BSI launches SCA code of practice
Written by Peter Walker
The British Standards Institution (BSI) has published a publicly available code of practice for digital identification and Strong Customer Authentication (SCA).
The new specification - PAS 499:2019 - is for organisations with regulatory requirements under the second Payment Services Directive (PSD2) and related regulations.
It focuses on management principles and takes a regulatory view of identification and strong customer authentication, including: identity validation; identity verification; enrolment; authentication; delegated authorisation; risk models; security and usability.
It also applies to management processes for creating, accessing or managing accounts digitally; users making a payment via a mobile device or other computer; users making a contactless payment using an electronic device; a retailer receiving such payments; third-party roles; delegated authority; and a bank or payment service provider administering such transactions.
It does not cover contactless payments made using plastic cards; transactions in the context of the internet of things; digital currencies; specifics of payment devices or payment terminals.
Tim McGarr, digital sector lead at the BSI, said: “At a time when cyber crime and fraud are on the rise, it is critical that organizations have robust digital identity and user authentication processes in place to minimize the risks of their online transactions.
“PAS 499:2019 provides the recommendations needed to optimise and implement a system that supports legal and regulatory requirements.”
The new code was developed by a steering committee and underwent a peer and public review, as is normal practice in such a consensus document.