What is SCA and why is it needed?
As a payment institution, Holvi operates in the highly regulated field of financial services, and changes in legislation and regulation therefore apply to us.
The Second Payment Services Directive (PSD2) is a set of regulations enforced on 13 January 2018 that applies to all financial services within the European Union; its effects are being enforced gradually.
The directive aims to:
- Enhance security through new requirements for Strong Customer Authentication (SCA)
- Promote competition through creating new third-party service providers, thus increasing the range of services available to consumers
- Enable these third parties to access account information with the user's consent, providing a framework for new payment and account services
Because of the technical nature of the directive, PSD2 mandated the European Commission to issue further technical standards on some issues regulated in the directive. These standards are known as the Regulatory Technical Standards (RTS). Enforceable on 14.9.2019, these standards emphasise payment security by requiring Strong Customer Authentication (SCA). Stronger requirements for customer authentication were enacted to make online payments more secure by protecting the confidentiality of the authentication data.
What does Strong Customer Authentication mean in practice?
The new legislation (PSD2) and its technical standards (RTS) emphasise payment security through Strong Customer Authentication (SCA). Increased requirements for financial service providers ensure that it is you accessing your account or making a payment.
In practice, SCA involves the use of two or more of the following elements, which meet the criteria for strong authentication:
- knowledge (something that only the user knows),
- possession (something that only the user possesses), and
- inherence (something that the user is).
When must Strong Customer Authentication be used?
SCA is required when you:
(1) access your payment account online;
(2) initiate an electronic payment transaction;
(3) carry out any action through a remote channel which may imply a risk of payment fraud or other abuses.
How will the SCA affect me and what should I do?
Starting on 14.09.19 you will need both your Holvi password and a verification token sent to your primary phone number (the one you have registered in Holvi).
In case you cannot remember your password, please reset it here.
Holvi will implement the required changes to support Strong Customer Authentication gradually. The SCA process will in the future be done with the help of the free Holvi mobile application. With the app, customers can authenticate their logins and payments with a passcode, fingerprint or facial recognition.
Additionally, to ensure smooth and secure access to their payment accounts in the future, we will ask all our customers to install the Holvi Mobile App. The App is free and available for both Android and iOS.
The app will be connected to your Holvi profile with an SMS – please make sure that your registered phone number at Holvi is up to date!
What if I am not able to install the Holvi App?
If you cannot install the Holvi App due to location restrictions or the version of the operating system on your phone, Holvi will soon offer an alternative SCA method using a time-based one-time password (TOTP) application, e.g. Google Authenticator.
These authenticator apps are software-based authenticators that implement two-step verification services using time-based authentication algorithms to ensure safe mobile authentication.
In practice, this will involve entering a one-time passcode (OTP) that will be delivered to your mobile device, triggered by a login or a payment. This combination verifies that when entering login data to our site you are actually in possession of the device to which the Google Authenticator (or similar) app is downloaded.