New rules around Stronger Customer Authentication for accepting payments by card

New rules around Stronger Customer Authentication for accepting payments by card

From 14 September 2019, new rules apply that affect the way banks or other payment services providers check that the person requesting access to their account or trying to make a payment is the person permitted to make a payment and validate specific payment instructions. These new rules, referred to as Strong Customer Authentication (SCA), are intended to enhance the security of payments, increase efficiency and limit fraud during this authentication process.

The added layer of security that is required is known as two-factor authentication.  It means that, with limited exceptions, consumers must confirm their identity by providing information from at least two of the following three categories:

  • Something they know e.g. a pin or password;
  • Something they have e.g. mobile phone or card reader to obtain an one time password;
  • Something they are (biometric authentication) e.g. a fingerprint.

Even though the rules took effect mid-September, the Financial Conduct Authority has agreed an 18-month implementation plan to give firms extra time to implement these rules in some circumstances. The FSB played a key role as part of a cross-industry alliance that won this concession which will benefit its members.

These rules are set in the Payment Services Regulations 2017 (PSRs) and related EU standards.

Brexit and SCA

The implementation of SCA is European-wide. The implementation is not affected by the current plan for the UK to leave the EU on 31 October 2019.

What action should you take?

Our advice is to contact your merchant services provider to discuss authentication and to clarify what steps your business should take.

Read the FCA summary here.

As always, if you have a legal query please get in touch with the FSB Legal Helpline on 0345 0727727 and we'll be happy to assist you.