An important novelty recently introduced by PSD II is the obligation for payment service providers to apply mechanisms called SCA (Strong User Authentication). The strength of client authentication is a two-factor verification, which is to provide a higher level of credibility and fraud protection.

Starting when?

The Payment Services Directive 2 will be enforced on September 14, 2019. The new pressure on customer security becomes mandatory from this date. There are proactive organizations that are preparing to comply with the directive before the deadline.


PSD2 has two main goals. Opening the financial industry to wider interaction by opening APIs. The second, more important one, is the security of customers and their transactions. That’s why the SCA will be necessary in order to minimize fraud possibility.

Winds of change…

So far, the use of strong customer authentication has been the subject of issued recommendations, among others by the ECB (Secure Pay), EBA or KNF, i.e. soft law documents, and was treated as a supervisory practice, not an obligation of the supplier. At the same time, the law did not directly determine how the authentication of the electronic banking user or authorization of payments should take place, leaving the payment service provider the choice of measures appropriate to the risks to which users of specific services and instruments are exposed.

PSD II regulations leave payment service providers less freedom in making decisions in this respect. The provider should require strong customer authentication at least when performing the following actions by the user:

  • obtaining access to an online payment account
  • initiating an electronic payment transaction
  • carrying out activities via the remote channel that may involve the risk of payment fraud

In addition, the PSD II Directive requires the provider to provide adequate security measures to protect the customers’ privacy and integrity.

Biometry as an authentication method

Behavioural biometry is considered to comply with SCA requirements. To paraphrase the words from the EBA website: providers of solutions based on behavioural biometry present that recognition is at a level of 96-99%, which is an excellent result and justifies the use of behavioural biometry as the second component to provide strong client authentication. Due to the fact that the characteristics of the behaviour do not depend on the device, it is ensured that the user of the financial system is always protected regardless of the environment.



Two to rule them all…

The most important thing to remember is that the new rule applies to all customers in e-commerce. That is, two-factor authentication will soon be the standard for everyone and a huge advantage for business owners. The two-factor confirmation will lead to fewer fraud orders, which means an increase in income.

Subscribe to our newsletter