Global Cybersecurity Regulation: Europe’s Strong Customer Authentication (SCA) should be the Groundwork
Starting September 14th, 2019, the second Payment Services Directive went into effect, requiring Strong Customer Authentication (called SCA) across Europe for “customer-initiated” online payments. Enforcement of these regulations varies across countries, banks, and card networks, increasing complexity and blocking payments for online business. While the fragmented application of SCA rules and the numerous nuanced exceptions are causing headaches for businesses across the globe, the requirements are a crucial step forward in requiring secure financial transactions and maintaining customer security.
In today’s modern threat environment, we know that the network perimeter defense strategies of the past no longer meet the needs of the global economy. With the introduction of cloud technology and the Internet of Things, the proliferation of devices and ease of remote access have necessitated a move to a new plan for cybersecurity. Modern security must take on a zero-trust approach to user identity and authentication that compartmentalizes information, applies risk management to users, and makes it harder for bad actors to access sensitive information. The new SCA rules are requiring companies to make this change and to protect crucial financial information while encouraging them to take advantage of new security technologies such as biometric authentication and 3D Secure 2.
What is SCA, and how does it work?
SCA requires “customer-initiated” online payments to be authenticated with two out of three distinct elements (also known as two-factor authentication). These elements are something your customer knows, such as a password; something they have, such as a phone; or something they are, such as their fingerprint. Depending on the type of purchases customers make, or even which bank they use, SCA may be required during or after checkout, affecting customer experience and checkout conversion for some companies.
While recurring debits are considered “merchant-initiated” and don’t require SCA, most card payments and all bank transfers in Europe now require SCA. These new regulations may pose a particularly significant headache for businesses that take card information and store it for later charges and add-ons, such as hotels.
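As an added illustration of the two rules above (not code from the original post or from any payment provider), the following Python sketches a server-side SCA decision: merchant-initiated transactions are out of scope, customer-initiated ones must carry verified evidence from two different factor categories, and two elements of the same category (a password plus a PIN) do not count as two factors. The factor names, evidence labels and the `authorize` outcomes are constructed for this example; a real integration would hand a "challenge" result to a 3D Secure 2 flow rather than deciding on its own.

```python
"""Added example: minimal Strong Customer Authentication (SCA) decision logic.

Not the original post's code and not any payment provider's API; all names
and sample values are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Iterable


class Factor(Enum):
    """The three SCA element categories from the post."""
    KNOWLEDGE = "knowledge"     # something the customer knows (password, PIN)
    POSSESSION = "possession"   # something the customer has (phone, card, token)
    INHERENCE = "inherence"     # something the customer is (fingerprint, face)


@dataclass(frozen=True)
class AuthEvidence:
    method: str        # constructed label, e.g. "password", "sms_otp"
    factor: Factor     # which category this element belongs to
    verified: bool     # did the verification step succeed?


@dataclass(frozen=True)
class Payment:
    amount_minor: int                   # amount in minor units (e.g. cents)
    currency: str
    customer_initiated: bool            # False for merchant-initiated (recurring debit)
    evidence: tuple[AuthEvidence, ...] = ()


def sca_required(payment: Payment) -> bool:
    """Merchant-initiated transactions (recurring debits on a stored mandate)
    are outside SCA scope; customer-initiated online payments are inside it."""
    return payment.customer_initiated


def distinct_verified_factors(evidence: Iterable[AuthEvidence]) -> set[Factor]:
    """Collapse evidence to the set of categories that were actually verified,
    so password + PIN yields only {KNOWLEDGE}."""
    return {e.factor for e in evidence if e.verified}


def sca_satisfied(evidence: Iterable[AuthEvidence]) -> bool:
    """Two out of three distinct elements, both verified."""
    return len(distinct_verified_factors(evidence)) >= 2


def authorize(payment: Payment) -> str:
    """Return 'approved', 'challenge' (step-up authentication needed) or
    'declined' (a presented element failed verification).

    Assumption for this example: any failed verification declines rather
    than re-challenging; a real system would apply retry limits."""
    if not sca_required(payment):
        return "approved"
    if any(not e.verified for e in payment.evidence):
        return "declined"
    if sca_satisfied(payment.evidence):
        return "approved"
    return "challenge"


if __name__ == "__main__":
    # Constructed sample evidence.
    password = AuthEvidence("password", Factor.KNOWLEDGE, True)
    pin = AuthEvidence("pin", Factor.KNOWLEDGE, True)
    sms_otp = AuthEvidence("sms_otp", Factor.POSSESSION, True)

    print(authorize(Payment(2500, "eur", customer_initiated=False)))           # approved (merchant-initiated)
    print(authorize(Payment(2500, "eur", True, (password, pin))))             # challenge (one category only)
    print(authorize(Payment(2500, "eur", True, (password, sms_otp))))         # approved (two categories)
```

The point the example makes that the prose does not is in `distinct_verified_factors`: counting verification *methods* is the common implementation mistake, and collapsing to categories first is what turns "two things" into "two factors".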
Why is this positive?
Today’s security must be identity-based — there can be no zero trust without authentication. The evolving threat landscape means that any company that doesn’t apply multi-factor authentication is exposing itself to massive vulnerabilities. Microsoft sounded this alarm in its 2017 Microsoft Security Intelligence Report, which highlighted the increasing frequency and sophistication of attacks, including a 300% increase in attacks on cloud-based user accounts. Modern identity is the new battleground for attackers and defenders.
“If you configure your users with Multi-factor authentication (MFA), that reduces the risk (of attack) by 99.9%. Unfortunately, a surprising number of customers haven’t turned on MFA; it’s like driving without a seatbelt.”
Joy Chik, Vice President, Identity Division in Microsoft’s Cloud + Enterprise group
Yet many companies have been slow to react to the evolving danger of today’s modern threat environment — even though solutions such as Azure AD create seamless multi-factor authentication-based sign-on experiences. SCA helps to solve the problem of security adoption for financial transactions by requiring multi-factor authentication in online payments throughout Europe.
Solving the SCA challenge for companies
While business proponents may throw their hands up at such regulation, the truth is that the costs of inaction are significant, and the solutions are relatively painless with modern technology. Financial crime is on the rise — costing an estimated 1.45 trillion USD worldwide in 2018, with the average cost of a data breach in 2019 rising to 3.92 million USD — not to mention the significant negative brand impacts: even Target, with an established and loyal customer base, took a 54.6% hit in customer perception in the year following its 2013 data breach.
Nor does meeting new regulations need to be onerous. Payment companies such as Stripe are making the transition to SCA as painless as possible with SCA-ready payment APIs and products for businesses of all sizes. Their new Payment Intents API only triggers additional authentication when required and automates much of the process for companies, providing superior customer service and making it easy for businesses to adapt.
What about data security?
While identity-based solutions are an essential front line to our cybersecurity defenses, we also need to consider how we’re constructing the networks that protect and secure our data. Fintech companies such as Interswitch in Nigeria are increasingly looking to distributed ledger technology and blockchain-based systems to secure their data. Interswitch is a digital payments and e-commerce company that used Azure Blockchain Workbench to build a blockchain-based supply chain financing platform to streamline supply chain financing, track performance, and reduce risk. They’re using it to create opportunity across Africa by providing access to funding for innovative startups that have trouble finding financing in Africa’s notoriously closed-door corporate financing structure, while using the distributed design of their system to protect data integrity and prevent fraud.
“With a single version of the truth across the supply chain, Nigerian lenders and suppliers can identify and build relationships with high-performing entrepreneurs. That will help empower people to create more jobs, more wealth, and a more prosperous Africa.”
Eghosa Ojo: Design Thinker and Head of Innovation, Interswitch
We need global cybersecurity regulation and collaboration
Countries across the globe need to follow the European Union’s lead and enact cybersecurity regulations to protect consumers and businesses. Whether by developing solutions to secure citizens’ digital identities or by requiring multi-factor authentication for financial transactions, it is clear that cybersecurity is a global challenge that we must address. With fines for data breaches increasing and the massive brand damage such incidents cause, companies must be wary of failing to maintain proper security.
The tools to address our modern cybersecurity challenges are available, even while threats evolve. If companies are unwilling to take the steps needed to protect themselves and consumers, it falls on us to hold them accountable, both with our dollars as consumers and through encouraging our elected representatives to act. Lawmakers across the world need to catch up to the modern threat environment and hold companies’ feet to the fire for their failure to protect consumers. SCA is a needed first step — and a blueprint to follow.