SCA & Security


Europe’s Strong Customer Authentication (SCA) should be the Groundwork – and the Expectation – for Global Cybersecurity Regulation

As of September 14th, 2019, the second Payment Services Directive went into effect, requiring Strong Customer Authentication (SCA) across Europe for “customer-initiated” online payments. Enforcement of these regulations varies across countries, banks, and card networks, increasing complexity and blocking payments for online businesses. While the fragmented application of the SCA rules and the numerous nuanced exemptions are causing headaches for businesses across the globe, the requirements are a crucial step forward in mandating secure financial transactions and maintaining customer security.

In today’s threat environment, we know that the network perimeter defense strategies of the past no longer meet the needs of the global economy. With the introduction of cloud technology and the Internet of Things, the proliferation of devices and the ease of remote access have necessitated a new plan for cybersecurity. Modern security must take a zero-trust approach to user identity and authentication: one that compartmentalizes information, applies risk management to users, and makes it harder for bad actors to reach sensitive information. The new SCA rules require companies to make this change and to protect crucial financial information, while encouraging them to take advantage of newer security technologies such as biometric authentication and 3D Secure 2.

What is SCA, and how does it work?

SCA requires “customer-initiated” online payments to be authenticated with two out of three distinct elements (also known as two-factor authentication). These elements are something your customer knows, such as a password; something they have, such as a phone; or something they are, such as their fingerprint. The two elements must come from different categories, so a password plus a security question does not qualify. Depending on the type of purchase customers make, or even which bank they use, SCA may be required during or after checkout, affecting customer experience and checkout conversion for some companies.

While recurring debits are considered “merchant-initiated” and don’t require SCA, most card payments and all bank transfers in Europe now require SCA. These new regulations may pose a particularly significant headache for businesses that take card information and store it for later charges and add-ons, such as hotels.
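As an added illustration (not code from the article or from any payment provider), the following Python policy check models the two-of-three rule and the merchant-initiated exemption described above. The factor names, the mapping of factor types to categories and the `Transaction` fields are assumptions made for this example.

```python
# Added example: a minimal Strong Customer Authentication (SCA) policy check.
# Models PSD2's two-of-three rule (knowledge / possession / inherence) and the
# merchant-initiated exemption. Factor names and fields are assumed for illustration.
from dataclasses import dataclass, field

KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"

# Assumed mapping of concrete factor types to their regulatory category.
FACTOR_CATEGORY = {
    "password": KNOWLEDGE,
    "pin": KNOWLEDGE,
    "security_question": KNOWLEDGE,
    "otp_from_registered_phone": POSSESSION,
    "hardware_token": POSSESSION,
    "fingerprint": INHERENCE,
    "face_scan": INHERENCE,
}


@dataclass
class Transaction:
    initiated_by: str                              # "customer" or "merchant"
    factors: list = field(default_factory=list)    # factor types presented


def sca_required(tx: Transaction) -> bool:
    """Recurring, merchant-initiated debits are exempt; customer-initiated payments need SCA."""
    return tx.initiated_by == "customer"


def factors_satisfy_sca(factors) -> bool:
    """True only when the presented factors cover at least two *distinct* categories.

    Two knowledge factors (e.g. password + security question) are one category,
    not two, so they do not satisfy SCA. Unknown factor types are ignored, i.e.
    they never count towards the requirement.
    """
    categories = {FACTOR_CATEGORY[f] for f in factors if f in FACTOR_CATEGORY}
    return len(categories) >= 2


def authorize(tx: Transaction) -> str:
    """Return 'exempt', 'approved', or 'challenge' (SCA still outstanding)."""
    if not sca_required(tx):
        return "exempt"
    return "approved" if factors_satisfy_sca(tx.factors) else "challenge"
```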

Why is this positive?

Today’s security must be identity-based: there can be no zero trust without authentication. The evolving threat landscape means that any company that doesn’t apply multi-factor authentication is exposing itself to massive vulnerabilities. Microsoft sounded this alarm in its 2017 Microsoft Security Intelligence Report, which highlighted the increasing frequency and sophistication of attacks, including a 300% increase in attacks on cloud-based user accounts. Modern identity is the new battleground for attackers and defenders.

“If you configure your users with Multi-factor authentication (MFA), that reduces the risk (of attack) by 99.9%. Unfortunately, a surprising number of customers haven’t turned on MFA; it’s like driving without a seatbelt.”

Joy Chik, Vice President, Identity Division in Microsoft’s Cloud + Enterprise group (1)