Strong Customer Authentication (SCA) is a special form of authentication regulated in §§ 1 para. 24, 55 ZAG, which are based on Art. 97 PSD2. Authentication is used to check whether a person really is who he or she claims to be. Under these provisions, SCA must be applied whenever the payer:
- accesses their payment account online,
- initiates an electronic payment transaction, or
- carries out, by means of remote access, an act involving the risk of payment fraud or other misuse.
Accordingly, the SCA obligation applies, for example, to credit card payments on the Internet or to accessing an online account. However, the obligation does not apply to payments by direct debit, even if the direct debit mandate is issued online. (Something different applies only to so-called e-mandates, where the payer's bank is involved in issuing the mandate.) In the case of a direct debit, the payment is initiated by the payee on the basis of the consent the payer has given to the payee, to the payee's payment service provider or to the payer's own payment service provider. It is therefore not a payment transaction initiated by the payer.
The SCA requires at least two of the following elements to be applied:
- “Knowledge”, in other words something that only the user knows,
- “Possession”, i.e. something that only the user owns, or
- “Inherence”, in other words something that the user is.
The elements used must come from different categories. Something that only the user knows can be a password or a PIN, for example. The possession category includes tokens and mobile phones; possession of the phone can be proven, for example, by entering a transaction number (TAN) that was sent to the phone by SMS. The elements of the inherence category are personal or physical characteristics of the user, such as fingerprints or facial recognition.
A card payment in a shop can therefore be initiated, for example, with the card (possession element) and PIN (knowledge element).
But why do you not always have to enter a PIN when paying by card in the supermarket? Because SCA is not required in all cases: Articles 10 to 20 of Delegated Regulation (EU) 2018/389 supplementing the Second Payment Services Directive (PSD2) provide for exemptions from the SCA obligation, e.g. for
- contactless payments,
- unattended terminals for traffic and parking fees,
- recipients deemed trustworthy by the payer, and
- small value payments.
This means that a PIN does not have to be used for contactless card payments in the supermarket.
If the electronic payment initiated is a remote payment transaction, e.g. a transfer in online banking, the SCA must, according to Section 55 (2) ZAG, also be supplemented by a “dynamic link”, by means of which the payment transaction is tied to a specific amount and a specific payee. When a TAN is sent by SMS, the payer must be told, for example, the amount and the payee for which this TAN applies. The TAN is then valid only for this one payment; any change to the payment data invalidates the transmitted TAN.
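The two rules above, that the elements must come from at least two different categories and that a remote-payment TAN must be dynamically linked to amount and payee, can be illustrated in code. The following is an added example, not code from the original article or from any bank: it assumes a secret shared between the bank and the payer's registered device, a constructed factor table, and a constructed placeholder IBAN, and derives the TAN as an HMAC over amount, payee and a one-time nonce so that changing any of them, or reusing the TAN, fails verification.

```python
import hashlib
import hmac
import secrets
from decimal import Decimal

# Constructed mapping of authentication elements to the three SCA categories
# (knowledge, possession, inherence) named in Art. 97 PSD2 / § 1 para. 24 ZAG.
FACTOR_CATEGORIES = {
    "password": "knowledge",
    "pin": "knowledge",
    "hardware_token": "possession",
    "sms_otp_device": "possession",
    "fingerprint": "inherence",
    "face": "inherence",
}


def meets_sca(factors):
    """True only if the presented elements span at least two distinct categories."""
    categories = {FACTOR_CATEGORIES[f] for f in factors}
    return len(categories) >= 2


def issue_tan(device_key, amount, payee_iban, nonce=None, digits=8):
    """Dynamically linked TAN: HMAC over amount | payee | per-transaction nonce.

    device_key is the secret shared with the payer's registered device
    (assumed); the nonce makes the TAN valid for exactly one transaction.
    """
    nonce = nonce or secrets.token_hex(8)
    normalised_amount = f"{Decimal(amount):.2f}"  # "12.5" and "12.50" link identically
    message = f"{normalised_amount}|{payee_iban}|{nonce}".encode()
    mac = hmac.new(device_key, message, hashlib.sha256).digest()
    tan = str(int.from_bytes(mac[:4], "big") % 10**digits).zfill(digits)
    return tan, nonce


def verify_tan(device_key, amount, payee_iban, nonce, tan, used_nonces):
    """Accept the TAN only for the exact amount/payee it was issued for, and only once."""
    if nonce in used_nonces:
        return False  # replay of an already consumed TAN
    expected, _ = issue_tan(device_key, amount, payee_iban, nonce)
    if not hmac.compare_digest(expected, tan):
        return False  # amount or payee changed after the TAN was issued
    used_nonces.add(nonce)
    return True
```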
Excluded from the requirement to apply SCA are payments for so-called MOTO orders, i.e. orders by mail order (letter, fax) and telephone.
Cover picture: Copyright © Adobe/ sutthinon602