Strong customer authentication – about the new rules on electronic payments

Written by Johan Ragnar, lawyer at Synch and John Lundberg, thesis intern

Strong customer authentication (SCA) means that a customer must verify his/her identity with two mutually independent factors when using electronic payment methods, for example when using a credit card. The rules, which are based on EU legislation, aim to increase the security of electronic payments and combat fraud. Generally speaking, the legislation does not introduce anything completely unheard of in Sweden. There are already several different two-factor authentication techniques in use, but this has now become a legal requirement.

As a starting point, the rules apply to all kinds of electronic payments. However, there are some exceptions provided for by law. Examples are contactless payments made at the point of sale for amounts under a certain threshold, and payment of parking fees at unattended parking meters. It is the payment service that decides which exceptions it will offer its customers as part of its service.

The new rules have already started to apply – but for the implementation in e-commerce the deadline has been extended until December 31st, 2020.

Providers of payment services are the ones responsible for compliance with the SCA rules. The SCA procedure must consist of a unique code created for every transaction. This code shall be generated when two out of three factors in the categories i) knowledge, ii) possession or iii) inherence have been provided by the payment initiator. “Knowledge” means information that only the customer knows, such as a password. “Possession” relates to something the user has, for example a payment card. The category “inherence” is something the customer is, like a fingerprint or other biometric characteristics. A combination of factors that is already widespread is a credit card and a PIN code. The card is something the payer has and the code something they know. However, when paying online, often only the card details are required, which means only one factor is provided. With the new laws in place, this will change. It will probably not come as a big shock for online-shopping Swedes, who are already accustomed to using Mobilt BankID.

The legislation also contains rules intended to make the SCA systems secure. For example, it should not be possible to manipulate the authentication code or for a third party to hijack the transaction. The security measures shall ensure the secrecy, authenticity and integrity of the payment. The payment service providers must also create a monitoring mechanism in order to find any unauthorised transactions, both across transactions as a whole and for single transactions. The security measures should be regularly evaluated and improved in order to uphold a high level of security.
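The two requirements described above (a code issued only after factors from two different categories, and a code that cannot be manipulated or reused) can be sketched as follows. This is an added example, not code from the article or from any payment provider; the factor-to-category mapping, the transaction fields, the nonce and the use of HMAC-SHA256 are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed mapping of concrete methods to the article's three categories.
CATEGORY = {"password": "knowledge", "pin": "knowledge",
            "card": "possession", "phone": "possession",
            "fingerprint": "inherence"}

def covered_categories(verified_factors):
    """Return the distinct categories the verified factors fall into."""
    return {CATEGORY[f] for f in verified_factors}

def _mac(key, tx, nonce):
    # Canonical JSON so the same transaction always serialises identically.
    msg = json.dumps({"tx": tx, "nonce": nonce}, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def issue_code(key, verified_factors, tx, nonce):
    """Issue a per-transaction code only after two independent categories."""
    if len(covered_categories(verified_factors)) < 2:
        raise PermissionError("need factors from two different categories")
    return _mac(key, tx, nonce)

def verify_code(key, tx, nonce, code, seen_nonces):
    """Accept a code once, and only for the exact transaction it was issued for."""
    if nonce in seen_nonces:
        return False  # the code was already used: replay
    if not hmac.compare_digest(_mac(key, tx, nonce), code):
        return False  # the code or the transaction details were altered
    seen_nonces.add(nonce)
    return True

if __name__ == "__main__":
    import secrets
    key = secrets.token_bytes(32)   # server-side secret (assumption)
    nonce = secrets.token_hex(16)   # fresh per transaction
    # Constructed sample transaction.
    tx = {"id": "tx-1001", "amount_minor": 49900, "currency": "SEK",
          "payee": "Example Shop AB"}
    seen = set()
    code = issue_code(key, ["card", "pin"], tx, nonce)
    print("valid:", verify_code(key, tx, nonce, code, seen))
    print("replayed:", verify_code(key, tx, nonce, code, seen))
    altered = dict(tx, payee="Other AB")
    print("altered payee:", verify_code(key, altered, nonce, code, set()))
```

A password combined with a PIN is rejected by `issue_code` because both fall into the knowledge category, while card plus PIN passes.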

For e-commerce, a review of payment procedures will be required even if it is the payment service providers who carry the main responsibility for compliance with the SCA rules. First, e-retailers must choose the SCA method that best fits their business and, secondly, they must technically adjust their platforms to the chosen method.

When it comes to choosing an SCA method, an e-retailer should look at what creates the leanest order process for its customers. The new rules create an extra step that the customer must take before an order is placed. A smooth payment method is an important component in the process of increasing sales. Many Swedes are today accustomed to using different types of SCA, such as Mobilt BankID, but e-commerce businesses must reflect upon possible improvements in their order procedure. An exception from SCA that can be of special interest for e-retailers is the possibility for customers to create a so-called “white list”. By adding names of payment receivers to this list, transactions will not have to go through the SCA procedure.

When it comes to adjusting the e-commerce platforms, it all depends on the platform's technical standards and on the requirements of the chosen payment service provider.

Even if the complete implementation of SCA procedures within e-commerce does not have to be finished before December 2020, the payment service providers that have yet to implement measures to comply with the new rules must submit a plan to the Swedish Financial Supervisory Authority on how this will be achieved. The deadline for the submission is December 31st, 2019. The plan should also include which exceptions from SCA the e-retailer plans to provide.