Solutions overview
Harness the power of your data
Support and investigations
Support services for Ravelin
Online payment fraud
Account security
Policyabuse
Marketplace fraud
3DSecure
Resource Zone
Deep dives on fraud & payments topics
API & developer docs
APIs, glossary, guides, libraries and SDKs
Global Payment Regulation Map
Track PSD2 & more with a full report
Blog
The latest fraud & payments updates
Insights
In-depth guides to fraud, payments & security
About Ravelin
Discover the story about Ravelin
Careers
Join our dynamic team
Customers
Read more about our happy customers
Press
Get the latest Ravelin news
Support & investigations
Accept more payments securely
Protect your customer accounts
Policy abuse
Stop policy abuse to protect your bottom line
Ravelin for marketplace fraud
3D Secure
Ravelin 3DS & SDKs
Resource zone
Global Payment regulation map
Read more about our happy custmomers
Blog / News
The EBA is strict about what’s considered compliant for inherence, possession & knowledge under SCA. We look closer at the new requirements for each element and how today’s widely used authentication methods compare.
Share this article:
The Strong Customer Authentication (SCA) regulatory technical standards (RTS) require two of three elements to be met in order for authentication to be successful. These three elements are inherence, possession, and knowledge. Or in other words, something the user is, something they have and something they know.
However, the EBA Opinion Paper is strict about what actually counts as inherence, possession, and knowledge under SCA. In this article, we take a closer look at the new requirements for each element and how this compares to widely-used methods today.
Inherence is defined as ‘something the user is’. Article 8 of the technical standards refers to authentication elements that would be read by devices and software.
Depending on the implementation, these inherence elements are SCA compliant:
If a user memorizes a swiping path on their device, this does not count as an inherence element - but it does count as a knowledge element.
It’s important to note that user information sent via 3D Secure 2 (or EMV 3DS) is not considered SCA compliant - as none of the data relates to biological and behavioural biometrics - but this may change in the future.
Despite this not being compliant for SCA, this data is critical for Transaction Risk Analysis (TRA) and enabling exemptions.
The EBA states that this does not need to be something physical - for example, it could be an app, provided that there are reliable means to confirm possession. This can be confirmed through a One-Time Password (OTP) or a push notification. A QR code could also be used as evidence of possession.
Printed card details don’t count as possession. But dynamic card security codes can count, as long as they are changed regularly and are not printed on the card itself. This applies to some virtual cards too.
This is a non-exhaustive list of knowledge elements. It’s important to remember that the implementation approach will impact compliance.
Dynamic linking
There must be at least two elements used to meet SCA compliance, and the elements must dynamically link the transaction to an amount and a payee specified by the payer when initiating the transaction. This means that at the time of the transaction, the value of the transaction and the identity of the recipient must be displayed. Dynamic linking is possible through the generation of authentication codes - there are strict security rules explained in more detail here.
Independence
The two elements must be independent of each other. One element cannot compromise the reliability of another.
Card reader eligibility
This scenario could constitute two elements in one - eg. in the typical use of a card reader, the PIN is first inserted to access the device, and then the OTP is generated.
Reusing elements
An element may be used twice within a session - for example to initiate a payment and perform another service that requires SCA eg. access an account.
A possible scenario is when a user performs SCA to save a new card to an account and then must also perform SCA to set up a payment. In this case, the device could be used as the possession element for both SCA instances.
For a payment provider, another example could be if a user accesses their account using a static password (knowledge) and OTP (possession) and then immediately initiates a payment.
Today, some SCA-compliant elements are already in use:
There are also some non-compliant methods which are widely used today:
The EBA is strict about what counts for each element behind SCA.
Possession must be something physical that the user has. A combination of QR codes, card readers or OTPs might be popular for those wishing to remain compliant.
Knowledge is about what the user knows - passcodes and PINs make this more familiar to everyday users - these are just two possible examples of something the user knows. Memorized swiping paths count as knowledge, not inherence.
The user data sent via 3DS currently does not count as the inherence element (something the user is). This may have come as a surprise to many businesses who believed the enhanced version of 3DS and its biometric capabilities provided salvation for those struggling to develop compliant solutions. This highlights how important it is to review guidelines carefully to ensure your authentication strategy is not taken by surprise.
Jessica Allen, Head of Content
Blog / Fraud Analytics
Fraud prevention is a delicate balance between stopping fraud and maintaining good customer experiences. But what is the most effective way to measure this outcome?
Ravelin Technology, Writer
Blog / Machine Learning
Online payment fraud is one of the biggest threats facing grocery merchants. And it’s only gotten worse. How are fraudsters using the cost of living crisis to take advantage of your business?
There’s a new fraud threat on the rise – and it’s your customers. First-party fraud is infamously tricky to catch and a huge revenue risk. How can you detect and deter criminal behavior in your customer base?