PSD2 Deadline: A guide to strong customer authentication (SCA) with QWACs
The EU Payment Service Directive 2 (PSD2) is scheduled to come into force across the EU on the 14th of September. A significant component of PSD2 is the set of regulations and guidelines for Strong Customer Authentication (SCA). SCA requires additional security authentication for online transactions that have a value over €30. The SCA requirements mandate the use of two independent pieces of identifying information that only the customer making the online transaction will have. Two out of the following three items will be needed to complete SCA under PSD2:
- Something known by the customer - e.g. a card PIN.
- Something the customer has - e.g. a registered phone or payment card.
- Something unique to the customer - e.g. a fingerprint or face scan.
The third item covers the increasingly used biometric capabilities in mobile devices and laptops. These three items are how SCA will present to users. There are also infrastructure, application, and network security components that need to be implemented for SCA, including the correct use of encryption and transport security to secure financial transactions.
Many organisations are struggling to update their online stores and other systems to comply with the SCA requirements. As a result, the European Banking Authority has allowed national regulators to extend the SCA implementation deadline past the 14th of September if required. Both the Central Bank of Ireland and the UK Financial Conduct Authority have agreed to extensions after pressure from the payment services sector. The UK has extended the deadline for 18 months, while the Irish regulator has said there would be an extension but has not set a new date. Clearly, organisations need to comply with SCA as soon as possible in both Ireland and the UK.
Renaissance has all the expertise and industry partners you need to ensure you meet the SCA and other requirements of PSD2. Contact us today to discuss your needs. Read on for a summary of the encryption and network security requirements needed to implement SCA on online stores and web applications that handle financial transactions.
Securing SCA Transactions
Securing financial transactions, after they have been authenticated using the 2 out of 3 SCA authentication items, needs to be done in two ways. Firstly, data at rest on servers needs to be encrypted so it can’t be read if it falls into unauthorised hands. Secondly, financial transaction data needs to be encrypted and secured as it travels over the network between user devices and web application servers.
Both of these security requirements are met by the use of security certificates as defined in the broader electronic identification and trust services (eIDAS) specification. These security certificates are used to identify authorised payment service providers (PSPs) securely. They come in two forms:
- Protection for financial transaction data in transit - PSD2 builds on existing Extended Validation (EV) Certificates to provide a Qualified Website Authentication Certificate (QWAC). A QWAC adds extensions to an EV certificate that allow the reliable identification of the organisation using the certificate, so that it can be trusted in the financial sector. A QWAC also enables full TLS encryption in both directions on financial transactions.
- Protection for financial transaction data at rest - this relies on the implementation and use of Qualified Electronic Seal certificates (QSealC) that are used to sign files electronically. This allows anyone accessing a file to be sure it is from the organisation they expect, and that it has not been altered since it was electronically signed. This is the electronic equivalent of a traditionally signed document.
Either method can be used as per the current PSD2 requirements documentation. However, it is recommended that both are implemented for maximum security. This also future proofs against regulators changing the regulations to require both. Note that the certificate authority issuing the QWAC and QSealC certificates must be located within an EU member state.
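Both certificate types described above carry the eIDAS qcStatements extension, and its QcType statement records which kind of certificate you are holding. The following added example (not code from the original page) decodes that statement from a constructed DER value using only the Python standard library, so a deployment check can confirm that the certificate installed on a TLS endpoint is a QWAC and the one used for sealing files is a QSealC; the OIDs are the ETSI EN 319 412-5 values, and the sample extension values are constructed here rather than taken from any real certificate.

```python
# Added example, not from the page: classify an eIDAS certificate as QWAC or QSealC from the
# QcType statement inside its qcStatements extension (OID 1.3.6.1.5.5.7.1.3). Stdlib only.
QC_COMPLIANCE = "0.4.0.1862.1.1"   # id-etsi-qcs-QcCompliance
QC_TYPE = "0.4.0.1862.1.6"         # id-etsi-qcs-QcType (ETSI EN 319 412-5)
QC_TYPE_NAMES = {"0.4.0.1862.1.6.1": "QCert for electronic signature",
                 "0.4.0.1862.1.6.2": "QSealC", "0.4.0.1862.1.6.3": "QWAC"}
def der_len(n):                    # DER length octets: short form below 128, long form above
    raw = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return bytes([n]) if n < 128 else bytes([0x80 | len(raw)]) + raw
def der_oid(oid):                  # OBJECT IDENTIFIER: arcs in base-128 with continuation bits
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.insert(0, 0x80 | (arc & 0x7F))
        body += bytes(chunk)
    return b"\x06" + der_len(len(body)) + bytes(body)
def der_seq(*items):               # SEQUENCE around already-encoded items
    return b"\x30" + der_len(sum(map(len, items))) + b"".join(items)
def der_children(value):           # split a run of TLVs (a SEQUENCE body) into (tag, value) pairs
    pos, out = 0, []
    while pos < len(value):
        tag, length, pos = value[pos], value[pos + 1], pos + 2
        if length & 0x80:          # long-form length: low bits give the number of length octets
            n = length & 0x7F
            length, pos = int.from_bytes(value[pos:pos + n], "big"), pos + n
        out.append((tag, value[pos:pos + length]))
        pos += length
    return out
def parse_oid(value):              # inverse of der_oid (first arc 0 or 1, as in all OIDs used here)
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))
def qc_types(qc_statements_der):
    """Names of the QcType values in a DER qcStatements extension value ([] if none)."""
    found = []
    for _tag, stmt in der_children(der_children(qc_statements_der)[0][1]):  # SEQUENCE OF QCStatement
        parts = der_children(stmt)                        # statementId, optional statementInfo
        if parse_oid(parts[0][1]) == QC_TYPE and len(parts) > 1:
            for _t, oid in der_children(parts[1][1]):     # statementInfo here is SEQUENCE OF OID
                found.append(QC_TYPE_NAMES.get(parse_oid(oid), "unknown " + parse_oid(oid)))
    return found
# Constructed samples: the qcStatements value a QWAC and a QSealC would each carry.
SAMPLE_QWAC = der_seq(der_seq(der_oid(QC_COMPLIANCE)),
                      der_seq(der_oid(QC_TYPE), der_seq(der_oid("0.4.0.1862.1.6.3"))))
SAMPLE_QSEALC = der_seq(der_seq(der_oid(QC_COMPLIANCE)),
                        der_seq(der_oid(QC_TYPE), der_seq(der_oid("0.4.0.1862.1.6.2"))))
```

On a real certificate, feed `qc_types` the raw value of the extension with OID 1.3.6.1.5.5.7.1.3; a certificate that reports neither QWAC nor QSealC should not be used for either PSD2 role.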
There has been a last-minute postponement of the deadline for fully implementing SCA under PSD2, for an as yet unknown duration in Ireland. However, there are many other reasons for implementing the requirements as soon as possible, not least to provide additional security to guard against the data breaches that fall under GDPR.
Renaissance can provide organisations of any size the expertise needed to analyse existing systems and implement full PSD2 SCA compliance. Contact us to discuss your needs.