risk analysis, exemptions and so on.

The electronic identity (eID), with its cross-border usage and recognition governed by the eIDAS regulation, can constitute an authentication mechanism based on what a user has (the eID card) and knows (the PIN). The Regulatory Technical Standards also require qualified certificates for electronic seals and website authentication, as defined by eIDAS.

The actual implementation of SCA standards is where Hardware Security Modules (HSMs) come into the picture. They provide a hardware root of trust that helps achieve Strong Customer Authentication for online payment transactions, and they have the flexibility to support the multi-factor authentication requirements mandated under the new regulations.

To meet the high expectations of eIDAS (and to contribute to its legal probative value), Hardware Security Modules should comply with the eIDAS Protection Profile EN 419 221-5, enabling compliant and highly secure banking-grade qualified trust services. Companies have already brought compliant modules to market, and this will undoubtedly help financial service providers jump-start the next phase of their digital transformation.

Blog post by Gaurav Sharma
