How to achieve strong customer authentication in 2021

24 December, 2020Ouida Taaffe
City of London skyline from the air

2021 is the year when strong customer authentication (SCA) for e-commerce payments becomes mandatory in Europe and the UK. But banks, payment service providers and merchants are concerned that too much risk checking will antagonise consumers. Behavioural analytics promises to be a solution.

Banks and e-payment service providers must make sure that the person paying is who they say they are. If SCA goes wrong and fraud occurs, banks are on the hook.

In the EU, from 31 December 2020, merchants and payment providers must start supporting full SCA. In the UK, 14 September 2021 is the deadline for full compliance for merchants.

By then, UK banks will have had their SCA ducks in a row for over a year. They had to go live with full SCA on 14 March 2020. In 2020, there has been a dive in cash usage in the UK.

Thanks to Covid-19, transactions volumes in the LINK ATM network were down 44% year on year in November. However, the majority of payments have been cashless for a few years.

What SCA requires

SCA covers ‘customer-initiated’ online payments, like banks transfers and most online card payments. Direct debits carry on as before because they are deemed ‘merchant-initiated’.

Contactless payments don’t have to meet all three data points. Also, small value contactless payments are exempt, until a certain number of payments or amount is reached. That is why shoppers who use contactless will eventually have to enter a PIN.

SCA compliance requires at least two out of three pieces of data from consumers before payments are authorised. These are:

  • something that the person knows – eg a PIN or password
  • something they are – eg biometrics such as fingerprints or iris scans
  • and something they have – eg a mobile device.

Friction and behavioural analytics

Tap and go is much more convenient than entering a pin. Consumers prefer a frictionless experience. Research by Microsoft finds that online “customers abandon checkout at high rates when challenged” by SCA systems.

Ideally, consumers should be able to pay securely without even noticing security checks. The question is, how?

Most of us are not in control of our digital identities. A 2019 McKinsey report found that just 10% of people did more than six of eight common privacy-protecting activities, such as disabling cookies and browsing privately.

This means our digital identities have likely been compromised.

Melanie Maier is Presales Solution Lead DACH Central Europe at Entersekt, which helps banks provide strong customer authentication. She says that the first line of defence should be to analyse the risk without slowing down the transaction.

The end-user shouldn’t be required to make an active authentication, unless there’s doubt.

Behavioural analytics

“Really good authentication…that provides security but doesn’t compromise the user experience can be offered with behavioural analytics,” says Maier. “With behavioural biometrics you can’t fake it – people can fake fingerprints and face ID.”

Maier says that banks can analyse highly individual behavioural patterns like how a customer types, or how they use their phone. She argues that – given the criteria for privacy and security standards – banks are in a good position to be the brokers of digital identities.

“Many banks are slow to realise and act on that,” she says. 

The use of behavioural analytics is expected to be high in Europe because the EBA has said that SMS one-time passwords don’t count as a compliant factor in SCA. But behavioural analytics offer a friction-free environment that should have wider use.

“Banks will have to deal with evolving customer expectations,” says Maier. “Customers will want services that are personalised, relevant and offered at the right time.”

That is because they’ll expect online banking to provide the level of service they enjoy from tech companies that aren’t regulated firms dealing with money.

“Banks will have to change their processes to meet customers wherever they are, …and customers are not going to want to restart a process over and over again.”

Related content


Find out more about our Certificate in Principles of Payments (CertPAY) qualification

See our Centre for Digital Banking and Finance