Still Not Compliant With PSD2 SCA? Entrust Offers Secure Multi-factor Authentication

Dec 01 2020

Written by: Nicolas Bruley

DISCOVER SECURE MULTI-FACTOR AUTHENTICATION FOR ONLINE BANKING AND PAYMENTS FROM ENTRUST (FORMERLY ANTELOP SOLUTIONS)

Since September 2019, the PSD2 RTS for Strong Customer Authentication (SCA) has applied in the European Union. This revised Payment Services Directive makes SCA mandatory for banks and any sensitive operation. Although the regulation has been in place for over a year now, financial institutions have an extended deadline until December 31st 2020 to implement SCA.

More than ever, with increasing online transactions and more complex fraud attempts, banks and financial institutions need to implement a secure solution that is compliant with the 3DS e-commerce protocol, as SMS OTP is no longer an option in that case.

WHAT IS SCA? 

SCA is an authentication process that confirms the identity of the user of a service through multiple factors.

Since September 2019, it has been mandatory for financial institutions in the European Union, following the decision of the European Banking Authority (EBA). This applies to sensitive banking operations and electronic payment transactions, with some exceptions, especially for low amounts.

PSD2 SCA relies on a minimum of two different and independent factors out of:

  • “something I know” (e.g. a PIN code)

  • “something I have” (e.g. an owned device)

  • “something I am” (e.g. a fingerprint)

ONE OF THE BIGGEST CHALLENGES FOR BANKS IN EUROPE IS E-COMMERCE PAYMENTS, WHERE THE 3D SECURE PROTOCOL IS NOW MASSIVELY USED TO SECURE TRANSACTIONS.

The EBA clearly stated that combining the card number and an SMS OTP in a 3DS protocol is not compliant, as the card number isn’t a real possession factor (e.g. a third party can take a picture of the card without authorization). Furthermore, SMS OTP, which banks adopted a long time ago, doesn’t meet industry best practices for security and a frictionless experience.

For 3DS e-commerce authentication, the industry is moving overall from SMS to app-based authentication. This raises the challenge of integrating with card processors and 3DS servers or ACS (Access Control Servers) while maintaining an authentication framework that is coherent with other daily banking authentication use cases.

As for the end-of-year deadline, many FIs are late and time is running out.

MFA IMPLEMENTATION IS NOT ENOUGH

We know that regulators will check in the coming months whether banks have really implemented PSD2 SCA, but it is now agreed that this will only be a first step. Regulators (like the National Central Banks) will rapidly audit the security level of the SCA implemented by banks.

That’s why banks need to focus on both:

  • Security of the SCA solution and of their banking app overall

  • Multi-factor authentication with independence of factors

The best way to assess the security of an SCA is to have a security evaluation run by an expert security lab. After such audits, we see some banks moving to expert security solutions for SCA and moving away from in-house MFA developments.

Overall, the EU market is equipping itself with security SDKs for:

  • device binding, transforming the app into a secured app (1st factor)

  • PIN and / or biometrics (fingerprint, facial recognition, iris…) authentication through cryptography and PKI architectures (2nd or more factors) that can be combined depending on the bank’s rules and the transactions’ risk profiles

ENTRUST SCA ANSWERS BOTH SECURITY AND UX SCA CHALLENGES FOR BANKS

Entrust SCA offers one of the most advanced security toolboxes on the market (certified by leading security laboratories for international card schemes: Visa, Mastercard, CB and EMVco), transforming your app into a vault.

With its multilayer security (e.g. device binding, root detection, anti-tampering, anti-debugging, anti-cloning…), the Entrust SDK securely protects your customers from advanced fraud attacks and transforms the smartphone into a “trusted” device. Fraud attacks are an especially major risk factor for solutions developed in-house.

With Entrust, all authentication use cases are covered, using the smartphone for strong customer authentication regardless of the operation channel:

  • Account access

  • 3DS Authentication

  • Credit transfers, P2P

  • Mobile Contactless Payments and QR code

  • Mobile and Desktop TPP Application

The Entrust mobile SDK natively manages various customer authentication methods: PIN code, biometrics, Secure Unlock. It also adapts to your business rules depending on transaction risk levels (payment thresholds, counters on the amount or number of transactions). With both online and offline capabilities, it provides security mechanisms to secure communications between the application and the bank’s back end or third-party servers.

The Entrust SCA SDK (Android, iOS and Huawei compatible) can help you comply with PSD2 securely and with a fast time to market. It comes already connected, through its authentication platform, to various card processors and ACS.

It enables banks to focus on UX with a generic secure solution.

Example: Desktop checkout with 3DS 2.0 e-commerce payment

In this example, the transaction is initiated on a desktop computer. A push notification is sent to Entrust’s mobile SDK, which opens the banking application. The customer strongly authenticates himself according to your desired pattern (from simple consent to multi-factor authentication). The payment page automatically refreshes with the result of the transaction, for a fluid customer experience.

Adaptive Multi-Factor Authentication, all use cases are covered

Nicolas Bruley
VP Digital Payment Solutions
Nicolas Bruley, ex-CEO of Antelop and co-founder of Antelop Solutions (acquired by Entrust in 2021), has more than 20 years’ experience in payments with European banks and international schemes. Previously, Nicolas worked with French banks on mobile payments, issuer wallets, card issuance projects, payment platforms, 3DS, and dynamic CVV. Between 2011 and 2013, while working for Visa, he led international contactless mobile payment projects for European banks.