
SCA Standards & Regulations Across the Globe

First published: 15/06/2022

updated: 21/10/2022


If you’ve been following our blog (which you absolutely should!), you’ve likely seen us write about the Payment Service Directive 2 (PSD2) and the corresponding Regulatory Technical Standards (RTS) multiple times. But, like all things, the PSD2 doesn’t exist in a vacuum, and the methods we use to authenticate identities vary from country to country. So for this post, I’ll focus on some of the SCA regulation variances across Europe and the globe.

A General Overview

While it is hard to get official statistics on how many people hold a credit or debit card issued by a member of the EMVCo consortium (Eurocard, Mastercard, Visa, etc.), the most widely used SCA standard, at least measured by transaction volume, is likely the one mandated by the 3-D Secure protocol.

As a quick reminder, 3-D Secure is an additional security layer for online credit and debit card transactions. Today, most internet shopping from Europe and the US still happens via card-not-present transactions protected by 3-D Secure. Implementations of the initial 1.x version of 3-D Secure were mainly done using SMS messaging for authentication. The now-required 2.x version supports app-based out-of-band authentication mechanisms, such as the one we at Okay provide. Related to EMVCo are the PCI DSS multi-factor authentication guidelines, but these protect the payment systems themselves and do not cover the individual transactions directly.

United States 

When we look at major US banks, such as Bank of America and Wells Fargo, we can see that they have at least partly adopted the FIDO2 standard. The Fast Identity Online (FIDO) Alliance is an industry association first launched back in 2013. The association used to be concerned with hardware solutions, including trusted platform modules and USB tokens used as a second factor of authentication. But today, with FIDO2, the association has gained much more traction as an SCA mechanism. The limitation is that FIDO2 is mainly concerned with integrating your identity with a web browser, which is perhaps not so relevant in an app-driven world.

Asia

Asia, and particularly China, is, as usual, a slightly different story. In the last few years, the WeChat wallet has become the most common way to pay when shopping in person or online, with an estimated 900 million users in 2021. Perhaps surprisingly, the WeChat wallet is based on SMS one-time PIN codes and links your wallet to either a Chinese ID card or an existing bank account. So from a European security perspective, it is similar to the wallet solutions that were popular in Europe a decade ago.

Europe

In Europe, the Payment Services Directive, followed by PSD2 and the PSD2 RTS, has been the regulatory driving force for stricter SCA requirements over the last decade. However, unlike the worldwide standards driven by industry organisations, Europe-wide regulation is not so much a standard as a guideline whose enforcement is left to the various “National Competent Authorities” (NCAs). This means that how you authenticate and sign up for a service will differ depending on your country.

For example, suppose you’re doing an online onboarding for a service in France. In that case, the know-your-customer (KYC) provider involved will have to be certified against the ANSSI Remote Identity Verification Providers specification, which is different from what BaFin requires in Germany. Such differences are likely the main reason the EU Commission has proposed a “trusted and secure Digital Identity for all Europeans”.

Similar to KYC and onboarding, there is no single standard for Open Banking. Europe has the Berlin Group’s NextGenPSD2, the Open Banking UK standards, the Polish PSD2 API, and the list goes on. These standards usually leave how to do SCA up to the individual bank by simply treating it as a “black box”.

The Nordics

In the Nordic countries, the history of SCA has followed a different path, with national electronic identification and SCA initiatives starting in the early 2000s. While the technical implementation varies between Norway, Sweden, Denmark and Finland, the approach is fundamentally the same: banks, usually represented by a company whose ownership is distributed among the banks, work together with the government to establish basic authentication solutions. Initially used only for online banking and paying taxes, their usage has grown dramatically over the years. Today, the same infrastructure is used for PSD2-compliant onboarding and SCA.

So, what are the fundamental differences?

When we look at all the solutions used worldwide, there are clear differences in who sets the standards and what the security requirements are. While all the standards I’ve mentioned here include at least some form of multi-factor authentication, how the authentication itself is protected varies quite a bit.

The European solution, where there are many competing technical standards under a single regulation, might appear confusing and inefficient. But it is likely the only practical solution given the significant differences between European countries, including cultural differences and technical legacy solutions. 

It can also be tough to get traction for expensive and potentially inconvenient changes: one example is implementing SCA at all; another is pushing beyond simple multi-factor authentication to dynamic linking and secure execution environments, as mandated by PSD2. And now, with both payment systems and mobile phones under increased attack, raising the security level of authentication systems becomes more and more relevant. Choosing an authentication system that takes this into account is therefore important.
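To make the dynamic linking requirement concrete: the PSD2 RTS requires the authentication code to be specific to the amount and payee the payer was shown, so that any later change invalidates it. The following is an added illustration written for this post, not Okay’s product code; it assumes a per-device HMAC key held in the app’s secure execution environment and a constructed server nonce, and shows that a code computed over one amount is rejected once the amount or payee is altered.

```python
import hmac
import hashlib
from decimal import Decimal

# Constructed demo key. Assumption: in a real deployment this key is generated
# inside the device's secure execution environment and never leaves it.
DEVICE_KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
)


def canonical(amount: str, currency: str, payee: str, nonce: str) -> bytes:
    """Fixed field order, separators and amount scale so both sides MAC
    exactly the same bytes ("120" and "120.00" must not differ)."""
    amt = str(Decimal(amount).quantize(Decimal("0.01")))  # demo: 2 minor units
    return "|".join(["v1", amt, currency, payee, nonce]).encode("utf-8")


def dynamic_link_code(key: bytes, amount: str, currency: str,
                      payee: str, nonce: str, digits: int = 8) -> str:
    """Authentication code bound to the transaction details shown to the user."""
    mac = hmac.new(key, canonical(amount, currency, payee, nonce),
                   hashlib.sha256).digest()
    # Dynamic truncation of the MAC to a short numeric code (OTP-style).
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def verify(key: bytes, code: str, amount: str, currency: str,
           payee: str, nonce: str) -> bool:
    """Issuer side: recompute over the amount/payee it is about to execute.
    If they differ from what the user approved, the code will not match."""
    expected = dynamic_link_code(key, amount, currency, payee, nonce)
    return hmac.compare_digest(expected, code)


def demo() -> tuple[bool, bool, bool]:
    nonce = "c0ffee-1234"  # constructed; normally a fresh per-transaction challenge
    payee = "NO9386011117947"  # constructed IBAN-like payee identifier
    code = dynamic_link_code(DEVICE_KEY, "120.00", "EUR", payee, nonce)
    approved = verify(DEVICE_KEY, code, "120", "EUR", payee, nonce)
    amount_changed = verify(DEVICE_KEY, code, "1200.00", "EUR", payee, nonce)
    payee_changed = verify(DEVICE_KEY, code, "120.00", "EUR", "NO0000000000000", nonce)
    return approved, amount_changed, payee_changed
```

A plain OTP, by contrast, would verify identically regardless of what amount the bank ends up executing, which is exactly the gap dynamic linking closes.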

After PSD2, the next finance and security-related regulation that has caught the attention of the EU Commission is the Digital Operational Resilience Act (DORA). After half a year of negotiation between the different countries, DORA reached a provisional agreement on May 11th. DORA sets uniform requirements for the security of the network and information systems of companies and organisations operating in the financial sector, as well as of the critical third parties that provide services to them. With DORA, all financial companies will have to be able to withstand, respond to, and recover from all ICT-related disruptions. The infrastructure used to authenticate customers is central here.

We’ll do a follow-up post on how we can help you implement DORA on the cloud and on-premise later this year, so be sure to follow us on LinkedIn if you’re interested in this topic!
