• About Us

  • Blog
  • Contact


What Changed with PSD2 – Introduction to the SCA and Dynamic Linking

A brief introduction to the main points of the SCA and how is dynamic linking “linked” to it.

When it comes to the topic of the digital payments industry, terms like SCA (Strong Customer Authentication) principles and dynamic linking certainly come up a lot. Introduced in the EU’s revised Payment Services Directive – or simply PSD2, as its most commonly called – SCA principles became the gold standard of financial transactions security. In this article we are going to explore those principles a little bit more, possibly clear up some confusion as to what exactly they are, and what role plays a dynamic linking in them. 

What is a Strong Customer Authentication?

First thing first, let us go through the main requirements of the SCA, which is either Two-Factor Authentication (2FA) or Multi-Factor authentication (MFA) that relies on using at least two of the following three factors:

Possession – something that only the customer has. The most common example would be a mobile device, considering how attached we are to them in our daily lives.

Knowledge – something that only the customer knows. This one is easy; a password, PIN, or maybe a response to a security question.

Inherence – something that the customer is. Returning back to  smartphones and the way they opened up a possibility to use our biometrics, such as a fingerprint or a face-scan, as an authentication factor.

“What makes the SCA different from the 2FA then,” you might ask, and that’s exactly where the dynamic linking comes into equation.

How dynamic linking changed the game?

Dynamic linking introduced a completely new variable to the authentication process, which is a creation of unique “one-time authentication code” that has to be bound to the entire transaction. This new addition helps to counter man-in-the-middle type of attacks, where an adversary alters the details of a transaction after the payer already authenticated the transaction.  

According to the Regulatory Technical Standard for PSD2, Article 5

“1. Where payment service providers apply strong customer authentication in accordance with Article 97(2) of Directive (EU) 2015/2366, in addition to the requirements of Article 4 of this Regulation, they shall also adopt security measures that meet each of the following requirements: (a) the payer is made aware of the amount of the payment transaction and of the payee;

(b) the authentication code generated is specific to the amount of the payment transaction and the payee agreed to by the payer when initiating the transaction;

(c) the authentication code accepted by the payment service provider corresponds to the original specific amount of the payment transaction and to the identity of the payee agreed to by the payer;

(d) any change to the amount or the payee results in the invalidation of the authentication code generated.

  1. For the purpose of paragraph 1, payment service providers shall adopt security measures which ensure the confidentiality, authenticity and integrity of each of the following:

(a) the amount of the transaction and the payee throughout all of the phases of the authentication;

(b) the information displayed to the payer throughout all of the phases of the authentication including the generation, transmission and use of the authentication code.”  and will be transferred together with the amount and recipient of the payment through every step of the payment and authentication process. Additionally, both the amount and recipient have to be made clear to the payer when authenticating the payment. If the authentication code or any payment details are changed, the transaction should fail”

If we break those paragraphs down into more casual speech, there are basically three main points to the dynamic linking:

  • A transaction is required to have a specific OTP that is generated over required transaction data – at the very least the paid amount and information identifying the beneficiary – which will be linked to this particular data.
  • The users should always be aware of the transaction data they authenticate – also known as the “What You See Is What You Sign” (WYSIWYS) – if any of the variables mentioned above change during the transactions process, the initial transaction will be automatically canceled.
  • And finally, there is a requirement of a certain level of confidentiality and integrity to the transaction environment, which can be achieved through either specialized security hardware or software – the data between two parties must be encrypted.

Final thoughts: Does PSD2 even concern me though?

Short answer? Yes. To what extent, that’s debatable. If you are a financial service business and processes payments that are completed in the EU, without a doubt you care quite a lot already, as you have to abide by the PSD2. But what if you are a simple credit card owner that does some online shopping from time to time, or you just recently decided to try your hand in crypto trading? Well, it certainly helps to have at least basic understanding on what to expect from the digital payment services on the market, and to what standards you should hold them up to. In our next article, we will take a closer look on the technical aspect of dynamic linking and how it can be performed, stay tuned!