top of page

What are the key mechanisms for determining the authenticity of Strong Customer Authentication?

Authenticity is mentioned twice in the RTS. In Article 5, which discuss [Dynamic Linking], there is a requirement that when applying SCA the payment service provider shall “adopt security measures which ensure the confidentiality, authenticity and integrity of each of the following::<br/><br/>

- the amount of the transaction and the payee throughout all of the phases of the authentication;<br/><br/>

and,<br/><br/>

- the information displayed to the payer throughout all of the phases of the authentication including the generation, transmission and use of the authentication code.<br/><br/>

In computer security terms “authenticity” means that the originator of a message can be verified. In practice this usually requires that the messages received must be cryptographically signed, and that the signature is actually verified on receiving the message. This is not limited to the communication from the PSP, but also the reply message back from the payer must be signed so that the PSP can be sure of the authenticity of the payer. Establishing a secure communication channel only between the PSP and the payer is therefore not sufficient, the security must be bi-directional.<br/><br/>

In article 25 of the RTS, discussing the delivery of credentials, devices and software, there is a requirement that the payment service provider should apply “(b) mechanisms that allow the payment service provider to verify the authenticity of the authentication software delivered to the payment services user by means of the internet”. This means that the payment service provider must verify the authenticity of at least the part of their applications performing the strong customer authentication. Verifying the authenticity of software is typically done by checking the running software against a predefined checksum, but it can also involve verifying the graphical user interface that is shown to the end user as the transaction takes place. There are proprietary watermarking techniques available to do this.

bottom of page