Meeting PSD2 SCA requirements with SEON

by Florian

The EU’s new strong customer authentication (SCA) requirements can be worrying for businesses. Let’s see how fraud authentication tools can help.

The PSD2 directive, designed by the European Union, is a major step towards Open Banking. It also demands stronger fraud prevention checks from payment service providers, which affects issuers and merchants alike.

Today we’ll break down what your Risk Ops team should know about PSD2 and SCA (strong customer authentication). We’ll then see how 3D Secure 2.0 works, and where SEON can help you meet these requirements. But first, a quick recap of the basics:

What is PSD2?

PSD2 is the European Union’s Second Payment Services Directive (Directive (EU) 2015/2366). It requires banks to open up the account data they hold: if you, as a customer, authorise the sharing, licensed third-party providers can use that data to offer a variety of services and financial products.

The directive also introduces Payment Initiation Services (PIS). These online services can access a user’s payment account and initiate a payment directly, provided the user has been authenticated and has given consent.

What is the goal of PSD2?

Financial products and services vary greatly across Europe, in both quality and price. PSD2 aims to replace the patchwork of domestic frameworks with harmonised rules. This helps third-party financial services scale across the continent, fosters cross-border eCommerce, and attracts new ventures wanting to tap into a larger, unified market.

PSD2 also simplifies the payment chain. PIS cuts out middlemen: card schemes, acquirers and payment gateways can be bypassed, so banks deal directly with merchants. This can significantly reduce transaction costs.

What Does PSD2 Say About SCA?

All online payments made by customers in the EU need to be secured with the appropriate technology. In PSD2 that technology is strong customer authentication (SCA), defined in Article 4(30) of the directive as authentication based on two or more independent elements from the categories knowledge (something only the user knows), possession (something only the user has) and inherence (something the user is).

The detailed rules are in the Regulatory Technical Standards on SCA (Commission Delegated Regulation (EU) 2018/389). Article 2(1) of the RTS stipulates that: “payment service providers shall have transaction monitoring mechanisms in place that enable them to detect unauthorised or fraudulent payment transactions”.

The risk-based factors that this transaction monitoring must take into account, at a minimum, are listed in Article 2(2) of the RTS. These include:

  • Checks against lists with compromised or stolen authentication elements
  • Checks against known fraud scenarios
  • Detection of malware infection of the authentication device
  • Deviations in the amount of the transaction
  • Analysis of the device/software, when provided by the PSP

How Does 3D Secure 2.0 Fit Into The Picture?

3D Secure is the card-payment authentication protocol now maintained by EMVCo on behalf of the major card schemes. 3D Secure 1.0 typically asked the cardholder for a static password to complete a card payment; 3D Secure 2.0 instead passes far more data points about the device and the transaction to the issuer, so that the issuer can risk-assess most payments without a challenge.

The previous version was notoriously clunky. US merchants reported conversion rates dropping by up to 45% because of the friction it created for users. So yes, it may reduce chargebacks, but it also reduces overall revenue.

Version 2.0 enables a more frictionless flow: the merchant sends multiple data points to the issuer, which runs risk-based authentication and only triggers a dynamic second factor (such as a one-time code) when the risk warrants it. Those data points reduce fraud on PSD2-scope payments while meeting the requirements.

However, contrary to popular belief, 3D Secure is not the only way to satisfy SCA. Firstly, the RTS lists a number of exemptions: low-value transactions, low-risk transactions under transaction risk analysis, recurring transactions of a fixed amount after the first one, payees the customer has placed on a trusted beneficiary list, and so on. Note that an exemption is applied by a payment service provider, not by the merchant, and the issuer can still decline it and demand a challenge.

Secondly, the right fraud authentication tool can do much of the work: it covers the transaction monitoring the RTS requires and supplies the risk evidence that lets a PSP apply the low-risk exemption, all without sending payments to manual review. What it does not replace is the two-factor challenge itself: when SCA does apply, the issuer still has to authenticate the customer.
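Deciding which exemption a payment service provider could apply is easy to get wrong, so here it is worked through in Python as an added example (not part of the original article and not SEON’s code). The limits come from the RTS on SCA (Commission Delegated Regulation (EU) 2018/389): Article 13 trusted beneficiaries, Article 14 recurring transactions, Article 16 low-value remote payments (30 EUR per payment, then 100 EUR cumulative or five consecutive payments since the last SCA) and Article 18 transaction risk analysis with the reference fraud rates from the Annex. The PayerState counters, the function names and the risk_analysis_clean flag are assumptions made for the example; the flag stands in for the real-time checks Article 18(2) demands.

```python
from dataclasses import dataclass, field
from typing import Optional

# Annex to the RTS: exemption threshold value (ETV, EUR) allowed for a PSP whose
# reference fraud rate for remote card payments stays at or below the given rate.
TRA_BANDS = [(0.0001, 500.0), (0.0006, 250.0), (0.0013, 100.0)]

LOW_VALUE_MAX = 30.0        # Art. 16(a): ceiling for a single payment
LOW_VALUE_CUM_MAX = 100.0   # Art. 16(b): cumulative amount since the last SCA
LOW_VALUE_COUNT_MAX = 5     # Art. 16(c): consecutive payments since the last SCA


@dataclass
class PayerState:
    """Counters and whitelists the issuing PSP keeps per payment instrument (assumed layout)."""
    low_value_count: int = 0
    low_value_sum: float = 0.0
    trusted_payees: set = field(default_factory=set)    # Art. 13: payees whitelisted via SCA
    recurring_series: set = field(default_factory=set)  # Art. 14: (payee, amount) pairs with SCA on the first payment


def tra_threshold(fraud_rate: float) -> float:
    """Largest amount exemptible under TRA for the PSP's current fraud rate (0 if the rate is too high)."""
    for max_rate, etv in TRA_BANDS:
        if fraud_rate <= max_rate:
            return etv
    return 0.0


def select_exemption(amount: float, payee: str, state: PayerState,
                     fraud_rate: float, risk_analysis_clean: bool) -> Optional[str]:
    """Return the exemption that could be applied, or None when SCA is required.

    risk_analysis_clean stands for the Art. 18(2) real-time checks (no abnormal spending,
    unusual location, malware signs, etc.); TRA is never allowed without them.
    """
    if payee in state.trusted_payees:
        return "trusted_beneficiary"
    if (payee, amount) in state.recurring_series:
        return "recurring"
    # The RTS lets the PSP rely on either the cumulative-amount or the count limit;
    # this example enforces both, which is the stricter reading.
    if (amount <= LOW_VALUE_MAX
            and state.low_value_sum + amount <= LOW_VALUE_CUM_MAX
            and state.low_value_count < LOW_VALUE_COUNT_MAX):
        return "low_value"
    if risk_analysis_clean and amount <= tra_threshold(fraud_rate):
        return "transaction_risk_analysis"
    return None


def record_outcome(state: PayerState, exemption: Optional[str], amount: float, payee: str,
                   start_recurring: bool = False) -> None:
    """Update the counters after the payment: a completed SCA resets them, a low-value exemption advances them."""
    if exemption is None:
        state.low_value_count = 0
        state.low_value_sum = 0.0
        if start_recurring:
            state.recurring_series.add((payee, amount))
    elif exemption == "low_value":
        state.low_value_count += 1
        state.low_value_sum += amount


if __name__ == "__main__":
    s = PayerState()
    for _ in range(6):
        decision = select_exemption(15.0, "shop-a", s, fraud_rate=0.0005, risk_analysis_clean=True)
        print(decision)
        record_outcome(s, decision, 15.0, "shop-a")
```

Run stand-alone, the loop shows the sixth 15 EUR payment falling out of the low-value exemption once five consecutive payments have gone through without SCA; with a clean risk analysis it then falls back to the TRA exemption. In practice the party that applies an exemption carries the liability for the transaction, and the issuer can still refuse an acquirer-requested exemption, so these counters belong with the PSP, not the merchant.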

Below is our breakdown of the SCA requirements, and how a risk management tool like SEON can meet them.

Checks against lists with compromised or stolen authentication elements

What does it mean?

Authentication elements (passwords, one-time codes, registered devices and the like) must be checked against lists of elements known to be compromised or stolen. In practice this means spotting account takeovers: a login or payment that uses leaked credentials, or that comes from an authentication element the customer has never used before.

How SEON covers it:

  • User behaviour rules: the Scoring Engine lets fraud and risk managers set rules that change a transaction’s classification when a user tries to transact with an unknown authentication element (e.g. a new ISP, a new device or a new IP address), mitigating the risk of account takeover.
  • SEON’s Proxy API: it generates a risk score for a single IP address, revealing anomalies related to IP spoofing and masking. The IP address is also checked against spam blacklists to identify prior abuse from that connection.
  • SEON’s Device Fingerprint tool collects insights about the devices associated with a user, so account takeovers and other anomalies tied to an unfamiliar device can be flagged.
  • Lastly, the data enrichment process takes the user’s email address and checks it against a database of known data breaches.

Checks against known fraud scenarios

What does it mean?

Known fraud scenarios should be encoded in the fraud monitoring tool as pre-set rules. Machine learning can then help surface scenarios that were not foreseen.

How SEON covers it:

  • Fully customisable Scoring Engine: admins can create rules based on any relevant logic. All existing rules are listed on one page, where they can be modified or deleted. Known fraud scenarios are defined as rules in the Scoring Engine, while patterns nobody has written a rule for are flagged by the Machine Learning module, which generates complex rule suggestions on its own.

Detection of malware infection of the authentication device

What does it mean?

Sessions showing signs of malware infection, and bots attempting to impersonate the customer (account takeover), must be spotted.

How SEON covers it:

  • The Device Fingerprinting module can identify virtual machines, emulators or advanced fraud tools (e.g. AntiDetect, FraudFox, Multiloginapp).
  • Using the proxy analysis tool, the open ports of the IP address are probed to improve detection of proxy, VPN or Tor usage and to see whether the host is relaying traffic for other servers.
  • Machine Learning: automatically generates rules that improve the precision of account takeover detection.

Deviations in the amount of the transaction

What does it mean?

If the customer transacts in a way that is out of the ordinary for them, for instance an amount far from their usual spending, the anomaly has to be spotted.

How SEON covers it:

  • In the Scoring Engine, managers can use rule parameters to compare past and present input field values within a chosen time frame. Past records are linked through a matching data point, which the manager also selects.
  • Velocity rules allow fraud managers to set up triggers based on unusual recurring actions measured in a certain timeframe. This means certain deviations in average spending patterns can easily be spotted and classified accordingly.

Analysis of the device/software, when provided by the PSP

What does it mean?

The customer device has to be identified and validated to ensure safe customer authentication and full risk assessment.

How SEON covers it:

  • Our Device Fingerprint tool collects insights about the devices associated with a user. Account takeovers and device spoofing can be flagged because it accurately identifies returning visitors from their previously used device. Even if the user deletes and reinstalls their browser, the system still finds the matching data points.
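As an added illustration of how the five Article 2(2) factors above combine in one transaction monitor (this is example code, not SEON’s Scoring Engine, whose rules and weights are not public), here is a small rule-based scorer in Python. The hashed compromised-credential list, the malware markers, the weights, the thresholds and the transaction stream it scores are all constructed for the example; only the factors themselves come from the RTS.

```python
import hashlib
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def _h(value: str) -> str:
    """Hash an authentication element so the list itself is not a credential dump."""
    return hashlib.sha256(value.strip().lower().encode()).hexdigest()


# (a) constructed list of compromised authentication elements (emails seen in a breach)
COMPROMISED = {_h("mallory@example.com")}

# (d) constructed markers a device-fingerprint script might report for an infected or automated client
MALWARE_MARKERS = {"emulator", "headless", "vm", "automation"}


class TransactionMonitor:
    """Scores each transaction against the user's own approved history; weights are illustrative."""

    def __init__(self, z_cutoff=3.0, window=timedelta(hours=1), max_per_window=3, challenge_at=50):
        self.z_cutoff = z_cutoff
        self.window = window
        self.max_per_window = max_per_window
        self.challenge_at = challenge_at
        self.history = defaultdict(list)  # user_id -> approved past transactions

    def assess(self, tx: dict) -> dict:
        past = self.history[tx["user_id"]]
        amounts = [p["amount"] for p in past]
        score, reasons = 0, []

        # (a) compromised or stolen authentication element
        if _h(tx["email"]) in COMPROMISED:
            score += 30
            reasons.append("compromised_credential")

        # (b) deviation of the amount from the user's baseline (z-score over approved history)
        if len(amounts) >= 3:
            mean, sd = statistics.mean(amounts), statistics.pstdev(amounts)
            outlier = (tx["amount"] - mean) / sd > self.z_cutoff if sd > 0 else tx["amount"] > 3 * mean
            if outlier:
                score += 25
                reasons.append("amount_deviation")

        # (e) access device / software and connection never seen for this user
        new_device = bool(past) and tx["device_id"] not in {p["device_id"] for p in past}
        new_ip = bool(past) and tx["ip"] not in {p["ip"] for p in past}
        if new_device:
            score += 15
            reasons.append("new_device")
        if new_ip:
            score += 10
            reasons.append("new_ip")

        # (c) known fraud scenario: classic account takeover, unknown device and IP spending above any past amount
        if new_device and new_ip and tx["amount"] > max(amounts):
            score += 25
            reasons.append("ato_pattern")

        # (d) signs of malware or automation on the authenticating device
        if MALWARE_MARKERS & set(tx.get("device_flags", ())):
            score += 40
            reasons.append("malware_markers")

        # velocity: too many transactions inside the trailing window
        recent = [p for p in past if tx["ts"] - p["ts"] <= self.window]
        if len(recent) >= self.max_per_window:
            score += 20
            reasons.append("velocity")

        decision = "challenge" if score >= self.challenge_at else "approve"
        # only approved transactions feed the baseline; a challenged one waits for the SCA outcome
        if decision == "approve":
            past.append(tx)
        return {"score": score, "reasons": reasons, "decision": decision}


def run_sample() -> list:
    """Constructed stream: a normal baseline, a takeover attempt, a breached login on a headless browser, a burst."""
    t0 = datetime(2021, 3, 1, 9, 0)
    alice = dict(user_id="u1", email="alice@example.com", device_id="dev-A", ip="203.0.113.10", device_flags=[])
    bob = dict(user_id="u3", email="bob@example.com", device_id="dev-C", ip="203.0.113.55", device_flags=[])
    txs = [
        dict(alice, ts=t0, amount=20.0),
        dict(alice, ts=t0 + timedelta(days=1), amount=25.0),
        dict(alice, ts=t0 + timedelta(days=2), amount=22.0),
        dict(alice, ts=t0 + timedelta(days=3), amount=18.0),
        dict(alice, ts=t0 + timedelta(days=4), amount=900.0, device_id="dev-Z", ip="198.51.100.7"),
        dict(user_id="u2", email="mallory@example.com", device_id="dev-B", ip="192.0.2.5",
             device_flags=["headless"], ts=t0, amount=10.0),
    ] + [dict(bob, ts=t0 + timedelta(minutes=5 * i), amount=5.0) for i in range(4)]
    monitor = TransactionMonitor()
    return [monitor.assess(tx) for tx in txs]


if __name__ == "__main__":
    for result in run_sample():
        print(result)
```

Two design points worth copying: the compromised list holds only hashes of the elements, so the monitor’s own data is not a second leak waiting to happen, and a challenged transaction is kept out of the user’s baseline until the SCA outcome is known, otherwise a successful fraud would teach the amount model that 900 EUR is normal for that account. Velocity on its own only raises the score here; it takes a combination of factors to reach the challenge threshold, which is how a risk team keeps a burst of small legitimate purchases from being challenged.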

Conclusion – PSD2, SCA and Fraud Authentication

PSD2 is a strongly consumer-focused directive from the European Union. Everyone, on paper, should benefit from decreased transaction fees, reduced payment friction, and increased authentication security.

However, the security requirements can be challenging for Risk Ops teams, in the same way that the GDPR and fraud detection appear to be at odds with each other.

It might require you to train fraud managers, who may feel they have to jump through hoops to keep their organisation compliant. Luckily, at SEON we firmly believe that implementing our series of fraud authentication tools can cover those legal requirements while future-proofing your business.

Communication Specialist

Florian helps tech startups and global leaders organise their thoughts, find their voices, and connect with customers worldwide.
