Passenger rolls out Strong Customer Authentication compliance

Imagine you were taking a stroll down a fictional High Street, to deposit some money in a fictional brick and mortar bank. During your transaction with the cashier, you notice that the bank’s safe has a back door onto the street, and it’s left open and unwatched. Would a potential security breach like that have you reconsidering if your money is safe?

Internet banking and transacting is fast, accessible and hugely popular, but comes with its own set of security challenges. The possibility of committing fraud remotely and the high value of the e-commerce market is very enticing to some, so it’s important that businesses continuously work to make sure the back door to any virtual vaults remain locked and bolted.

In 2019, Strong Consumer Authentication (SCA) ensuring that electronic payments are performed with multi-factor authentication to confirm the identity of users, became a European requirement.

With SCA, the customer’s identity has to be verified, using at least two independent elements:

• Knowledge (something only the user knows, e.g. password or PIN)
• Possession (something only the user possesses, e.g. mobile phone or ID)
• Inherence (something the user is, e.g. fingerprint or facial recognition)

SCA has strict rules about getting this information, what counts as acceptable information and the independence of each piece of information. Luckily, mobile ID is helping to make these requirements easier to meet – a high percentage of people in the UK tend to have a mobile phone on their person at most times – satisfying the possession requirement. Biometric authentication can also be used to satisfy the inherence requirement, with fingerprint scanning and other mobile biometrics appreciated by users for ease of use and convenience.

The e-commerce industry has until 14 September 2021 to implement SCA. Passenger has been working diligently over the last year to ensure our apps and web-based e-commerce systems would be fully compliant with the new SCA regulations as early as possible. In July this year, we implemented significant behind-the-scenes updates to how payments are handled within our apps, but with minimal changes to the user experience. Like a swan gliding smoothly across the water but paddling energetically underneath, all users might see is a text or push notification from their bank requesting them to authorise certain payments.

Security is hugely important to gaining and keeping customers trust, but so is ease and convenience. Most people will reconsider their options if something they trust and use experiences a security breach, but they still want remote transactions and identity verification to be as frictionless as possible. On the flip side, for businesses, effective customer authentication procedures are critical to knowing that the person they’re trading with is who they say they are and reducing risk.

Protecting our customers’ e-commerce revenues is our greatest priority. Doing that whilst delivering a high-quality user experience is what separates us from others. Our app-based authentication requires just a single touch from the user to approve a transaction and helps keep everyone on the journey with us, safe and secure.